If you have Firebug installed you will be able to use Technika bookmarklet constructing features. You can use the Firebug console to test the bookmarklet and make sure that it is working. When you are happy with your code you can easily convert it to a bookmarklet by accessing the Technika menu and selecting Build Bookmarklet.You will be asked to select the folder where you want the bookmarklet to be stored.Type the bookmarklet name and press the OK button. If later you want to modify your bookmarklet, you can select the Technika menu and choose the Load Bookmarklet option. Another useful feature of Technika is that you can set your autorunable bookmarklets on different levels and define the order of their execution.This mechanism is very similar to initrd booting mechanism on Unix/Linux. For example, if you want to develop a framework that consists of several bookmarklets, you may need to load the core libraries before the actual user scripts.

Screenshot :

Scan your own page now , here :

http://www.seoegghead.com/tools/scan-for-html-injection.php

The modern browser is designed for speed and efficiency, which means Web application security assessment is a painful task, because probing a Web application requires in-depth analysis. Generally, to test an application, you want to slow down the transmission of data to and from the server to a snail’s pace so you can read and modify the transmitted data; hence the proxy.

In the early days of security, proxies were capable of slowing down the connection in only the outbound direction and as such, a user could only alter the information being transferred to the server; however, that’s only part of the equation when analyzing a Web application. Sometimes it greatly behooves you to be able to modify the incoming data. For example, you might want to modify a cookie so that it doesn’t use HttpOnly, or remove a JavaScript function. Sometimes you just want a bidirectional microscopic view into every request your browser is making. And then there was Burp Proxy.

Burp Proxy is part of a suite of Java tools called Burp Suite that allow for Web application penetration, but for the purposes of this book only one function is particularly useful, and that’s the proxy.To get started, you need the Java run time environment installed, which you can get from Java.com’s Web site. Once that is installed you modify your proxy settings in your browser to use localhost or 127.0.0.1 at port 8080.

Once this is done, you can launch Burp Proxy, which will show you a blank screen.The Intercept and Options windows are the most important ones that we will be focusing on.First let’s configure Burp Proxy to watch both inbound and outbound requests. Under “Options” uncheck resource type restrictions, turn on interception of Server Responses, and uncheck “text” as a content type.This will show you all of the data to and from every server you connect to.

Once this has been configured, you should be able to surf and see any data being transferred to and from the host.This will allow you to both detect the data in transit and modify it as you see fit. Of course any data you modify that is sent to your browser affects you and you alone, however, if it can turn off JavaScript client side protection this can be used to do other nefarious things, like persistent XSS, which would normally not be allowed due to the client side protections in place. Also, in the days of Asynchronous JavaScript and XML (AJAX), this tool can be incredibly powerful to detect and modify data in transit in both directions, while turning off any protection put in place by the client to avoid modification by the browser.

This can also help remove lots of information that would otherwise leak to the target,including cookies, referrers, or other things that are either unnecessary or slow down the exploitation. Another useful feature is the ability to switch into hex mode.This is particularly useful when you are viewing pages in alternate encoding methods, like US-ASCII or UTF-16.

Burp proxy is by far one of the most useful Web application security tools in any manual security assessment. Not only does it help uncover the obvious stuff, but it’s possible to write custom rules if you know what you are looking for. For instance, if you wanted to find only XML files for debugging AJAX applications, a Burp proxy rule can be created to capture just this information.

Ultimately, Burp is only one tool amongst a wide array of others that do parts of what Burp does as well or better, but nothing works in quite the same way or with quite the same power as Burp Suite. Burp Proxy is not for the faint of heart, but once you get accustomed to it, it is a great learning tool for understanding how Hypertext Transfer Protocol (HTTP) actually works under the hood.

People who have been associated with computers for long know about web hosting and the importance of dedicated servers for any domain registration.

Download URL : http://portswigger.net/proxy/

More reviews can be found on thespanner.co.uk , xssworm.blogvis.com , ha.ckers.org .

Wordpress vulnerabilities issue has become really big nowadays. A lot of wordpress blog has been hacked , due to the use of exploitable wordpress plugins. In my past article about wp-scanner , i’ve already explained the ease to maintain the security of your wordpress blog. But apparently , wp-scanner ’s not enough to secure your wordpress. Then , How to Secure Your Wordpress blog ? Wordpress Security Whitepaper is a good start to read on. It explains mostly needs required to secure your wordpress blog. The ease to secure your wordpress blog , now aslo brought to you as Plugins , Which are :

- WPIDS (Wordpress Intrusion Detection System) : This Plugin can be downloaded here , and a full review of WPIDS can be read on TheCredence’s blog and also here. WPIDS ’s purpose is to protect your blog from any WebAttack. All request to your blog will be logged to the database for analysis. WPIDS is aslo featured with Email Notification for the high impact intrusion. WPIDS will also notify you for the latest filter rules available.

- INSPECTOR WORDPRESS PLUGIN : This plugin’s purpose is to log all attempt to your blog which is considered to be hack attempts. Well , there’s nothing much i can tell about this plugin . You’d better read the full review of this plugin here.

The other 10 security realated plugins review can be read here and . Some other tips to protect the wordpress admin directory can be read on askapache’s plugin review. The other useful security tips to harden your wordpress blog can be read on quickonlinetips’s blog.

Screenshot :

It must be pains in the ass when your blog gets hacked repeatedly without knowing the vulnerabilities on your own wordpress blog . I’ve found something interesting here , called wp-scanner . It works this simple :

• install the wp-scanner plugin , activate it.
• Launch Online Wp scanner here.
• After finished scanning , please disable the plugin to prevent someone else scans your wordpress blog.

More details instructions can be officialy found here.

- Technika Security Framework

I found this (unreleased) plugin when i was visiting GNUCITIZEN , and this firefox plugin is created by David Kierznowski , a senior Security Analyst in UK (he’s also the owner of michaeldaw.org). Some kewl features offered by this plugin are:

• tech.dspider – DOM link spider.
• tech.forms – GET/POST form parser.
• tech.mutate – By specifying a payload and regex, we can mutate our target arrays and build tests.
• tech.scan – tech.scan is our actual engine that will handle our GET and POST requests.
• tech.mNikto – Mini-Nikto . We called it mini-nikto as it currently only contains a very small database.
• tech.g – This is one of my favorite tools in the TS framework. It uses the Google AJAX API (JSON) to fetch links and perform other Google hacking queries outside of our current DOM. This is really useful even when it is not security related.
• tech.store – Utilizes the Firefox sessionStorage to allow us to persistently store arrays.

Well , i really don’t have any idea about this plugin actually (coz’ i haven’t tried it out ) . Details can be found here.

- HackBar 1.1.1
HackBar 1.1.1 is Mozilla Firefox plugin created to assist you to do penetration testings against SQL INJECTION and XSS . I’ve tried this plugin by myself , and it’s strongly recommended. Some kewl features of this plugin :

• MySql CHAR() converter
• MsSQL CHAR() converter
• md5 generator
• URL SPLITTER
• BASE64 ENCODE
• BASE64 DECIDE
• URL ENCODE
• URL DECODE

Go try this plugin by yourself , and you’ll find the ease of sql injection / xss pentests . Download Here now! .

usage :

python SQLscan.py -g inurl:’.gov’ 200 -s ‘/index.php?offset=-1/**/UNION/**/SELECT/**/1,2,concat(password)/**/FROM/**/TABLE/*’ -write sql_found.txt -v

It will scan for any site that contains ‘.gov’ in its URLs , and then they’ll be checked by inject a SQL Injection String (you could modify the strings as creative as you can be) , and make sure that your box is installed with python 1st . Writing ccda and mcitp becomes much easier for an mcts if he consults testking material.

To download the script , i’ve made a mirror of it , which is located here :

http://4r13-is-a.lamer.la/scrapts/SQLscan.py

features :

• Code Inclusions
• Code Executions
• SQL-Injections
• Cross Site Scripting
• and more

Before you see the video , you might read this as well. And here is the demo video :

[display_podcast]

or just download here.