Burp Suite from Portswigger.net is a fantastic web app testing tool that we use regularly at Secure Ideas. Though Burp is very popular in the security industry, there are a lot of features that often get overlooked. One of these features is the “Compare Site Maps” feature. This wizard-based function compares two different site maps of a …
Comparing Authorization Levels with Burp’s Compare Site Map featureRead More »
In July, my daughter, Brenna (11yo) and I presented at the SANS Denver event. She has long wanted to present with me and we both thought this talk was the perfect one to do. In it, we walk through the various privacy concerns mobile applications and devices have. We do this by looking at the …
My Crayons Didn’t Upload My Pictures to the InternetRead More »
I’m extremely excited to announce that I will be speaking at MIRcon2013 on ModSecurity! The presentation’s goal is to help systems administrators, incident responders, and security analysts better manage and run an installation of ModSecurity. Here is the synopsis from the presentation. Any publicly available web server and site is under attack on a regular …
Analyzing Web App Attacks Using ModSecurity at MIRcon 2013Read More »
Secure Ideas recently made the decision to create custom machines that we could use for penetration testing engagements. These machines, called SIAMs, are the Secure Ideas Attack Machines. The machines are custom configured with many different tools that we use during penetration tests and also some of the more common distributions such as Kali Linux, …
This past February, my fellow colleague James Jardine wrote an excellent blog post called “Decoding F5 Cookie” where he described in detail how F5 load balancers use a persistence cookie (called the BigIP cookie) and how to use a standalone script to decode the value exposing the IP and port of a back end resource. …
Pass-the-Hash (PtH) attacks have become probably the most common form of credential attacks used in the hacking community. Especially in Microsoft Windows environments, PtH tools are so popular and easy to use, that many attackers no longer even bother to crack passwords anymore. Why waste the time when an administrator’s hash is just as convenient, …
The below video is an introduction to Burp Suite. This is the first of our videos that will teach people how to use Burp Suite and other tools the same way we do during our penetration tests. In this video we talk about the different tabs and functions available within the professional version of Burp …