background preloader

Pentest

Facebook Twitter

Hackazon – Un site à installer en local pour vous former au pentest « Si vous voulez vous faire la main en pentest, voici Hackazon, un site de test gratuit à télécharger et à installer sur votre machine.

Hackazon – Un site à installer en local pour vous former au pentest «

Ce site, proposé par Rapid7, utilise des technos web actuelles (JSON, XML, GwT, AMF, AJAX, API REST…etc.) et contient des vulnérabilités de type injection SQL, XSS, CSRF…etc. qu’il vous faudra débusquer. Génial si vous voulez vous mettre au bug bounty mais que vous voulez vous entrainer un peu avant. Notez que vous pouvez configurer le site pour spécifier le périmètre des failles à tester. Sandcat Browser - Le navigateur spécial pentests. Sandcat Browser – Le navigateur spécial pentests Si vous faites un peu de pentest de sites et que vous souhaitez vous améliorer un peu la vie, il existe un navigateur basé sur Chromium baptisé Sandcat qui est dédié entièrement à cette activité.

Sandcat Browser - Le navigateur spécial pentests

Sandcat intègre un outil de visualisation, de filtrage et de modifications en live des requêtes HTTP, un visualisateur de Cookies, une extension pour exécuter facilement du JavaScript local, une console Ruby, un bouton TOR, un éditeur de XHR (XMLHttpRequest) et surtout un moteur Lua qui permet de lancer vos propres scripts développés dans ce langage. Sur le site de Sandcat, vous trouverez la doc mais aussi des bibliothèques et des packs d'extensions supplémentaires en Lua à importer comme QuickInject Toolkit qui permet de faire mumuse avec des injections SQL, RFI, XSS...etc. Notez qu'en plus d'être sous licence BSD, Sandcat (qui je le rappelle utilise Chromium) a été nettoyé de tous les trackers de Google. Vous pouvez télécharger SandCat ici.

Rapid7/hackazon: A modern vulnerable web app. Burp Suite Scanner. OWASP Zed Attack Proxy Project (ZAP) OWASP Zed Attack Proxy Project. Involvement in the development of ZAP is actively encouraged!

OWASP Zed Attack Proxy Project

You do not have to be a security expert in order to contribute. Some of the ways you can help: Feature Requests Please raise new feature requests as enhancement requests here: If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly. Feedback Please use the zaproxy-users Google Group for feedback: What do like? Log issues Have you had a problem using ZAP? If so and its not already been logged then please report it Localization Are you fluent in another language? Sqlmap: automatic SQL injection and database takeover tool. Kgretzky/evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

We Speak Your Language - WhiteSource. Open Source Security - Find, Fix and Automate. Due to the extensive amount of data held by the open source community, and because of open source’s decentralized nature with vulnerability data spread out across multiple databases and security advisories, it is a nearly impossible mission to manually manage all aspects of open source security at scale.

Open Source Security - Find, Fix and Automate

Only an automated solution can ensure secure open source usage. Enforce Policies Automatically Throughout the SDLC WhiteSource enables you to automatically enforce your security, quality and license compliance policies to block vulnerable or problematic components and get full control over your open source usage. Setting up automated policies can reduce the number of new components you must manually review by 75-90%, thereby speeding up you software development process and freeing your developers to focus on building great products.

Shift Left & Shift Right Your Open Source Security To properly tackle open source security, you must combine shift left and shift right methodologies. Open Source Security - Find, Fix and Automate. Is your website vulnerable to hacks? ™ - La société de Cyber Exposure. Penetration Testing Tools. Root@kali:~# nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host 192.168.0.102 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.0.102 + Target Hostname: 192.168.0.102 + Target Port: 80 + Start Time: 2018-03-23 10:49:04 (GMT0) --------------------------------------------------------------------------- + Server: Apache/2.2.22 (Ubuntu) + Server leaks inodes via ETags, header found with file /, inode: 287, size: 11832, mtime: Fri Feb 2 15:27:56 2018 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined.

Penetration Testing Tools

Vectra Networks - Exclusive Networks - France. Vectra - AI-driven threat detection and response platform. Kali Linux - Website Penetration Testing - Tutorialspoint. Advertisements In this chapter, we will learn about website penetration testing offered by Kali Linux.

Kali Linux - Website Penetration Testing - Tutorialspoint

Vega Usage Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Step 1 − To open Vega go to Applications → 03-Web Application Analysis → Vega Step 2 − If you don’t see an application in the path, type the following command. Step 3 − To start a scan, click “+” sign. Step 4 − Enter the webpage URL that will be scanned.

Step 5 − Check all the boxes of the modules you want to be controlled. Step 6 − Click “Next” again in the following screenshot. Step 7 − Click “Finish”. Step 8 − If the following table pops up, click “Yes”. w3af. Mozilla Observatory.