a4apphack

Today I received a mail from the sender ‘India Tax Departament’ that I am yet to receive the tax refund amount. Since I received this in my gmail id, the images weren’t displayed by default. The first this I did was to check the sender email id and it was from ‘wnrlky@aol.com‘. I can assume that this id has been long used for phishing attacks (the id resembles ‘winnerlucky’).

India Income Tax Phishing Mail

Then I enabled the images to check whether he had embedded any government emblems. But to my surprise it was written ‘Australian Government’ . May be this was not targeted to Indians first. After understanding that this is a fraud mail, I wanted to read the entire mail and find out the URL under interest.

Web AppSec Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases. This helps you to organize the flow of your testing process and also to ensure that none of the test cases are missed out.

WebApp Sec Checklist

This checklist is completely based on OWASP Testing Guide v 3. The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application and web service security issues.

Odosketch is an online sketchpad and does not have too many things which clutters your work area. But you have enough to create a mindblowing work of art.

Using Odosketch cant be easier. Just select the crayon type and color you want and start sketching. Once done, it can be saved and shared with other odosketch artists. The saved sketch can be retrieved from our profile later on for further enhancement.

Mozilla Firefox considerably a fast browser but the more we use it the more slower it will become, this includes a great reduction in the start time. The reason is fragmentation of profile databases. A free tool SpeedyFox is designed specially to resolve that problem.

Using Speedyfox is easy.

1. Download SpeedyFox
2. Run the program and click on ‘Speed Up My Firefox’ button, thats it!

TIP! : For Portable Firefox Users

1. Choose Custom from the Profile dropdown.
2. Browse to ‘PortableFirefox\Data\profiledir’ on your portable drive
3. Now Click on the ‘Speed Up My Firefox’ button

Download SpeedyFox :

Go To SpeedyFox Homepage

3D TraceRoute is an all-in-one networking tool which has traceroute, whois, ping, nslookup, server header analyser, portscanner, telnet client and hell lot of tools coupled together in a single package.

This is a free portable tool and can run on almost any Windows operating systems (Pro commercial version with enhanced is also available)

Here I’ve documented few of the main features of the free version of this tool; download and experiment with 3D traceroute to get the complete picture of it.

Note: This article is targeted for the readers who have basic understanding or experience with using various networking tools.

Google Gears provides enhanced interactive functionality for websites designed to use it: drag-and-drop, client-side database storage, and the ability to view and work with specially prepared websites when offline (not connected to the Internet).

Now-a-days most of the feature rich sites interact with the Gears installed in the PC and makes our browsing experience better. But what if we frequently switch our PCs and use portable version of Firefox! what if we dont have admin privileges in the PC we are currently working with? Gears Portable Addon can save our day.

In this part of SecFox series, detection of XSS vulnerabilities with FireFox is explained. Here, we talk about XSSMe addon which can be is used to automate the tests for XSS thereby saving our precious time.

“The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system” – Security Compass

In the previous post, Secfox Part 1, we had seen how to customize the environment in FireFox to get better ease of use and more workspace. Now its time to fill in the addons.

This post has two sections, the first explains how to obtain details of any website (Information Gathering) and the second deals with analysis and understanding of HTTP raw header information.

SecFox is nothing but a customized version of Firefox which is intended for performing web application security tests and audits. Using SecFox reduces time and effort we would have put if we had used any other browser along with tons of free + commercial tools used for testing the apps.

Firefox is an amazing browser whose features can be extended by installing addons or tweaking the browser itself. This feature of it is utilized to the max for building a powerful hacking/testing tool, SecFox.

This articles(split into sections) details the process of creating SecFox and also includes the usage of various security related firefox addons with relevant examples and screencasts.