"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers."
For those who are learning web application security testing (or just trying to stay sharp) it's often difficult to find quality websites to test one's skills. There are a few scattered around the Internet (see the link in the notes section below) but it would be nice to have a solid collection of test sites all in one place.
When conducting a pen-test, the process typically starts with the reconnaissance phase, the process of gathering information about your target(s) system, organization or person.
Today, we want to present a tool that can be added to your reconnaissance toolkit.
Welcome to the Penetration Testing Execution Standard homepage. This will be the ultimate home for the penetration testing execution standard.
If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest trying out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them.
While there is a ton of great data within the GSR 2011 report, for this blog post, I wanted to focus a bit of attention on the web application sections of the report.
"Wouldn’t it be fantastic to be invisible for a day? Walk straight into a bank vault in the morning, be a fly on the wall in the Oval Office for lunch, and spend an evening in your favorite movie star’s house. Well, now you can – with Metasploit!"
"One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your neighbors network is “frowned upon”, and hanging out in a Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow.
So what do I do? Build a test environment."
"We have done many Lists before this post. To name a few – List of FREE VPN Providers!, List of Cell Phone Forensic tools! and List of TOP LiveCD’s for Penetration Testers!. But, nothing like the one we are doing today."
"Yesterday I made a tweet stating that pen testing and pen testers are obsolete. Here's what I mean by that.
Originally, pen testing was a simulation of what real attackers would do. Then it became more about validating vuln scan/assessment results. Now it's essentially about compliance check boxing. (PCI)"
"The end result was that WAFs do have value when used properly, and may provide value beyond pure security, but aren't a panacea. Since you could say that about the value of a gerbil for defending against APT too, here's a little more detail..."