SECTORIX

Confessions of a Dangerous Mind

Security

EXIF Cross Site Scripting, PHP Fun

As most security folks know, there are numerous ways to infect computers via infected image files that contain binary viruses which are read/invoked by different image readers or the libraries that render them. From my perspective, looking into web application security, I had an idea. Many websites and applications nowadays look into the picture’s EXIF […]


CMS Hacking, Risks and Trends.

Yesterday, I presented in Imperva’s monthly webinar (my employer and source of joy) the results of a trend analysis that I recently completed, which includes the research results in detail. We explored the trends of CMS adoption in the market, a threat analysis of hackers’ trends with 3rd party code/software and CMSs specifically, and […]


The thing with 0-day Java Vulnerabilities is…

A few days ago, KrebsOnSecurity published a very well written article discussing a new 0-day Java vulnerability and its effect on the Bit9 hack. Now let’s be honest – Java vulnerabilities are the hottest thing in security news right now. If a week goes by without a new 0-day, someone is slipping or sleeping. I […]


Tomcat Enumerator (for MSF)


The Tomcat Enumerator for Metasploit Framework. I gave myself a speed-coding challenge. I have to introduce fun into coding or I will never do it, so I wanted to create something for the community that will allow fast enumeration of a Tomcat application server via the Metasploit Framework. I set myself 2 hours this time, […]


Database Enumeration Module (for MSF)


Introducing enum_db for Metasploit Framework. Alright, so over the weekend I had time to convert some of my old scripts into Ruby, because you have to keep your mind sharp in some way or another… when it occurred to me that I haven’t contributed to any open source project in a long, long, looooooooong time. So with the […]


AppDoS Defined

This morning, an outline article defining AppDoS that I wrote was published on Imperva’s blog; have a read, would you? Link here. The article explores the differences between classic Denial of Service and Application-Oriented Denial of Service in a simplified manner.


LinkedIn’s No-CSO and my Personal Data.

The one thing that kept me thinking on a flight the other day was the latest news about LinkedIn’s 6.5 million password breach, and the follow-up lawsuit against it for violating its own privacy user agreement ensuring the security of one’s identity. And not specifically the story itself, but some of the aftermath that came […]

Virtual Gold and Bot Threats

For the past couple of weeks, I have been away visiting family in a country far, far away, with an excellent internet connection and boring midnight hours, when I decided to play some games to help myself go to sleep. Now, since this was quite an interest for me, I started looking in different sources […]


Some Hulk Afterthoughts

It was great to see how much attention the Hulk tool got over a short period of time, and it was even considered malware by some folks who didn’t read the fine print of the “educational experiment” labeling. I got tons of questions and improvement suggestions, while some missed the main idea behind this: it’s not meant to avoid a […]


HULK, Web Server DoS Tool

Introducing HULK (Http Unbearable Load King). In my line of work, I get to see tons of different nifty hacking tools and traffic generation tools that are meant to either break into and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service. […]

