Posts

Code review to find vulnerabilities in web applications

Perform source code review to find vulnerabilities in web applications.

Reviewing code is probably the best way to find vulnerabilities in a web application. It’s a lot faster than black-box testing, and it helps you learn how to program safely in the future by observing the mistakes of others. If you are interested in open-source software, auditing code is also a great way to get involved in the open-source community and help secure the tools you love. Here are a few tricks I’ve learned along the way to audit source code more effectively. Let me know if you have any additional tips for conducting source code reviews.

How to look for bugs

There are several ways to go about hunting for vulnerabilities in source code. Depending on how thorough you want to be, here are some approaches that you could take.

The “I’ll take what I can get”

The “I’ll take what I can get” approach works great if you don’t need extensive test coverage. This could be because you have very limited

SecLists is the security tester's companion.

About SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed. This project is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.

Install

Zip

    wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
      && unzip SecList.zip \
      && rm -f SecList.zip

Git (Small)

    git clone --depth 1 https://github.com/danielmiessler/SecLists.git

Git (Complete)

    git clone https://github.com/danielmiessler/SecLists.git

Kali Linux (Tool Page)

    apt -y install seclists

Similar Projects

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing https://github.

How to Use OWASP Amass: An Extensive Tutorial

Author: Nick Gkogkos
Source: dionach.com

The OWASP Amass project (Amass) can help with this to a large extent depending on your requirements. In this blog post, I will aim to demonstrate how one can use Amass to discover the majority of an organisation’s externally exposed assets. The focus will be on performing continuous subdomain discovery exercises. I have broken this blog post into different sections to make it easier to get to grips with the various functions of Amass. It should be noted that there may be assets out there that are not mapped to a domain, and you will need to employ other techniques to uncover them, such as running network scans over the IP ranges owned by the organisation. Although I will not fully demonstrate how to use all the functions offered by Amass, I am hoping that this blog will cover enough to give you a kick-start in mastering Amass.

Why OWASP Amass?

A high number of open-source tools and software are available for enumerating subdomains, A