Archive for the ‘tools’ Category

playing with a backdoor

I played last night with a backdoor shell that I found on the net and will show you how this works and how you can find traces if you are the system administrator.

I used 2 vm’s (virtual machines), both based on Debian/Linux one called “victim” it simulates the cracked server where the backdoor runs and the other box called “hacky” where the bad guy is sitting in front :)

The first step of the bad guy is to start a server that listens on some port (12345) on his box, a good program for this is netcat, the command could be something like: netcat -l -p 12345

Continue reading

hide your JavaScript

If there is a reason why you don’t want humans to read your JavaScript code, you can use the packer from
http://dean.edwards.name/packer/ to obfuscated it (online).

The packer compress the code to one line, deletes all comments and has the option to encode it with Base62. You can put the generated code in your code, it should work with any browser.
You must correctly terminate all JavaScript statements with semi-colons.

Here an example script and the output from the packer:
Continue reading

Spam protection with Akismet

Akismet, or Automattic Kismet, is a text spam filtering service created by Automattic, the corporation which employs most of the main developers of WordPress.

When a new comment is posted on your site, Akismet webs service catches the comment and tests whether a comment is valued as “spam” or “not spam”. Continue reading

Automated testing with Selenium IDE

Automated testing is an extremely useful bug-killing tool for the modern Web developer and a lot of vulnerability in fact are based on bugs.
With Selenium IDE, a free Firefox extension, you can easily record your clicks and inputs in the browser, set tests and replay the records. If a test failed you get a feedback.

I’ll show you an example, to make the power of Selenium clearer.
Continue reading

Stop Spam with reCAPTCHA

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) can protect you and your users from spammers and crackers.
Broadly spoken, user don’t like this ugly looking pictures and I saw a lot of false implemented code or very easy to crack. To see some examples which CAPTCHAs can be broken you should check out http://sam.zoy.org/pwntcha/

An easy to implement, free and I guess secure service can be found on recaptcha.org and you help by digitizing books.

Continue reading

Pixy: XSS and SQLI Scanner for PHP Programs

Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.

http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php