With this IFTTT plugin, this blog post will now be synced to this one: http://happypentest.blogspot.hk/
There are several things we check when building a secure web page. We assume the assessment is done as a black box. Included here are some steps and procedures for a simple analysis of a web page. The following is from 2010; it takes no reference from SANS and OWASP’s checklists, but it contains what came to my mind at the moment I posted.
Imagine you carry your own notebook to do assessments at different client sites. You want to run several scripts and keep different configuration files for different sites. I found it quite useful to be notified of which IP you currently have and to have your working directory changed to a certain folder. Here is the script to put in ~/.profile when you are using a Mac:
# Check if I am at the office: match the Wi-Fi router line exactly, then cd and print a banner
networksetup -getinfo Wi-Fi | grep -x "Router: 123.123.123.123" > /dev/null && cd /Users/anony/Documents/work && \
toilet -f mono12 -F metal Office
It works if you are running OS X 10.7.2 with the program ‘toilet’ installed. You can get it with "sudo port install toilet".
Here is the result when I am in the office with IP 123.123.123.123
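Extending the ~/.profile one-liner above to several client sites, as an added example that is not the author's script: the function names, the SITE_MAP format, the ClientA row and the sample networksetup output are assumptions constructed for illustration.

```shell
# Added example (not the author's script): one ~/.profile hook for several sites.
# Map format: router IP|banner label|working directory. The first row uses the
# post's values; the second row is constructed (192.0.2.1 is a documentation IP).
SITE_MAP='123.123.123.123|Office|/Users/anony/Documents/work
192.0.2.1|ClientA|/Users/anony/Documents/clients/client_a'

# Constructed sample of `networksetup -getinfo Wi-Fi` output, for offline testing.
SAMPLE_INFO='DHCP Configuration
IP address: 123.123.123.45
Subnet mask: 255.255.255.0
Router: 123.123.123.123
IPv6: Automatic
IPv6 Router: none'

# Print the IPv4 router from getinfo output on stdin. The exact match on the
# field name skips the "IPv6 Router:" line, as grep -x does in the one-liner.
router_from_info() {
    awk -F': ' '$1 == "Router" { print $2; exit }'
}

# Print "label|dir" for a router IP; return 1 when the router is not in the map.
site_for_router() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$SITE_MAP" |
        awk -F'|' -v r="$1" '$1 == r { print $2 "|" $3; hit = 1; exit } END { exit !hit }'
}

# Profile hook: detect the site, cd into its folder, print the banner.
enter_site() {
    _info=$(networksetup -getinfo "${1:-Wi-Fi}" 2>/dev/null) || return 1
    _router=$(printf '%s\n' "$_info" | router_from_info)
    _site=$(site_for_router "$_router") || {
        echo "Unknown network (router: ${_router:-none}), staying in $PWD"
        return 1
    }
    cd "${_site#*|}" || return 1
    if command -v toilet >/dev/null 2>&1; then
        toilet -f mono12 -F metal "${_site%%|*}"
    else
        echo "== ${_site%%|*} =="
    fi
}

# Run the hook only where networksetup exists (macOS); never fail the login shell.
if command -v networksetup >/dev/null 2>&1; then enter_site || :; fi
```

A router address identifies a network only loosely: common private gateways such as 192.168.1.1 appear on many unrelated networks, so a map keyed on one can land you in the wrong client folder.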
For a penetration test, most checking procedures are standardized and routine. Don’t you ever get tired of typing nmap, Nessus, or Saint by hand? Do you still feel safe and rational typing ‘cd’ a thousand times to change directory to manage your clients? Even if you have proudly upgraded yourself and started using some funny GUI from Nexpose or Tenable, you will still suffer from managing them manually. Those automated tools are no longer helpful or customizable when you meet a standard crappy IPS that blocks typical scanning.
Manual assessment is your own value proposition, distinguishing you from others in terms of skills, knowledge and speed! But the term “manual” is often overused by companies. It doesn’t mean spending your time and effort typing ls and cd on the keyboard with your bloody hands, but using your mental power to think of an alternate route to penetrate the system. Here is a handy script I wrote for myself to save time, run a penetration test in a more organized manner, and help you focus on real hacking rather than typing.
client my_client_name