Often in a pentest or CTF, using Burp Repeater/Intruder is not enough to test certain vulnerabilities (second-order SQL injection, padding oracle, etc.). The most flexible method is always to build a small script that reproduces the original request(s) and adds what is specific to the problem.
Thursday, December 5, 2013
Sunday, November 3, 2013
Zed Attack Proxy development tips
Following the previous post about the ZAP plugin, I will now present a few tips I came across while extending the tool.
Saturday, November 2, 2013
JavaScript static analysis meets your HTTP proxy
I recently used Zed Attack Proxy (ZAP) for the first time. While using the tool, I noticed that ZAP had passive scanning capabilities. With a few examples (the built-in passive rules), I started to build a plugin that scans JavaScript for both ZAP and Burp Pro.
Thursday, August 22, 2013
ESAPI : When authenticated encryption goes wrong (CVE-2013-5960 / CVE-2013-5979)
(Note: This post was reverted to draft until 3 September to avoid unnecessary pressure on the ESAPI developers.)
ESAPI is an OWASP community project with a fairly wide scope: it includes functionality for authentication, validation, encoding/escaping, cryptography, etc.
I had to analyze the use of the ESAPI cryptography component for my organisation. This post will detail the discovery of a vulnerability in the symmetric encryption API. Keep in mind that the observations refer to the Java implementation specifically.