Footnote says:
> ^ Although we observe these scripts query the Facebook API and save the user’s Facebook ID, we could not verify that it is sent to their server due to obfuscation of their code and some limitations of our measurement methods.
If you are sending the comms through Burp, you can find out fairly easily without having to wrestle with de-obfuscating code.
In addition to the answers already given, OpenVAS (http://www.openvas.org) is a free-to-use fork of an older version of the commercial Nessus scanner. It uses the same vulnerability feeds, though sometimes newer issues may be delayed up to a week in the free feeds. It also doesn't have all the bells and whistles the commercial scanners have these days. Hard to argue with free, though.
tcpdump
It's a command-line/console package; log in as root via SSH and use it.
http://www.tcpdump.org/tcpdump_man.html
Or you can try using BurpSuite proxy, you'll need to start the proxy on your computer, then point your phone to it in the wifi settings.
Each has its pros/cons.
tcpdump is low-level and captures EVERYTHING.
Burp sits in the middle and can sniff out HTTPS, but apps/sites that double check certificates will be able to detect this.
Burp will let you set up rules to intercept certain packets, but it's all done live, whereas tcpdump will let you capture/save the packets so you can go back and look through them all.
I usually use tcpdump first, then I'll turn on Burp and set up rules to intercept only the packets I want.
I'm fond of Renovate, which can be used to update dependencies, configs, and the like. I think it would slot in near Helm and Argocd in your ecosystem there.
Basically, your build system would update something, and Renovate would go change the configs in Github, and then Argocd would reconcile the new configs with the cluster.
Wireshark is a good one but you’d have to make sure that your network card supports monitoring and it may be hard to find the particular request you need depending on your familiarity with the program.
Burp suite I think is a better option for this if you’re able to configure a proxy in your network settings.
Burp Collaborator provides this in an easy to use form, full write-up available.
It also supports HTTP/S and SMTP, should you wish to explore other vectors for exfiltration.
You could check and see how they're sending the data.
Download the community edition of this tool, which is used, among other things, to inspect web traffic between the browser and server: https://portswigger.net/burp/communitydownload
There's a little setup you would have to do. Navigate to your bank's page normally, then go to Burp and turn intercept off so traffic can flow freely. Configure your browser's proxy settings to use Burp and install the Burp certificate in your browser (Burp provides instructions for both of these). Then, just log in to the site, and you should be able to see how the login information is sent.
In my experience, it's important that you and your organization understand what the scope and definition of "get an external pen test" is. Vulnerability assessment and penetration testing are not one and the same. If you're in a regulated environment these distinctions are crucial.
The tools you'll most likely have access to are port and vulnerability scanners. These are just quick information gathering tactics in the penetration testing process. A penetration test should actively attempt to compromise a system, not just see if it's running Apache. As far as performing port and vulnerability scans on your systems, it's pretty simple from a technical perspective, but note there may be legal concerns depending on your environment and where your scans are sourced from.
As far as tools, OpenVAS will get you Nessus like reporting.
[Nessus](http://www.nessus.org) is a solid product, especially at $1200 per year.
[OpenVAS](http://www.openvas.org/) is an open source fork of Nessus, but doesn't have as many vulnerability plugins as Nessus.
Have you considered web application firewall(s) to help protect your clients?
On a free plan you can set up a proxy for your browser and catch every request to and from your browser. That’s how I use it at least. Check it out: https://portswigger.net/burp/
You can use it to see all requests to the api with the interceptor feature
I should have phrased that better. My uneducated guess is that the release note in this case was a copy/paste from commit messages created during development. Possibly whoever did the commit was using an automated solution (e.g. WhiteSource) for version bumps, which provided an actual message to the user after updating their vehicle. If the tool is not consistently used, patch notes may not make it to the end user.
Large well known established open source software projects have had serious security problems too. Not just "I can crash your server then post about my bravery on reddit ", but "I can escalate privilege and pwn your shit" stuff.
First result on google for security bugs in open source: Top Open Source Security Vulnerabilities for 2016, featuring glibc, android, openssl, linux kernel, mysql and openjdk.
None of it is really newsworthy if we've been paying attention. We generally accept that shit happens, try to design our systems in layers to resist a single point of compromise, and hope we can race the bad guys to fix shit before they exploit it.
And maybe that bears repeating. Folks that maliciously exploit a bug to disrupt other people's systems are the bad guys. Folks that make a point to notify those bad guys as early as possible in the interval of time from when a fix is published and when it is widely distributed are also the bad guys. (cue the cries of "Oh but there was no possible way to know those tweets were going to be instrumental in the commission of multiple felonies.")
This would once have been non-controversial, but some folks somewhere have misplaced their moral compass.
I tried posting to /r/darknetmarkets but the mods said I didn't provide enough proof so they removed this post. Truth be told, this was a pretty easy (and lucky) find that LE could have done the same. I say it's lucky because when I did some investigation into the IP, it appears that this is a new server. The admin is likely moving around to avoid detection.
I found this on Censys.io when I queried for the address of Wall Street's forum... and this IP popped up.
Openvas is mainly a network vulnerability scanner. This is similar to the local security check part of openvas, which is not as commonly used.
I've used neither the local security check part of openvas nor Vuls, so can't really tell how they compare in terms of signatures, except to say I think openvas relies on OVAL and this seems to rely on CVEs directly.
As far as scanning is concerned, and if you are on a tight budget, then OpenVAS (http://www.openvas.org/) is a decent option; it's a free security scanner. I'll admit that it's not particularly easy to use, but once it's up and running it works pretty well.
For logging etc. EventSentry (http://www.eventsentry.com) can help with a variety of PCI requirements, including real-time (event) log monitoring, file checksum monitoring, software (version) monitoring & inventory, AD changes, file access tracking (part of the compliance features) and more.
Burp is something you should know about, in my opinion. Take a look at it; our developers' jaws usually drop.
You can modify data after the browser has sent it. That bypasses all filters and security mechanisms in the browser.
You can use it to brute-force cookies, smuggle in code, etc. Something you should know if you are a security expert.
You might want to check the https://portswigger.net/burp. Unfortunately, the community edition lacks the "automated" tools, but you can request the trial of the professional edition for one month.
Burp Suite lets you look at web traffic between your browser and your favorite web apps! There's a professional version that definitely has a lot of cool extra features like a comprehensive vulnerability scanner, but the free version is great for starting out. https://portswigger.net/burp/documentation/desktop/getting-started/installing-burp
If you visit a website, your browser downloads the HTML, CSS, JavaScript, images, etc. It's on your computer, so you can do anything with it you want. With inspect element, you can change your version of the HTML. If you submit a form with the edited HTML, the server can't verify if you changed anything, because it all happened client side. You could also make your own HTML page with a custom form that sends a request to another page (although some sites block requests from other referrers).
It is easier to intercept the data with a proxy like Burp or ZAP (Zed Attack Proxy). There are also some browser extensions that allow you to view and modify HTTP requests.
This is why you should never trust any client side input.
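Added illustration of the point made in the comment above (my own example, not code from the thread or from any project mentioned on this page): the same checkout handler written twice, once trusting what the browser posted and once re-validating everything server-side. The catalogue, field names and function names are all made up for the example.

```php
<?php
// Constructed server-side catalogue; a real app would read this from a database.
const CATALOGUE = [
    'sku-100' => ['name' => 'Widget', 'price_cents' => 1999],
    'sku-200' => ['name' => 'Gadget', 'price_cents' => 4999],
];

// Vulnerable: trusts the hidden <input name="price"> and the maxlength-limited
// <input name="quantity"> exactly as the browser sent them. Everything in $post
// can be rewritten in dev tools or in an intercepting proxy before it reaches us.
function checkoutTrustingClient(array $post): array
{
    return [
        'sku'         => $post['sku'],
        'quantity'    => (int) $post['quantity'],
        'total_cents' => (int) $post['price'] * (int) $post['quantity'],
    ];
}

// Hardened: every value that matters is re-derived or re-validated on the server.
// The posted "price" is simply never read; the catalogue is the source of truth.
function checkoutValidated(array $post): array
{
    $sku = $post['sku'] ?? '';
    if (!isset(CATALOGUE[$sku])) {
        throw new InvalidArgumentException('unknown sku');
    }
    // HTML maxlength/min/max attributes are only hints to the browser; enforce the
    // real bounds here. filter_var() returns false for anything that is not an int
    // inside the range, including "1e3", "12abc" and negative numbers.
    $qty = filter_var(
        $post['quantity'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]
    );
    if ($qty === false) {
        throw new InvalidArgumentException('quantity must be an integer between 1 and 999');
    }
    return [
        'sku'         => $sku,
        'quantity'    => $qty,
        'total_cents' => CATALOGUE[$sku]['price_cents'] * $qty,
    ];
}

// Constructed tampered request: hidden price changed to 1 cent and a quantity
// longer than the form's maxlength="3" allowed.
$tampered = ['sku' => 'sku-100', 'price' => '1', 'quantity' => '1000'];

var_dump(checkoutTrustingClient($tampered)['total_cents']); // int(1000): 1000 widgets for $10

try {
    checkoutValidated($tampered);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

var_dump(checkoutValidated(['sku' => 'sku-100', 'quantity' => '2'])['total_cents']); // int(3998)
```

The design choice worth copying is in the second function: the server does not try to detect that the client "edited" anything (it cannot), it just refuses to use any client-supplied value that it can compute or look up itself, and validates the rest against its own bounds rather than the form's attributes.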
To brute force web forms I prefer to use Burp Suite's Intruder (https://portswigger.net/burp/help/intruder.html). Compared to Hydra and other similar tools, it gives you much more control on what's going on with the attack. It is also able to handle Basic Auth, with some minor tweaks.
Burp is a proxy/fuzzer suite, https://portswigger.net/burp/ you could use it to interact with the device once you're in the middle.
In order for Wireshark to see the packets you need to be in the middle of the connection, or on a shared media network. If these devices are Wi-Fi you need to do a monitor mode capture, which is an OS/driver/Wi-Fi device specific procedure. Your Wi-Fi chipset must have monitor mode available as well.
Just basic randomness tests with Burp Sequencer https://portswigger.net/burp/help/sequencer_tests.html
I should really test it with something much better, like TestU01, which I've read good things about
And this is precisely why we use tools like BlackDuck and Whitesource in large corporate environments where cargo-culting code from StackExchange and GitHub as well as hundreds of thousands of FOSS projects gets caught and ripped out.
It’s a major legal and compliance risk to include that in most applications unless you have free and clear authorization and a compatible license to use it in your project.
Oh man, I can just imagine making little cartoon characters for Bash, GNU and Kernel, something like this.
OpenVAS have made one. Doesn't appear to be packaged in any repos for common OS's, so you'll have to do it old school and compile it. Looks like an autotools project.
Never used it myself, so YMMV.
Can't say I understand the question fully. But for the sake of trying: I use Burp Suite http://portswigger.net/burp/ when doing blackbox testing of software. $300 / year is expensive. I've previously used WebScarab. Both require an understanding of what's happening, so it's not click and shoot.
If you want more click and shoot there are some more expensive commercial options. Your mileage may vary.
Does this even remotely answer your question? A slightly different answer may be something like OpenVas. http://www.openvas.org/ . I have no clue what you're asking for. Just offering various sec tools. Don't be stupid with them!
Nessus and Acunetix do two quite different things. Nessus will not find XSS or SQLi issues in a web app for example - it will find problems where for example a reported Apache version is out of date and has a security vuln, and other OS level issues. It will not find problems with poorly written web code, unless there is a specific widely publicised flaw in a well known product.
BackTrack has a ream of tools for attacking / pen testing sites and servers (for example Nikto), but you do need to know what you are doing to use them.
Acunetix is a more accessible product, but of course you pay for that privilege. If your time is more important than your money, I would say get both Nessus and Acunetix.
If money is an issue, then utilising the array of tools in Backtrack is probably the best solution, but it's intimidating and will soak up a lot of your time.
> how do you script getting an user’s profile information?
Good question.
I proxied Ingress through Burpsuite Proxy. This let me capture each Ingress player lookup query and modify it to my needs. The script I wrote automated this. I just fed my script a flat text file of in-game names (IGNs) I wanted to monitor for bot activity.
Example:
I just automated this process to look up dozens of suspected bot accounts on an hourly basis.
> Did you use a modded version of the client app
No.
> was there a different mechanism to script that data?
See above.
> How were you not flagged for using unauthorized software?
I used authorized software. I just proxied it.
You said you have a degree in Computer Science so I didn't know if they covered that in your courses.
Let me temper your expectations. You aren't going to be able to go after Facebook & YouTube right off the bat. These kinds of skills take years to develop, and even then the chances of "hacking" Facebook are a combination of luck and expert-level skill. So with those expectations in mind I can give you a little guidance.
First thing is you need to learn about the HTTP protocol, this is an essential skill in web hacking. This tutorial should help get you up to speed. Then grab a copy of Burp Suite and start playing around with different sites using it. DO NOT start with Facebook or Youtube, they are very complex and you will quickly be overwhelmed. Look for smaller simpler sites to get your feet wet.
Spidering a website does not involve any file name guessing, it just follows all the links on the site recursively. To guess filenames using wordlists use the Content Discovery feature.
I'm not sure how to do it in python, but check out Burp Suite
BurpSuite is a lesser known tool that's a bit more advanced than Charles (last I checked). You can actually perform an SSL MitM and replace the SSL certs. I've found it to be a lifesaver in certain applications.
Burp Suite Pro version has a "Collaborator" tool that uses randomly generated dns hostnames in requests to tie blind injections back to a specific request. If you're serious about finding web app vulnerabilities then $350 is a really low price to pay for the features you get in the Pro version. https://portswigger.net/burp/help/collaborator.html
You can try some free software yourself, which is basically what most of the "cheap" pen testing companies use anyway.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Main
It's not the best, but it'll at least give you some feedback if your site is really bad or good.
There's a feature under 'Engagement Tools', named 'Content Discovery'. That does exactly what you're asking but is only available for Pro versions.
https://portswigger.net/burp/help/suite_functions_contentdiscovery.html
And, BurpSuite's scanning is much more powerful and thorough than Nikto, in fact.
The easiest way (IMO) is going to involve a man in the middle hack.
Basically I would try and do something like this:
Phone requests webpage
Pass request through a Linux server set up as a VPN (don't set up VPNs on your college's network, they will probably notice this)
Have program on server doing sniffing (burp suite)
if url == something we're looking for swap it out before sending it back to phone
I'm sure someone here or over on /r/AskNetsec can come up with a more elegant solution though.
You should check out burp proxy as well. Great tool and makes a lot of that sort of thing very easy, like matching hosts and including or excluding certain traffic. You can export the cert and have this sign certs on the fly to MITM https requests. You can have it pause the traffic and let you modify the request before it goes out. It's a really great tool.
It can be helpful with reverse engineering for sure. I've used it to MITM my android traffic and figure out what an app was sending out and getting back. The appuse VM includes it and makes it easy to RE android malware and that sort of thing. It's great for reverse engineering some privately used REST API.
You can buy Burp suite (https://portswigger.net/burp/), 285€/y/user. Not cheap, but the semi-automated scanner is very good for that price. There's also the free version that has no scanner, which is very good for manual pentesting, but there you must know what you're doing (so it's not the best for casual security testing).
Assuming you're using an infrastructure-as-code approach, you can use something like https://www.whitesourcesoftware.com/free-developer-tools/renovate/
i.e. set up a Helmfile with your installations and check it in somewhere; Renovate will monitor that and make pull requests when a new version is available.
In this case I would think Tenable's free offering might be of value. There are restrictions compared to the paid ones but for a small home network it is often more than enough.
I was hearing that Rumble.run is doing vuln scanning now which is agent based asset management. They also have a home free offering.
Obviously OpenVAS (http://www.openvas.org/) is the open source version of Greenbone (which might explain why you are seeing a "sale price").
Hopefully that helps.
Hi, is there any error when you add the generic CI/CD driver? Share the debug log to investigate this further. Check this document about Integrating Burp Suite Enterprise Edition with other CI/CD platforms. In addition, try to set up a self-hosted agent and check it again.
I consider that a fallacy. See, for example: https://www.whitesourcesoftware.com/resources/blog/3-reasons-why-open-source-is-safer-than-commercial-software/
Personally, I see above all the following advantages of open source: no dependency on third-party companies that can go bankrupt and no longer fix the software. Bugs can be discovered and fixed early; that works best when you have many developers. A company may have only a few employees, who probably have other things to do as well…
Safety by obscurity is not a good guideline!
There are good reasons why the Apache and MIT licenses lead with more than half of the total open source projects - https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-trends-and-predictions/ with GPL trailing at 20% (10% for v2 and 10% for v3).
GPL and AGPL are not about freedom - they are about restrictions and ensuring a level playing field. True freedom (no conditions) is achieved through public domain and in jurisdictions that don't recognize the same - a permissive license with no attribution clause.
I think your example sort of proves my point: in your example, such a company is still using open source. Your prediction is basically that they would stop using gcc and replace it with a proprietary or homemade solution. But no, they keep using gcc, even if they spend time applying patches. I can only guess that this is a rational decision: even with this effort, using open source is still better value than alternatives. This is my point.
Also, people are still using OpenSSL (I guess you mean this, not OpenSSH), which was much more critical than log4j. The problem got fixed, and open source continues to grow in economic importance. In particular, the OpenSSL project saw a large increase in bug reports following Heartbleed: rather than abandoning it, the users (companies mostly) worked on fixing it.
https://www.whitesourcesoftware.com/resources/blog/how-the-heartbleed-vulnerability-shaped-openssl/
> SSL certificates specifically should only be bought from a small group of authorities trusted worldwide or they’re essentially pointless
https://www.censys.io/certificates/2028b5221de277ef1e961f4e3182a3c500ee5aa67bf5b544d3a6d58a5ea6777d
> C=RU, ST=Moscow, L=Moscow, O=RU-Center (ЗАО Региональный Сетевой Информационный Центр), CN=RU-CENTER High Assurance Services CA 2
> Browser Trust
Apple Trusted Intermediate
Microsoft Trusted Intermediate
Mozilla NSS Trusted Intermediate
Not sure if you're being sarcastic, but i'll answer you anyway. A vulnerability scanner is a piece of software that checks for rudimentary security flaws in a piece of software (desktop, or web application). It does so by using one of several techniques, namely: dynamic or static analysis. As the name suggests, dynamic analysis is the process by which you test the software as it runs. Static analysis requires access to the software code, and looks at the actual logic of the software.
Examples: http://cirt.net/nikto2 http://www.tenable.com/products/nessus
You can try setting a proxy with the http_proxy and https_proxy environment variables. Not all applications respect this though. You can also try Invisible Proxying if the script interacts with a specific host -
https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible
It was an infinite recursion.
My assumption is that the CVSS score was calculated like this.
I just built a similar setup. I have an offsite server at my brother's house. I set up Nextcloud on the server at my house, using ACME (Let's Encrypt), and HAProxy on my pfSense firewall to secure it. I then use rclone with the Nextcloud WebDAV settings to sync my files to the server at their house, and their files to mine. Nextcloud's website has a security scanner you can use to make sure it is a secure connection. I also signed up with a site called https://probely.com/ and they run a monthly scan with report to check for vulnerabilities. It is working great, and it was a fun project.
The IPs now show 404 errors, which makes us think they were using Nginx as a reverse proxy for the real site. A few people found the other IP, which was also taken down.
I am not sure how they found their IP but I found the one I posted by searching the site censys.io for various keywords. You can start with "onion market" but you'll see 100K's of results. Best to start narrowing it down with keywords that are unique to the site.
For Wall Street, I found it by searching for the onion address of their forum: https://www.censys.io/ipv4?q=x7bwsmcore5fmx56
You'll see two results. The 5.x.x.x one is a phishing site. The second one was not.
Use OpenVAS. You can schedule scans. It will do everything automatically. Then you will have all the data you need about your security posture. Looking for changes between scans is a manual process. I too would like a way to flag changes from the last scan. It's open source, so if you come up with something you can share it with the community.
> What would be the best tool to scan the network to get any info?
nmap
plus maybe OpenVAS. On today's networks, that's only going to give you a minority of the story. The good news is that tiny 15-seat organizations generally have very basic systems performing very predictable functions: file, print, email, etc.
> I have very limited information on any switches or the server
Start by looking at them, seeing what manufacturer and model they are, seeing what's plugged in where, what lights are lit, and why.
Very unlikely since OpenVAS switched the knowledgebase backend for openvas-scanner from files to redis in OpenVAS 8 ;-)
Unless you mean the version of the openvas-manager, that is 6.x (but part of OpenVAS 8). Numbering is a bit confusing, but there is a nice overview at http://www.openvas.org/install-source.html
This is how I did it. I apt-get removed the existing installation of OpenVAS and started over. I then installed OpenVAS per their guide http://www.openvas.org/setup-and-start.html
And it runs like a champ. I have also had many many struggles with OpenVAS over the years. If you post some logs/errors I can likely help you out.
Practice locally until you know what you are doing. You shouldn't be running Kali on anything on the internet until you are well versed in a protected environment.
It looks like there is an option for CLI on OpenVAS. http://www.openvas.org/src-doc/openvas-cli-1.3.0/index.html
OpenVAS has the omp command-line utility: http://www.openvas.org/omp-5-0.html
We use this to cycle through tasks configured in the GUI. You need the unique task ID to initiate a scan from the command line, e.g.
You can grab the entire task list with:
omp -G
and then feed the task you want to scan to:
omp -S <taskid>
I've been looking at Core Impact, but it's moderately expensive and I've never talked to anyone who's used the software.
I know it's not a substitution for an actual audit team, but it would be cool if you could do your own audits weekly and the big costly audits yearly.
Ultimately, pen testing is just looking for ways of breaking your application through things like exploiting unpatched software or common vulnerabilities like SQL injection.
There are a variety of ways, and with custom software, you often will need to review your code to look for spots to test. For example, maybe you require login to your main application, but your main application makes calls to an AJAX controller, and that AJAX controller isn't secured.
There are a variety of commercial tools out there, but if you're just learning, you might want to start with something free just to get the hang of it before you look at anything commercial and more fully-featured.
I'd recommend starting with Burp community edition:
https://portswigger.net/burp/communitydownload
Basically, Burp implements a proxy that captures you going through all the steps of your application (logging in, hitting every single page, using every feature you have, etc). Once you've gone through all the scenarios, you tell Burp to go ahead and run its test. It will take the information it's captured about each step and basically start pounding those URLs with different, common attacks to see if any of your pages are vulnerable to them (it's usually best to set up a virtual machine with a full COPY of the site, where you do your testing, just in case a successful attack ends up destroying any data by accident).
Yes, the binary is pretty much impossible to work with. As of 2021.8 Burp provides two different text views - there's full documentation here: https://portswigger.net/burp/documentation/desktop/http2
Prior to that, we were basically downgrading and upgrading.
This tool, Burpsuite is one of the industry standards. Check out their documentation on “content discovery” here
As for banning IPs, in today’s age that doesn’t matter too much. I’d consider IPs to be somewhat ephemeral when talking about potentially bad actors. For example, you likely wouldn’t just have a laptop running your attack scripts, but you’d probably spin up tons of virtual servers to execute the code and then get torn down after they’re done. In fact, even that can be automated so each command could come from a different IP.
Easiest way is to isolate device connections to WLAN by removing the SIM-card. Then run burpsuite, add proxy settings to device and see where it connects.
I have no idea what cargo collective is, but it sounds like you need to fix your HTML temporarily on the client-side in order to use the UI and fix it permanently on the server side.
So maybe use a proxy tool to intercept the HTTP response and fix the broken script tag, and then fix it in the UI.
You can probably do this with just developer tools, but if not then you can certainly do it with a proxy tool such as burp which you can get for free: https://portswigger.net/burp/communitydownload
You may be able to do this by configuring the DNS or changing the Host file on the guest machine to redirect hosts that you know the application uses to the Burp proxy. See Burp's write up on invisible proxying https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible.
https://portswigger.net/burp/pro/video-tutorials
Here are video tutorials for Burp suite straight from the creators.
I'm assuming you're new to this area. Not to be a dick, but try to Google your problem. Read all the information you can find on a subject/tool, if you're still stuck then I'd recommend asking for help.
Welcome to the community though! Hope you enjoy and learn a lot!
(I'm by no means any type of expert or even knowledgeable. I've used burp suite and semi know my way around. I'm always still learning as well. This field is a never ending classroom with many things to learn!)
I've done something like this with Burp Suite (free version here). It runs a proxy which you route your traffic through. I was using a web app, so I configured my browser to use the proxy, but there's probably some way to have your OS use the proxy system-wide so you can use it with your desktop application.
All these answers are wrong. All you need to do is download the security certificates from port swigger into firefox and install the foxyproxy extension. All your problems will go away after that. All you need to do then is configure foxyproxy to point to localhost + burp suite port. Then it's only a matter of clicking between normal and burp internet in foxyproxy.
https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate/firefox
Looking at your image it's port 443 so that looks like DoH. Considering it's just HTTPS you might be able to proxy it with something like burp proxy and trusting the burp certificate on the machine. You will probably need to do invisible proxy to force the traffic through your burp VM.
Did you import burp's root certificate so that it's trusted as a CA? Essentially, for BURP to work with TLS, it needs to man-in-the-middle your browser traffic and for this to work properly, your browser needs to trust Burp's certificate as a CA cert. https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate <-- has more details and instructions.
I'd love to take a look at it but I won't be able to before the 30th of June since I have exams coming up. It might also be interesting to use something like Burp to see what kind of information the site expects.
So the guy runs a scan against the NP2 using a very common scanning tool, then chirps about the findings on Twitter? What a lame-o.
The problem with a guy like Zoom flexing his "security researcher" chops is that you can't really trust anything he says, especially if he is posting it to Twitter for attention. He could be telling the truth 100%... or (more likely) he is inferring half of the information from scan results to sound more impressive. The fact that he is lying about working on the site in the first place (according to Dick) is a red flag right out of the gate.
Either way, quibbling with him about the findings is not a good idea, because it could be used to confirm information that he isn't really sure of.
> You run jquery version X, you're so insecure!
> What are you talking about? I run version Y of jquery.
> Version Y, you say? Interesting...
Lastly, if this guy does "security research" for a living, he is the last person I would hire. Clients don't like it when the people they hire have a history of chirping about their security findings on Twitter for internet points.
TLS(https) sites are going to throw a fit when trying to intercept their communications. You need to install the BurpSuite cert in the browser.
https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate
Chrome->Developer Tools->Network
Also check out ZAP(https://owasp.org/www-project-zap/), or BurpSuite(https://portswigger.net/burp) as both of those projects allow you to not only intercept and monitor the communications, but manipulate them in transit as well.
I might be off on this, but I'm thinking of the way burp intercepting proxy does it. Why can't the router do similar? It generates a private key and stores the certificate in a place where you can download it and install it as a trusted root on the devices that need it. Yes, the place to download the certificate is via http so you fall back to trust-on-first-use.
I've heard this through my work actually, since I think there were plans there to make sure that malware won't slip through secure connections. I think the hardware wasn't cheap either. However, I managed to find more sources about how the intercepting could be done too, with software. Here's one, about Burp (which isn't cheap either): https://portswigger.net/burp/documentation/desktop/tools/proxy/using
Is it for personal use like a single client or is it for a whole office or similar?
If it's the former, then something like Burp Suite is handy. It's included in Kali Linux among other similar tools:
Or, if it's for the masses, is it a forward proxy (known clients towards unknown servers) or a reverse proxy (unknown clients towards known servers) you want to alter the content of?
Because one thing to consider, if it's the forward approach, is that you will also need to deal with SSL termination, and some services have their certs pinned in order to avoid exactly that (as in, trying to forward proxy and modify the flows for, let's say, Gmail, which has its certs pinned in the browser, will fail).
For free, easy to understand, but slightly slow, HackerOne was my first step with it. One of the guys at their booth at DC26 talked me into checking it out, and it wasn't terrible. Everything else I learned about it has been Stack Overflow type stuff combined with the documentation and experimenting against sites I set up to hack on my own network.
Indeed, it allows for easy plugin integration, you can quickly script something in python for that. Not sure now if the support for python is the pro version only though: https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension
> Sometimes a vulnerability can also be something really innocuous, like checking the result of strpos() with == instead of ===, leading to unexpected behaviour because it can return non-Boolean values that evaluate to false.
Yeah, 100%!
You won't believe the number of things I've found over the last few months just looking for unprivileged ajax hooks that are exploitable. What I think happens is developers put the normal ajax hook in, then it doesn't work as expected, so they hook the function to the unprivileged one as well, and it slips their mind to do all the usual WP privilege checking that they're bypassing by using that hook.
If you're interested in vulnerability research in WordPress plugins/themes, there's tons of low-hanging fruit out there exactly like that (I must've reported at least 5 or 6 in the past month and I've spent very little time looking for them!).
Another fairly common thing I've seen is folks checking non-specific nonces as a form of access control, but then not actually checking the current user's capabilities... so for example if there's an endpoint that's supposed to be admin only, but the only thing it checks is a non-specific nonce, it's fairly easy to subscribe to a site, grab the nonce for changing your user settings, and send that nonce along with the request to the endpoint.
If you're a plugin developer, you need to do one of two things (possibly both) - either point curl at every endpoint and try different combinations and see what's triggered, or download and install Burp Suite (or any other intercepting proxy), and run through some tutorials for it before pointing it at your plugin. It'll really open your eyes - everything that comes from the visitor needs to be checked for sanity and distrusted!
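The two mistakes described above (an admin-only handler registered on the `wp_ajax_nopriv_` hook, and a plugin-wide nonce used as if it were an authorization check) side by side with a hardened handler. This is an added example, not code from any commenter or any real plugin; the `demo_` prefix, option name and field names are made up, everything else is the WordPress core API.

```php
<?php
/*
 * Added example (not from the thread or any real plugin).
 * Assumed: plugin prefix "demo_", option "demo_admin_email", POST field
 * "admin_email". All functions called are WordPress core.
 */

/* --- Vulnerable pattern ------------------------------------------------ */

// Both hooks are registered, so the handler also runs for visitors who are
// not logged in at all (wp_ajax_nopriv_*). Nothing below checks who calls it.
add_action( 'wp_ajax_demo_save_settings',        'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

function demo_save_settings_vulnerable() {
    // A plugin-wide nonce action ("demo") is reused by every form the plugin
    // renders, including the one on an ordinary subscriber's own settings
    // page, so any logged-in user already holds a valid value for it.
    check_ajax_referer( 'demo', 'nonce' );

    // No current_user_can() check: the nonce is treated as authorization,
    // and the value is written unsanitized.
    update_option( 'demo_admin_email', $_POST['admin_email'] );
    wp_send_json_success();
}

/* --- Hardened version -------------------------------------------------- */

// Only the logged-in hook. Anonymous requests never reach the handler;
// admin-ajax.php answers them with its default "0" response.
add_action( 'wp_ajax_demo_save_settings_v2', 'demo_save_settings_hardened' );

function demo_save_settings_hardened() {
    // 1. A nonce tied to this specific action. On failure check_ajax_referer()
    //    dies with a -1 response, so nothing below runs.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 2. Capability check. The nonce only proves the request came from this
    //    plugin's own form for this user; it says nothing about privileges.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Treat the value as untrusted: unslash, sanitize, validate.
    $email = isset( $_POST['admin_email'] )
        ? sanitize_email( wp_unslash( $_POST['admin_email'] ) )
        : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    update_option( 'demo_admin_email', $email );
    wp_send_json_success( array( 'admin_email' => $email ) );
}

// Where the admin form is rendered, issue the action-specific nonce, e.g.
//   wp_nonce_field( 'demo_save_settings', 'nonce' );
// or hand it to a script with
//   wp_localize_script( 'demo-admin', 'demoAjax',
//       array( 'nonce' => wp_create_nonce( 'demo_save_settings' ) ) );
```

The order matters: nonce first (so CSRF attempts die early), capability second (so a valid nonce from a low-privilege user is still refused), input validation last. Dropping the `wp_ajax_nopriv_` registration is the right default for anything that changes state; register it only for handlers that genuinely serve anonymous visitors, and give those their own capability-free but rate-limited and sanitized code path.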
No, you do not require internet to access http://ipaddress/comodore64/index.php
You may need to turn intercept off in BurpSuite or manually forward the packet. With intercept on, the packet is being held by BurpSuite for you to manually verify or edit before sending it, so the session is hanging. That's probably why you're getting a spinning wheel.
Most likely you mean Burp. Specifically the "replay" tab. You can use Burp as an HTTP proxy and if you want to play with a particular request you can do "rightclick->Send to repeater" and then play with it.
I've answered similar questions in the thread, but for me personally, I was lucky enough to start my career in information security consulting and had some awesome mentors to walk me through the basics and beyond ;). That said, everyone's path is different! If you're passionate and want to learn, Google is your friend, but it helps to know what to search for and where to begin. Information security is a huge field with tons of various focus areas, so I'd recommend starting really broadly with your research then dive deeper on any areas that seem interesting to you. For application security in particular, I'd recommend https://google-gruyere.appspot.com/ as a good starting point for learning the basics. You can also check out https://portswigger.net/burp/download.html or any other web proxy, become familiar with how HTTP requests/responses work, etc.
In general, yes, you'll want both network scanner and web scanner. Nexpose is free for 32 IPs if you have a small net you're concerned about.
Yes, post login scanning is possible, but more difficult. First of all, you need to be careful about what you're scanning: for instance if you scan a "delete users" function without thinking carefully about what it's doing you might have a bad time. ;-)
With burp you can use the built in session handling which is a bit complicated, or manually log in and have the tools set up to use the cookie jar. Most other tools have similar functionality, and the $$$ tools like Appscan and webinspect have easier to use wizards. Acunetix is somewhere in the middle of the cost/ease of use spectrum, and is a pretty good value.
See https://portswigger.net/burp/help/options_sessions.html for some info on this, but there are a lot of quirks to deal with in various applications, and this is part of where a pro or more expensive tools show their value.
You can practice on test targets like DVWA which have a login to see how it goes in general.
https://portswigger.net/burp/download.html
I loaded 20000 random 72-bit tokens and it estimated 70 bits.
I used the option to base64 decode tokens before analyzing, of course.
I don't know what kind of info your db holds, but if he gave you back anything more than usernames and hashed passwords or you store anything more than that, you need to hire a professional.
That being said, I would take a shot at it with BurpSuite. If you know what you're doing and what to look for, you'll more than likely find a lot of vulnerabilities just using that.
Metasploit, SQLMap, Acunetix and the like are all good things to try turning on your site as well.
Well, it is just the tip of the iceberg. For the past month, I've been reporting malicious NPM packages and versions (due to ATOs) on a daily basis with over 350 in the last 30 days.
I tried to aggregate the data on this incident here (as someone suggested):
https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-949936808
Here's a short writeup I did on that particular case: https://www.whitesourcesoftware.com/resources/blog/popular-javascript-library-ua-parser-js-compromised-via-account-takeover/
I'd ask the projects that you intend to consume the service what they could handle. I've heard that a straight GPL doesn't preclude it being offered as a SaaS for profit, and there are a number of projects that have changed the license because they've been hit with competing companies doing that, and then not putting up the changes they've made because selling a hosted service avoids the requirements that packaging it for download makes necessary. It seems like they move to an AGPL in those cases.
https://www.whitesourcesoftware.com/resources/blog/the-saas-loophole-in-gpl-open-source-licenses/
Zlib uses its own license which is permissive, so there are no pervasive worries there. You can choose most others you might like to use. The Apache 2.0 and MIT licenses are the most popular in open source.
I'm not sure about which license will ensure the product is free - the idea about most of these licenses is not that you can't make money selling code, but rather that the source has to be freely available. In fact, the ability to sell the software is part of the Open Source Definition.
I'm not too good at using docker, but I think you need to expose ports from the container, ports 8096 and 8920 so that they can be accessed outside the container. But I feel that is not the case as you can access it from LAN and all. Another thing is make sure "Remote IP address filter" list under Networking is properly entered, and the mode is set correctly. I would try to open F12 dev tools in the Web browser and see what errors are encountered.
Hope this helps
There are a lot of different rights for software, ranging from "you aren't even allowed to see the code" (copyright) to "do whatever you want with it" (copyleft).
You could grab copyleft source code and sell it as is. The only restriction of copyleft is that you can't include it in a project that's under a different licence (this is the case with the GPL licence).
Other open source licences are more permissive and allow the code to be used in commercial projects under certain conditions. For instance, LGPL allows you to use it in commercial products as long as the code which was originally under LGPL remains under LGPL. The rest can be under whatever licence you want.
Licensing is not a task a simple programmer can understand completely. When there's a tool you want to use, you need to find out what its licence is and then google to find out if that licence is compatible with the one you intend to use.
This site offers some general descriptions of licences. But keep in mind that licences can change, and they can be customized, so whatever you read here is a mere guide. If your project is big you should consult with a lawyer.
https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-explained/
Funny names in science are kind of a thing. Sonic the Hedgehog gene is my favorite example.
This happens regularly in computer science as well. GNU = GNU's Not Unix is pretty old.
A lot of famous scientists are creative and have a sense of playfulness.
> And what does the kernel maintenance team would do? They're not security experts
They kind of are. Most of them are employed by large companies to maintain the kernel.
Security audits miss a lot. Microsoft has an internal audit team, yet Windows has a ton of security vulnerabilities that get reported.
The main difference between proprietary code and open source code is that anyone is free to audit (and fix) open source code. Big companies with internal security teams do just that for critical code, and the big takeaways from Heartbleed were audits and better funding. Companies didn't switch to proprietary code; they instead fund the projects they use better.
> OSS = security
OSS isn't secure by nature; it's merely open so anyone can prove that it's secure. A company's claim to have done a security audit is only as good as the reputation of the security company doing the audit, whereas an audit of an open source project can be reviewed by the community at large. That's what happened with OpenSSL.
https://www.whitesourcesoftware.com/free-developer-tools/bolt-for-azure-vs-full-solution/ scans your dependencies and checks for known vulnerabilities or possible licensing issues. We have it integrated in our build pipelines in Azure DevOps.
Expose your container ports to your Linux server. So if you are using a Grafana container, expose container port 3000 and it will be available at 10.0.0.x:3000, or whatever IP your Linux server is on. Never connect to the 172.x.x.x address. Just expose your ports to the Linux server. Use Docker Compose to spin up your containers and use the ports line to expose them.
https://www.whitesourcesoftware.com/free-developer-tools/blog/docker-expose-port/
The policy is to use WhiteSource which flags possible vulnerabilities. It runs as a build pipeline step and it is managed by the CISO team (not the devs!). If we have a true positive we evaluate it, but most likely we don't approve it.
The title is pure clickbait; the article nowhere mentions which these "3 least secure programming languages" are.
It simply quotes this report (which they forgot to link): https://www.whitesourcesoftware.com/open-source-vulnerability-management-report
The report was written by a company that sells vulnerability detection software, and naturally they want to make their product look very necessary.
The TechRepublic article does point out that the high number of vulnerabilities found by the report among programs written in C has to do with the high number of programs written in C, but it doesn't attempt to calculate a ratio like vulnerabilities per line count or similar, so it doesn't really add much to a report that must itself be read with a pinch of skepticism.