You can’t go to a security conference nowadays and not hear at least 700 references to Sun Tzu and his writing, The Art of War. And how important and relevant that book is to the world of Information Security. But let’s not limit our focus to the InfoSec guys. Life coaches (whatever they are) are abusing… Continue reading Look too much into the Sun (Tzu) and you will be blinded
Category: Pentest
The revised and compressed OWASP Top 3 Web Application Vulnerabilities
I love Top 10s. They’re everywhere and about everything: Top 10 Fascinating Facts About Neanderthals, Top 10 Crazy Bridal Preparation Customs, Top 10 Alleged Battles Between Humans And Aliens, etc. But my question was always: why 10? Why not 11? Or 9. Or whatever else? I guess 10 sounds more important than 11 or 9. It’s the decimal system, 10… Continue reading The revised and compressed OWASP Top 3 Web Application Vulnerabilities
http vs https performance
A while ago I had a huge argument with a development team regarding the usage of https. Their major concern was that the impact on performance would be so big that their servers wouldn’t be able to handle the load. Their approach was to use https just for the login sequence and plain text communication… Continue reading http vs https performance
Does it pay to be a BlackHat hacker?
Dan VASILE @DefCamp Bucharest 2013
Bug Bounty Programs
Building an InfoSec RedTeam
Building an InfoSec RedTeam from Dan Catalin VASILE
OWASP Romania
If you are an English speaker, well, this is a post announcing and promoting the Romanian Chapter of OWASP. You can join your local chapter or the global effort of OWASP to improve information security. ### OWASP (The Open Web Application Security Project) are acum deschisa o organizatie locala si in Romania. Suntem in cautare de noi… Continue reading OWASP Romania
Techniques to play with custom and encrypted protocols
An interesting presentation from DEFCON20 provided by Elie Bursztein and Patrik Samy called “Fuzzing Online Games” touches areas of application security where traffic analysis is not enough to perform a penetration test. As stated by the authors: “In a nutshell the lack of direct access to the game server and having to deal with clients… Continue reading Techniques to play with custom and encrypted protocols
Check if an email address is valid – the telnet way
You can use telnet to check if an email is valid. You can actually send emails via telnet, but we’ll stick to checking for now. Remember that this is not a string validation but a complete check with the mail server if the user is valid. For this example we will use [email protected].
Attacking the lottery
This is purely a theoretical attack on a lottery system. No magic combinations or generators, no syndicates or reading the stars, just a plain attack on the system. First of all, there are some perquisites. One will need an insider or more in order to carry out the attack, but this should not be a… Continue reading Attacking the lottery