Security Testing
Web Application Security Testing
Cross-Site Scripting (also known as XSS) is one of the most common application-layer web attacks. XSS vulnerabilities target script that is embedded in a page and executed on the client side (in the user's web browser) rather than on the server. The root weakness is not HTML or JavaScript as such but the application's handling of untrusted input: when user-controlled data is placed into a page without output encoding appropriate to its context (element body, attribute, script, URL), an attacker can supply markup or script that the victim's browser executes with the privileges of the vulnerable site's origin. The concept of XSS is to manipulate the client-side code of a web application so that it executes in the manner desired by the malicious user; the reflected, stored and DOM-based variants differ only in where the injected input comes from.
Categories: Internet Security, Security Testing Tags: cross site scripting, Free Guide, Internet Security, testing
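The output-encoding point above, as an added example that is not part of the original post. The greeting page, its function names and the two attacker inputs are constructed for the demonstration; the only library call is Python's standard `html.escape`.

```python
import html

# Constructed attacker inputs for the demo (not real-world captures).
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"   # element-body context
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'               # attribute context


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: the untrusted value is concatenated straight into the HTML,
    once inside an element body and once inside a double-quoted attribute."""
    return (
        "<h1>Hello, " + name + "</h1>\n"
        '<input type="text" name="name" value="' + name + '">'
    )


def render_greeting_safe(name: str) -> str:
    """Hardened: the value is HTML-encoded before it is placed in the page.

    html.escape(..., quote=True) encodes < > & " and ', which is the right
    encoding for an element body and for a quoted attribute value. A value
    landing in a JavaScript string, a URL or a CSS rule needs that context's
    own encoder instead; this example covers only the two contexts shown.
    """
    encoded = html.escape(name, quote=True)
    return (
        "<h1>Hello, " + encoded + "</h1>\n"
        '<input type="text" name="name" value="' + encoded + '">'
    )


def payload_survived(rendered: str) -> bool:
    """Demo check: is either payload still live in the markup, i.e. an
    unencoded <script> tag or an attribute that broke out of its quotes?"""
    return "<script" in rendered or '" autofocus onfocus="' in rendered


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe payload live:", payload_survived(render_greeting_unsafe(payload)))
        print("safe payload live:  ", payload_survived(render_greeting_safe(payload)))
        print(render_greeting_safe(payload))
```

The second payload is the reason "strip `<script>`" is not a fix: it contains no tag at all and works purely by closing the attribute's quote. Encoding for the context, rather than filtering for known-bad strings, is what closes both.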
SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that is executed by the web application, exposing the back-end database. SQL Injection attacks occur when a web application builds a command or query from user-supplied data by string concatenation, without proper validation or escaping, instead of passing the data through parameterized queries. The specially crafted user data tricks the application into executing unintended commands, reading data it should not expose, or changing data.
Categories: Internet Security, Security Testing Tags: Free Guide, Internet Security, SQL Injection, testing
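The concatenation-versus-parameterization contrast above, as an added example that is not part of the original post. The users table, its rows and the bypass string are constructed for the demo and run against an in-memory SQLite database via Python's standard `sqlite3` module; storing plaintext passwords is purely to keep the demo short.

```python
import sqlite3

# Constructed sample data: two accounts in an in-memory SQLite database.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]

# Constructed attacker input: closes the string literal, adds a tautology and
# comments out the rest of the WHERE clause (SQLite honours "--" comments).
BYPASS_USERNAME = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    comment markers in the input become part of the statement."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: a parameterized query. The driver binds the values separately
    from the statement text, so they can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run a legitimate login and the bypass against both implementations."""
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "bypass_unsafe": login_unsafe(conn, BYPASS_USERNAME, "wrong"),
        "bypass_safe": login_safe(conn, BYPASS_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the bypass string the vulnerable statement becomes `... WHERE username = '' OR 1=1 --' AND password = 'wrong'`, which returns every account; the parameterized version compares the literal text `' OR 1=1 --` against the username column and matches nothing.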
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim's web browser into sending requests to a site where the victim is authenticated, so that the site processes them as if the authorized user had intentionally performed those actions. For example, if a user who is logged in to an online bank visits a hostile web site, that site can make the browser submit a request to the bank that carries the user's session cookie and changes the user's transaction password or transfers funds to the attacker's account. The bank cannot tell the forged request from a legitimate one unless it checks for something the hostile site cannot obtain, such as a per-session anti-CSRF token.
Categories: Internet Security, Security Testing Tags: Cross-Site Request Forgery, Free Guide, Internet Security, testing
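The bank scenario above, as an added example that is not part of the original post: a toy in-memory "bank" with a cookie-only transfer endpoint next to one protected by a synchronizer token. The class, account names and balances are constructed for the demo; the token handling uses Python's standard `secrets` and `hmac` modules.

```python
import hmac
import secrets


class BankServer:
    """Constructed toy server: sessions and balances live in memory."""

    def __init__(self) -> None:
        self.sessions = {}                        # session cookie -> state
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user: str) -> str:
        """Issue a session cookie and a per-session anti-CSRF token."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def transfer_form(self, sid: str) -> str:
        """GET /transfer on the bank's own origin: the page embeds the token
        in a hidden form field, so a same-origin submission can send it back."""
        return self.sessions[sid]["csrf_token"]

    def transfer_unsafe(self, sid: str, to: str, amount: int) -> str:
        """Vulnerable: authorizes on the session cookie alone. The browser
        attaches that cookie to a cross-site request too, so a hostile page
        can trigger a transfer on the victim's behalf."""
        return self._move(self.sessions[sid]["user"], to, amount)

    def transfer_safe(self, sid: str, to: str, amount: int, csrf_token) -> str:
        """Hardened: requires the session's token in the request body. A
        cross-origin page cannot read the token (Same-Origin Policy), so a
        forged request arrives without it, or with a guess that fails the
        constant-time comparison."""
        sess = self.sessions[sid]
        if not csrf_token or not hmac.compare_digest(sess["csrf_token"], csrf_token):
            return "rejected: missing or invalid CSRF token"
        return self._move(sess["user"], to, amount)

    def _move(self, src: str, dst: str, amount: int) -> str:
        if self.balances.get(src, 0) < amount:
            return "rejected: insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return "ok"


def simulate_forged_transfer(safe: bool) -> tuple:
    """Alice is logged in; a hostile page makes her browser POST a transfer.
    The browser sends her cookie, but the attacker has no token to include."""
    bank = BankServer()
    victim_cookie = bank.login("alice")
    if safe:
        outcome = bank.transfer_safe(victim_cookie, "mallory", 50, csrf_token=None)
    else:
        outcome = bank.transfer_unsafe(victim_cookie, "mallory", 50)
    return outcome, bank.balances["alice"], bank.balances["mallory"]


def simulate_legitimate_transfer() -> tuple:
    """Alice submits the bank's own form, which carries the token."""
    bank = BankServer()
    cookie = bank.login("alice")
    token = bank.transfer_form(cookie)
    outcome = bank.transfer_safe(cookie, "mallory", 30, csrf_token=token)
    return outcome, bank.balances["alice"]


if __name__ == "__main__":
    print("forged, cookie-only endpoint:", simulate_forged_transfer(False))
    print("forged, token-checked endpoint:", simulate_forged_transfer(True))
    print("legitimate, token-checked:", simulate_legitimate_transfer())
```

The token must be unpredictable, bound to the session and compared in constant time, all of which the example does; the `SameSite` cookie attribute is a useful second layer in real deployments but does not replace the token check.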
Lightweight Directory Access Protocol (LDAP) Injection
LDAP is a widely used open-standard protocol for both querying and manipulating information directories. The LDAP protocol runs over Internet transport protocols such as TCP. Web applications may use user-supplied input to build custom LDAP search filters for dynamic web page requests. LDAP injection is the technique of exploiting web applications that place client-supplied data in LDAP statements without first escaping or rejecting the filter metacharacters (*, (, ), \ and NUL) that let the input alter the structure of the filter.
Categories: Internet Security, Security Testing Tags: Free Guide, Internet Security, LDAP, LDAP Injection, testing
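The metacharacter point above, as an added example that is not part of the original post. It builds a login filter the unsafe way and the RFC 4515 way and adds a small structural check; the filter shape, attribute names and the injected username are constructed for the demo, and no directory server is contacted.

```python
# RFC 4515 escaping for a value inserted into an LDAP search filter: the
# five characters that carry meaning inside a filter become \XX hex escapes.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only match as literal text."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: raw input is formatted into the filter."""
    return "(&(uid=" + username + ")(userPassword=" + password + "))"


def login_filter_safe(username: str, password: str) -> str:
    """Hardened: every inserted value is escaped before formatting."""
    return ("(&(uid=" + escape_filter_value(username) + ")(userPassword="
            + escape_filter_value(password) + "))")


def top_level_expressions(ldap_filter: str) -> int:
    """Count parenthesised expressions at nesting depth 0. A well-formed
    filter has exactly one; returns -1 if the parentheses are unbalanced."""
    depth = count = 0
    for ch in ldap_filter:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
    return count if depth == 0 else -1


# Constructed attacker input: closes the uid assertion, ORs in a wildcard and
# pushes the password check out into a second, trailing filter expression.
INJECTED_USERNAME = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    for build in (login_filter_unsafe, login_filter_safe):
        f = build(INJECTED_USERNAME, "x")
        print(top_level_expressions(f), f)
```

The unsafe build yields `(&(uid=*)(uid=*))(|(uid=*)(userPassword=x))`: two top-level expressions, the first of which matches every entry regardless of password. How a particular server treats the trailing expression varies, which is why the defence has to be applied before the filter is assembled. The escaped build keeps a single expression in which the whole username is literal text, and a bare `*` on its own becomes `\2a`, so the wildcard-only variant is blocked as well. Note that values placed in a distinguished name need the separate RFC 4514 escaping rules, not these.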
Introduction to Mobile Code Security
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general-purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. They are designed around personal and communication functionality, which makes the mobile application and mobile code security risks different from the traditional computing risks.
Categories: Internet Security, Security Testing Tags: Free Guide, Internet Security, Mobile Code Security, testing
DOM Snitch is an experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. Key features:
Real-time: developers and testers can observe DOM modifications as they happen inside the browser, without stepping through JavaScript code with a debugger or pausing the execution of their application.
Easy to use: with built-in security heuristics and a nested view, both advanced and less experienced developers and testers can quickly spot areas of the application under test that need more attention.
Categories: Internet Security, Security Testing Tags: chrome security, DOM Snitch
In this video from OWASP AppSec Research 2010, David Byrne and Charles Henderson from Trustwave talk about automated vs. manual security.
Categories: Internet Security, Security Testing Tags: Automated vs. manual security
Data64 Techno Solutions Pvt Ltd is an innovative educational organisation that develops, evaluates and disseminates programs that foster intellectual development and career enhancement. Data 64 is a registered company headquartered in Pune – the education capital of India.
Categories: Internet Security, Security Testing Tags: Free security testing course, Hacking & Security, Password Breaking
Google released Skipfish, a free, fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Categories: Automation, Internet Security, Security Testing Tags: google security scanners, Skipfish