security (16)


Anonymous web server

If you had a mind to run an anonymous web server, then I2P is worth a look. It offers a lot more besides, covering anonymous web browsing, web hosting, chat, file sharing, e-mail, blogging and content syndication, and newsgroups, as well as several other applications under development.

  • Web browsing: using any existing browser that supports using a proxy.
  • Chat: IRC, Jabber, I2P-Messenger.
  • File sharing: I2PSnark, Robert, iMule, I2Phex, PyBit, I2P-bt and others.
  • E-mail: susimail and I2P-Bote.
  • Blog: using e.g. the pebble plugin or the distributed blogging software Syndie.
  • Distributed Data Store: Save your data redundantly in the Tahoe-LAFS cloud over I2P.
  • Newsgroups: using any newsgroup reader that supports using a proxy.

Once installed on your PC for testing, you just have to put your files under ~/.i2p/eepsite/docroot/ (Linux) or %APPDATA%\I2P\eepsite\docroot (Windows) and they will be reachable by others once you follow the instructions on the Help page (click Help from the control panel once you have installed and started I2P). Note that the site is only reachable while your router and its eepsite tunnel are running.




SQL Injection Tools – SQLmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Video: http://www.youtube.com/watch?v=qGxR7kSL9bM
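To see what sqlmap's detection engine is actually doing under the hood, here is an added example (not code from the post or from sqlmap itself) against a constructed in-memory SQLite database: a query that concatenates user input, the boolean-based blind probe that tells an injectable parameter from a safe one, a UNION-based fetch of the kind behind a table dump, and the parameterised form of the same query that the probe cannot distinguish. The file-system and OS-command stages sqlmap offers are not modelled here; SQLite has no equivalent.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw sqlmap looks for: untrusted input concatenated into SQL."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def boolean_probe(query_fn, conn, base_value):
    """Boolean-based blind detection, in the style of sqlmap's detection
    engine: append an always-true and an always-false predicate to the same
    base value and compare the two responses. A difference means the database
    evaluated the predicate, i.e. the parameter is injectable."""
    true_response = query_fn(conn, f"{base_value} AND 1=1")
    false_response = query_fn(conn, f"{base_value} AND 1=2")
    return true_response != false_response


def union_dump(conn):
    """UNION-based data fetch against the vulnerable query, the technique
    behind a table dump: the injected SELECT pulls every row out through the
    single column the page already displays."""
    payload = "1 UNION SELECT name || ':' || is_admin FROM users"
    return lookup_vulnerable(conn, payload)


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_probe(lookup_vulnerable, db, "1"))
    print("parameterised query injectable:", boolean_probe(lookup_safe, db, "1"))
    print("dumped via UNION:", union_dump(db))
```

The parameterised query returns nothing for both probes because the whole string "1 AND 1=1" is bound as a value and compared to the integer column, so the probe sees identical responses and reports it as not injectable; this is the same signal sqlmap relies on when it tells you a parameter "does not seem to be injectable".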




VS2010 – Automated Testing Cookie Management

One of the values of automated testing is being able to run a set of tests as part of a suite or load test. However, if you have sensibly built in some good protection using MVC anti-forgery or SAML tokens, then there is a strong possibility that tests will fail because the security functionality rejects requests from tests that run too rapidly, or that do not carry the cookie and token the page issued.
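The failure mode is easier to reason about with a model of the anti-forgery pattern in front of you. The following is an added example, not code from the post or from ASP.NET: a toy server that issues a random cookie token plus a hidden form field bound to it by HMAC (the key name, token name and secret are assumptions for the demo), then three test clients. The first posts with no cookie jar and no prior GET, the second does what a correct harness does, and the third mixes a cookie from one session with a form token from another, which is what happens when parallel test threads share one cached token.

```python
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

# Assumption: a per-application secret. In ASP.NET this role is played by the
# machineKey; the value here is constructed for the example.
SERVER_KEY = b"constructed-demo-key"
TOKEN_NAME = "__RequestVerificationToken"


class AntiForgeryServer:
    """Toy model of the MVC anti-forgery pattern, not the ASP.NET
    implementation: a random token goes into a cookie, and a hidden form field
    carries an HMAC of that cookie value. A POST is accepted only when both are
    present and the field matches the cookie it was issued with."""

    def render_form(self):
        cookie_token = secrets.token_hex(16)
        form_token = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
        headers = {"Set-Cookie": f"{TOKEN_NAME}={cookie_token}"}
        body = (f'<form method="post">'
                f'<input type="hidden" name="{TOKEN_NAME}" value="{form_token}"/>'
                f'<input type="text" name="comment"/></form>')
        return headers, body

    def post(self, cookies, form):
        cookie_token = cookies.get(TOKEN_NAME)
        form_token = form.get(TOKEN_NAME)
        if not cookie_token or not form_token:
            return 400, "anti-forgery token missing"
        expected = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, form_token):
            return 400, "anti-forgery token mismatch"
        return 200, "ok"


class HiddenFieldParser(HTMLParser):
    """Collects hidden inputs, which is what a test client must do instead of
    hard-coding a token it saw once."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a["value"]


def _session(server):
    """One GET of the form: returns the cookie jar and the hidden fields."""
    headers, body = server.render_form()
    name, value = headers["Set-Cookie"].split("=", 1)
    parser = HiddenFieldParser()
    parser.feed(body)
    return {name: value}, parser.fields


def naive_client(server):
    """Posts straight away with no cookie jar and no prior GET, as a hastily
    written load test does. The server rejects it and the test 'fails'."""
    status, _ = server.post(cookies={}, form={"comment": "hi"})
    return status


def stateful_client(server):
    """GETs the form, keeps the cookie, copies the hidden field into the POST."""
    cookies, hidden = _session(server)
    status, _ = server.post(cookies, {"comment": "hi", **hidden})
    return status


def mixed_session_client(server):
    """Cookie from one GET, form token from another: several test threads
    sharing one cached token. Rejected as a mismatch."""
    cookies_a, _ = _session(server)
    _, hidden_b = _session(server)
    status, _ = server.post(cookies_a, {"comment": "hi", **hidden_b})
    return status
```

In a .NET suite the equivalent of stateful_client is a per-test HttpClient with its own CookieContainer and a GET of the form before every POST; the token is bound to that cookie, so a single token captured once and replayed across threads behaves like mixed_session_client.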




C# Security Testing

White-box testing is testing the system from the internal perspective of the system, with access to its source code. When that testing is done on the source without executing it, it is known as static analysis. Static analysis tools can find issues with the source code before the code is actually run, so they fit naturally into the build rather than a deployed environment.




Zed Attack Proxy (ZAP) – The short guide

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

  1. Download Zed Attack Proxy (ZAP), and install
  2. Run Zed Attack Proxy (ZAP)
  3. Go to Tools -> Options -> Connections, and set proxy settings to match your browser proxy settings (and proxy exclusions)
  4. Go to Tools -> Options -> Local proxy and enter localhost (port: 85),
  5. In your browser of choice, set proxy in LAN settings to localhost (port: 85), and clear the proxy exclusions list.
  6. Access a test site URL to verify settings all applied correctly (the Zed Attack Proxy “Sites” window should populate with all URLs visited)
  7. If the site requires Authentication, go to Tools -> Options -> Authentication, and add details in the table.
  8. Run Active Scan on root URL (Click Active Scan tab, and select URL from dropdown if not already selected).
  9. Click Report -> Generate HTML report, to view issues found.
  10. Run the Spider, which will pick up 404 errors and missing URL references, and help you identify redundant file calls. Spidering before the active scan also gives the scanner a fuller list of URLs to attack.