Archive for September, 2006

JSEScanner – JavaScript Port Scanner

Update: Removed JavaScript Example
Update: Removed tables due to cross browser issues.

JavaScript External File Scanner (JSEScanner)
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org

JSEScanner is a simple idea:
1. Use <script src=""> to request a JavaScript file.
2. Use typeof to verify its existence.
3. Use result in fingerprint.

This technique can be used to enumerate internal web servers and/or applications via a client's browser. It [...]


Log 1.0 – Lost outside

A shiver ran down my spine as Cole’s shadow faded back into the compound.

“Okay, this could be worse,” I muttered. Standing quickly, determined to find an exit, I began my mission of circling the building. I put my left arm out with my fingers extended, so that my fingertips brushed along the side of the [...]


ASP Auditor Updated (v2.1B)

ASP Auditor v2.1B is now available. Changelog below:

Changelog:
–v2.1– 25/Sep/06
* GET /Trace.axd often leaks ASP.NET version when other methods fail. AA now catches the ADN Version if it is available.
* Fixed “?” bug in JavaScript Validate test
* Added Version into usage()

–v2.0– 16/Sep/06
* Version plugin [...]


OWASP Top 10 – Room for Improvement

“The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.” – quote from OWASP Top Ten.

I did a brief search on Google and did not see any obvious objections or flames with regard to the OWASP Top Ten. The industry as a whole seems to be adopting [...]


Targeted Web Attacks

Targeted Web Attacks
Part 2 of Social Networks the New Fingerd
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org

1. Introduction

I recently released an article titled, “Social networks the New FingerD”. This article gave an example of using LinkedIn in passive username enumeration attacks. This article will discuss using search engines and OpenPGP key servers as additional enumeration resources. None of these ideas are [...]