Burp Suite the Must have tool for Pen Testers

Burp Suite's pretty much the go-to tool for web app pentesting. Although the licensed version is a must-have, the free version equally rocks. Once you've bossed it you won't be able to do without it ;->

Here are some handy tips & tricks; although some of the info's dated, it's still very relevant…

Burp Suite Pro Real-life tips & tricks

Pentesting With Burp Suite

Introducing FuzzDB

Web App Defaults URL list

Let me know your thoughts on the usability of Burp Suite and whether we need to do a redesign of this tool, or if you prefer other tools over Burp Suite, like OWASP ZAP.

Single Page Application Security

Due to the massive change over the last few years in JavaScript frameworks and the upcoming prominence of Node.js, I thought I'd share some of these talks around Angular, Ember, React, Mustache, Node and more…

Getting Single Page Application Security Right

Security Around Single Page Apps

Slides For Securing Single Page Apps

Security Testing AngularJS Part 1 – WTF Is It, Why Should I Care And How Do I Know I’m Testing It?

Security Testing Angular

OWASP Top 10 for AngularJS Applications

Top Ten Vulnerabilities For Angular

Wiki dedicated to JavaScript MVC security pitfalls

MVC Security Pitfalls

Node.js Security Checklist

Node.js Security Pitfalls

Pentesting JavaScript Frameworks

When HTML5 made its debut, dynamic HTML and rich content were all the rage (e.g. Ajax, Flash, Silverlight, DOM). That was until Single Page Applications (MVC) rocked the boat: presentation logic is handled client-side (JavaScript-driven templates). So, with that in mind, as a pentester you need to familiarise yourself with these frameworks (e.g. Angular, Ember, React) and pay careful attention to client-server logic interactions (e.g. RESTful APIs). Don't assume common vulnerabilities (e.g. XSS, CSRF) can be exploited in the usual way. General scanning tools are not going to come to your rescue…

Getting Single Page Application Security Right

Single Page Security PDF

Single Page Security Video

Wiki dedicated to JavaScript MVC security pitfalls

JavaScript Security Wiki

MS Word and Adobe Security Exploits

What We’re Sharing in our MS Office and Adobe Documents

What's in my Word document?

Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way. Back in February 2003, 10 Downing Street published a dossier on Iraq’s security and intelligence organizations. This dossier was cited by Colin Powell in his address to the United Nations the same month. Dr. Glen Rangwala, a lecturer in politics at Cambridge University, quickly discovered that much of the material in the dossier was actually plagiarized from a U.S. researcher on Iraq.

Microsoft Word bytes Tony Blair in the butt

Politicians and Security

FOCA is a network infrastructure mapping tool that can be used for OSINT. It can analyze metadata from various files, including doc, pdf and ppt files. FOCA can also enumerate users, folders, emails, software used, operating system, and other useful information.

Find Documents With Foca
