Saturday, January 28, 2006

Releasing wschess 1.5

The following changes are included:

+ A few bugs are fixed.
+ wspawn now queries Xmethods. UBRs are closed for Microsoft, IBM, etc.
+ wsknight has an analysis engine in place. You can supply regex patterns and wsaudit will detect them. It will change the color of the text. A sample rule file is included.

Get it

Thursday, January 26, 2006

Saturday, January 14, 2006

Advanced Web Hacking - Attacks & Defense (Upcoming talk)

Abstract:

Attacks on the web application layer are on the rise, and innovative methodologies, attack vectors and exploits are coming into existence. To combat these threats it is imperative to understand their nature, characteristics and risk to the application layer. Some of the new attack vectors are XPATH injection, LDAP poisoning and advanced SQL injection. These vectors are getting popular with XML-based web applications. At the same time, new methodologies for web application footprinting and discovery are coming into existence with the rich search engine information provided by Google & MSN. These methodologies are important tools for web security professionals. Open source exploit frameworks like Metasploit can be used effectively by penetration testers for web application exploit development. This presentation will encompass new methodologies, tools and techniques on both aspects: attacks & defense.

Thursday, January 12, 2006

Hacking Web Services: Strategies, Tools, and Methods (Upcoming talk)



Date: Tuesday, 4 April 2006
Time: 3:30pm - 5pm
Track: E-Security



Objectives:
1.) Web services as a new area of attack in the Web application domain
2.) A live demo of a Web services assessment methodology
3.) Understanding the Web protocols UDDI, SOAP and WSDL - the latest means of Web services attacks
4.) Leveraging content filtering and secure coding for Web services
5.) Implementing tools and creating your own tool on the fly while performing your work on Web services, e.g. wsChess

Hacking and Securing .NET (Upcoming talk)



Date: Tuesday, 4 April 2006
Time: 8:30am - 10:45am
Track: Platform Security



Objectives:
1.) Understanding the evolution of Web applications from CGI scripts to .NET apps and the security concerns along the way
2.) .NET Web application hacking methodology and the tools required to perform a thorough assessment
3.) .NET and IIS metabase querying and auditing for overall secure deployment of Web applications on the framework
4.) HTTP stack intercept on .NET and leveraging it for application security
5.) Building your own HTTPModule and interface to perform content filtering for Web applications

Wednesday, January 11, 2006

MSNPawn - New tool is coded up.

MSNPawn has been designed and developed on the .NET Framework, which must be installed on the system. The following utilities have been bundled with MSNPawn.

MSNHostFP - Supply an IP address or IP address range to fetch all possible virtual hosts or applications running on each IP address.

MSNDomainFP - Supply a domain name to fetch the top 50 child domains, considering the supplied domain name as parent.

MSNCrossDomainFP - Supply an application domain to fetch the top 50 domains pointing to this particular domain on the Internet.

MSNCrawler - Supply a domain or application name to fetch all possible links crawled by the search engine.

MSNFetch - Supply a domain and rules file. The tool will run each rule in the file against the domain specified and fetch the first five results of the resultant query. This can help in assessing an application.

Search.MSN - Provides a place to run your search against MSN and gather all URLs.

A whitepaper is included for a better understanding of all these tools.

[Download]

[Download paper]