Gündem →
December 15th, 2009 by admin
Security → ISO 27001 Bilgi Güvenliği Yönetim Sistemi
December 13th, 2009 by admin
Bilgi, kuruluşunuzun faaliyetleri ve belki devamı için büyük bir önem taşır. ISO/IEC 27001 Belgesi değerli bilgi varlıklarınızı yönetmenize ve korumanıza yardımcı olur. ISO/IEC 27001, Bilgi Güvenliği Yönetimi Sistemi (ISMS) gereksinimlerini tanımlayan tek uluslararası denetlenebilir standarttır. Yeterli ve orantılı güvenlik denetimleri seçilmesini sağlamak için tasarlanmıştır.
Bu, bilgi varlıklarınızı korumanıza ve ilgili taraflara, özellikle de müşterilerinize güven vermenize yardımcı olur. Bu standart, Bilgi Güvenliği Yönetimi Sisteminizi oluşturmak, uygulamak, işletmek, izlemek, incelemek, sürdürmek ve geliştirmek için süreç yaklaşımını benimser.
ISO 27001 Kimi ilgilendirir?
ISO/IEC 27001, dünyanın hangi Ülkesinden veya hangi sektörden olursa olsun büyük küçük tüm kuruluşlara uygundur. Bu standart, finans, sağlık, kamu ve BT sektörleri gibi bilginin korunmasının büyük öneme sahip olduğu alanlarda özellikle gereklidir. ISO/IEC 27001, BT taşeron şirketleri gibi bilgiyi başkaları adına yöneten kuruluşlar için de oldukça önemlidir. Bu sistem müşterilere bilgilerinin koruma altında olduğu güvencesini vermek için kullanılabilir.
Bilgi Güvenliği Yönetimi Sisteminizin ISO/IEC 27001 ile belgelenmesinin kuruluşunuza şöyle yararları olur:
•İç denetimlerinizin bağımsız bir şekilde sağlandığını gösterir, kurumsal yönetişim ve iş devamlılığı gereksinimlerini karşılar
•Geçerli yasa ve düzenlemelere uygun davranıldığını bağımsız bir şekilde gösterir
•Sözleşmeden doğan gereklilikleri karşılayarak ve müşterilerinize bilgilerinin güvenliğine gösterdiğiniz özeni ispat ederek bir rekabet avantajı sağlar
•Bilgi güvenliği işlemleriniz, prosedürleriniz ve belgeleriniz biçimlendirilirken kurumsal risklerinizin gerektiği gibi tanımlandığını, değerlendirildiğini ve yönetildiğini bağımsız bir şekilde doğrular
•Üst yönetiminizin bilgilerinin güvenliğine olan taahhüdünü kanıtlar
•Düzenli değerlendirme işlemi performansınızı sürekli izlemenize ve geliştirmenize yardımcı olur
Kaynak: http://www.isoegitim.com
Web → Made in Turkey projects
November 29th, 2009 by admin
Son günlerde özellikle bilişim alanında bazı teknolojilerin Türk’ler tarafından da yapılması konusu sıkça gündeme geliyor. Türkçe arama motoru, Türk Linux dağıtımı gibi… Ortaya çıkan sonuca baktığımızdaysa genelde “çakma” arama moturu, “çakma” linux dağıtımı gibi ürünler görmekteyiz. Bilişim alanında teknoloji geliştirmeyi millileştirme konusu, insanlarımıza çekici geldiği için olsa gerek sürekli gündemimize getiriyorlar. Teknolojiyi millileştirme çabası güzel, çekici ve güncel bir konu olsa da bu projelerin başarılı olması çok zor görünüyor.
Aslında konu teknoloji olduğunda bu işler farklı şekilde yürüyor. Gündelik yaşamımızın parçası olan bir çok teknoloji ürünü başkaları tarafından keşvedilmişse de bizlerde katkıda bulunarak geliştirebiliyoruz. Yazılım alanında da durum farklı değil aslında. Türk’ler bir çok projede önemli katkılarını zaten gerçekleştiriyor. Başarılı projelerin global hedeflerle “milli” olma çabası içinde olmadıkları ortadayken; bizdeki bu milli çabaların, aslında “çakma” ürünlerle kişilerin ticari çıkarlarına hizmet eden, reklam kokan hareketler olduğu gerçeğini görmenizi istiyorum.
Türkiye’de yaşayan geliştiricler de elbette projeler üretmeli, benim takıldığım konu “milli” olma vurgusu yapılan projelerin aslında özgün olmaması ve bilimselliğinin ötesindeki ticari yaklaşımlar. Özellikle devlet tarafından itelenen projeleri bu çerçevede düşünmenizi istiyorum.
Python → Python Parse Örneği (Düzenli İfadeler, MySQL)
October 30th, 2009 by admin
# Bu program Ali Okan YÜKSEL tarafından kodlanmıştır. Öneri, görüş ve sorularınız için aokany@gmail.com adresine yazabilirsiniz. import re import MySQLdb db=MySQLdb.Connection(host="localhost",user="root",passwd="",db="deucbs") cursor=db.cursor() cursor = db.cursor() p1 = re.compile('.*<font face="Times" size="2">|<font size="2" face="Times">.*') p2 = re.compile('.*<b>(.+)<\/b>.*') p3 = re.compile('<div.*left:(.+)px;">(.+)</div>.*') p4 = re.compile('.*<hr>.*') fileIN = open( "kamyoncular/izmirkamyoncular_Part1.htm", "r") line = fileIN.readline() text = "" yaz = "" sonraki = 0 linenum = 0 myline ="" while line: line = fileIN.readline() if p1.match(line): sonraki = '1' yaz = '1' print """ """ linenum = linenum+1 if sonraki == '1': if p2.match(line): text += """ </tr> <tr> """ sonraki = '0' print """ > """+p2.match(line).group(1)+""" """ if yaz == '1': if p3.match(line): if p4.match(line)==None: lineid = p3.match(line).group(1).replace(' ','') if(lineid!=""): #print lineid + "==>" + p3.match(line).group(2) #if lineid == "963": deger = p3.match(line).group(2) if deger[0:3]!="<b>": # strSQL = "INSERT INTO `veri` (`dosya`, `satir`, `sirano`, `kolon`, `veri`, `ex`) VALUES('izmirkamyoncular_Part1.htm', '"+ str(linenum) +"', '0', '" + lineid+ "', '" + deger + "', '0')" # print strSQL+"""""" # cursor.execute (strSQL) print lineid + "==>" + p3.match(line).group(2) fileIN.close() print myline text = """<table> <tr> """ + text + """ </tr></table>""" #log_file = open("converted_1.htm", "w") #log_file.write(text) #log_file.close()
PHP, Web → This is the demo version of CKFinder. Click here to visit our web site.
October 19th, 2009 by admin
CKFinder kullanıyorsanız ve bu ifade;
ckfinder/core/js dizininde yer alan ckfinder_gecko.js ckfinder_ie.js dosyasını düzenlemeniz gerekiyor. Kullandığım sürüm: CKFinder 1.4.1.1
qo+=’\75\x27\x3C\144\x69\166\x20\163\x74\x79\x6C\145\75\x22\x74\145\170\x74\55\x61\154\151\x67\156\x3A\40\143\145\156\x74\x65\x72\73\40\146\157\x6E\x74\x2D\x73\151\172\x65\x3A\x20\61\x36\160\170\x3B\x20\143\x6F\154\157\162\x3A\x20\x52\x65\x64\x3B\40\x70\141\x64\x64\x69\156\147\72\40\61\60\160\x78\73\40\x66\x6F\156\x74\x2D\x77\145\151\147\x68\164\x3A\40\142\157\x6C\x64\x22\76\x54\150\x69\163\x20\x69\x73\40\x74\150\145\x20\144\145\x6D\157\40\166\145\x72\163\x69\x6F\x6E\40\x6F\146\40\103\113\106\151\x6E\x64\145\x72\x2E\40\74\x61\x20\x68\162\145\x66\x3D\x22\x68\x74\164\x70\72\x2F\57\x77\167\x77\56\143\153\x66\x69\156\x64\x65\x72\56\x63\x6F\155\42\40\164\141\162\x67\x65\164\x3D\42\x5F\x62\x6C\x61\156\x6B\x22\40\163\164\171\x6C\145\75\42\x63\x6F\x6C\x6F\x72\72\40\102\154\x75\x65\42\x3E\103\x6C\151\143\x6B\x20\150\145\162\145\40\x74\157\40\x76\x69\x73\x69\x74\x20\x6F\165\162\x20\x77\x65\x62\40\163\151\164\145\74\57\141\76\x2E\40\x3C\151\x6E\160\x75\x74\40\x74\x79\160\x65\x3D\x22\142\x75\x74\x74\x6F\x6E\42\40\x76\141\154\x75\145\x3D\x22\x48\151\x64\145\x20\x4D\x65\x73\x73\x61\147\x65\x22\40\157\x6E\143\x6C\x69\x63\x6B\x3D\42\164\150\151\x73\56\160\x61\x72\145\x6E\164\x4E\157\144\145\x2E\x70\x61\162\x65\x6E\x74\x4E\x6F\x64\x65\56\x73\x74\x79\154\145\x2E\x64\x69\163\160\x6C\x61\x79\75\134\x27\156\157\156\x65\134\x27\73\x22\x20\x2F\x3E\74\x2F\144\x69\166\76\x27\73′;
ckfinder_gecko.js ckfinder_gecko.js_ ckfinder_ie.js
Linux → Ubuntu 9.04 xmms kurulumu
October 11th, 2009 by admin
source.list dosyasını düzenleyerek aşağıda yer alan ilgili satırları ekliyoruz:
sudo gedit /etc/apt/sources.list
seçiminize göre aşağıdaki satırları ekleyerek dosyayı kaydediyoruz.
ubuntu 9.04:
deb http://www.pvv.ntnu.no/~knuta/xmms/jaunty ./ deb-src http://www.pvv.ntnu.no/~knuta/xmms/jaunty ./
ubuntu 8.04:
deb http://www.pvv.ntnu.no/~knuta/xmms/hardy ./ deb-src http://www.pvv.ntnu.no/~knuta/xmms/hardy ./
Update ve install xmms
sudo apt-get update sudo apt-get install xmms
FreeBSD → Mailman kurulum notları
October 9th, 2009 by admin
|
| Mailman e-posta listesi uygulamasıdır. Python ile kodlanmıştır. Dökümanda, Mailman’in en basit haliyle sendmail ile beraber çalıştırılması anlatılmıştır. Detaylar için mailman kaynağındaki contrib dizinine göz atmanızı öneririm. İlk olarak ilgili dizinleri yaratıp, yetkileri düzenleyip, http://www.gnu.org/software/mailman/download.html adresinden edindiğimiz kaynağı derliyoruz… |
Security → Web security tools collection for pentesters
September 20th, 2009 by admin
 |
Denetimi ve testleriniz için kullanabileceğiniz, uygulama alanlarına göre kategorize edilmiş araçlar, (kaynak bağlantı: http://baoz.net/web-security-tools-collection/)
Test sites / testing grounds
SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) – http://crackme.cenzic.com/
Watchfire (live) – http://demo.testfire.net/
Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
Foundstone SASS tools – http://www.foundstone.com/us/resources-free-tools.asp
Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
HTTP proxying / editing
WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp – http://www.portswigger.net/
Paros – http://www.parosproxy.org/
Fiddler – http://www.fiddlertool.com/
Web Proxy Editor – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru – http://www.sensepost.com/research/suru/
httpedit (curses-based) – http://www.neutralbit.com/en/rd/httpedit/
Charles – http://www.xk72.com/charles/
Odysseus – http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools’/O’Reilly – http://examples.oreilly.com/networkst/
JS Commander – http://jscmd.rubyforge.org/
Ratproxy – http://code.google.com/p/ratproxy/
RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz – http://www.edge-security.com/wfuzz.php
ProxMon – http://www.isecpartners.com/proxmon.html
Wapiti – http://wapiti.sourceforge.net/
Grabber – http://rgaucher.info/beta/grabber/
XSSScan – http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe – http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz – http://sourceforge.net/projects/jbrofuzz
XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid’s XSS Assistant – http://www.whiteacid.org/greasemonkey/
Overlong UTF – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
screamingCobra – http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy – http://immunitysec.com/resources-freesoftware.shtml
RFuzz – http://rfuzz.rubyforge.org/
WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker – http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
WSTool – http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) – http://ussysadmin.com/whcc/
Web Text Converter – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) – https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) – http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743
HTTP general testing / fingerprinting
Wbox: HTTP testing tool – http://hping.org/wbox/
ht://Check – http://htcheck.sourceforge.net/
Mumsie – http://www.lurhq.com/tools/mumsie.html
WebInject – http://www.webinject.org/
Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
JoeDog’s Seige – http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
Load-balancing detector – http://ge.mine.nu/lbd.html
HMAP – http://ujeni.murkyroc.com/hmap/
Net-Square: httprint – http://net-square.com/httprint/
Wpoison: http stress testing – http://wpoison.sourceforge.net/
Net-square: MSNPawn – http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker – http://www.wiretrip.net/rfp/lw.asp
Nikto – http://www.cirt.net/code/nikto.shtml
twill – http://twill.idyll.org/
DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project – http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled – http://sf.net/projects/hackfox
Browser-based HTTP tampering / editing / replaying
TamperIE – http://www.bayden.com/Other/
isr-form – http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/
Cookie editing / poisoning
[TGZ] stompy: session id tool – http://lcamtuf.coredump.cx/stompy.tgz
Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy – http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning
Sahi – http://sahi.co.in/
scRUBYt – http://scrubyt.org/
jQuery – http://jquery.com/
jquery-include – http://www.gnucitizen.org/projects/jquery-include
Sprajax – http://www.denimgroup.com/sprajax.html
Watir – http://wtr.rubyforge.org/
Watij – http://watij.com/
Watin – http://watin.sourceforge.net/
RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) – http://jasildbg.googlepages.com/
Firebug Lite – http://www.getfirebug.com/lite.html
firewaitr – http://code.google.com/p/firewatir/
RSS extensions and caching
LiveLines (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache – http://www.dubfire.net/chris/projects/rss-cache/
SQL injection scanning
0×90.org: home of Absinthe, Mezcal, etc – http://0×90.org/releases.php
SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool – http://sqlninja.sourceforge.net/
JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat – http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap – http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer – http://www.sensepost.com/research/scully/
FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS – http://www.priamos-project.com/
Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
Jikto – http://busin3ss.name/jikto-in-the-wild/
XSS Shell – http://ferruh.mavituna.com/article/?1338
XSS-Proxy – http://xss-proxy.sourceforge.net
AttackAPI – http://www.gnucitizen.org/projects/attackapi/
FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog’s web-based junkyard – http://honeyblog.org/junkyard/web-based/
BeEF – http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) – http://www.gnucitizen.org/projects/fex/
What is my IP address? – http://reglos.de/myaddress/
xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval – http://www.gnucitizen.org/projects/greasecarnaval
Technika – http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet – http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment
Netcraft – http://www.netcraft.net
AboutURL – http://www.abouturl.com/
The Scrutinizer – http://www.scrutinizethis.com/
net.toolkit – http://clez.net/
ServerSniff – http://www.serversniff.net/
Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit – http://www.webmaster-toolkit.com/
myIPNeighbbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding – http://h4k.in/encoding
data: URL testcases – http://h4k.in/dataurl
Browser-based security fuzzing / checking
Zalewski’s MangleMe – http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan – http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider – http://labs.idefense.com
bcheck – http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo – http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn’s Black Dragon Project – http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0×000000.com/?i=324
About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP – http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs – http://unl0ck.net/tools.php
FIS: File Inclusion Scanner – http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit – http://developer.spikesource.com/projects/phpsecaudit
PHP Defensive Tools
PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector – Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
PHP-Login-Info-Checker – Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip
php-DDOS-Shield – A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/
PHPMySpamFIGHTER – http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids – http://code.google.com/p/dotnetids/
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
GotRoot: ModSecuirty rules – http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) – http://wsgw.sourceforge.net/
mod_security rules generator – http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight – http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense – http://akismet.com/
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
Net-square: wsChess – http://net-square.com/wschess/index.shtml
WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool – http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html
Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list – http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS – http://www.securesoftware.com/resources/download_rats.html
ITS4 – http://www.cigital.com/its4/
FlawFinder – http://www.dwheeler.com/flawfinder/
Splint – http://www.splint.org/
Uno – http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) – http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind – http://www.valgrind.org/
Java static analysis, security frameworks, and web application security tools
LAPSE – http://suif.stanford.edu/~livshits/work/lapse/
HDIV Struts – http://hdiv.org/
Orizon – http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs – http://findbugs.sourceforge.net/
PMD – http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java – http://osl.cs.uiuc.edu/~ksen/cute/
EMMA – http://emma.sourceforge.net/
JLint – http://jlint.sourceforge.net/
Java PathFinder – http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code – http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle – http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework – http://sourceforge.net/projects/cookie-revolver
tinapoc – http://sourceforge.net/projects/tinapoc
jarsigner – http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex – http://solex.sourceforge.net/
Java Explorer – http://metal.hurlant.com/jexplore/
HTTPClient – http://www.innovation.ch/java/HTTPClient/
another HttpClient – http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
- Visual Studio 2008 Code Analysis, available in:
- VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
- VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
- Visual Studio 2005 Code Analyzer, available in:
- Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
- Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
- Web Development Helper – http://www.nikhilk.net/Project.WebDevHelper.aspx
- FxCop:
- (blog) http://blogs.msdn.com/fxcop/
- (download) http://code.msdn.microsoft.com/codeanalysis
- Microsoft internal tools you can’t have yet:
Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) – http://www.amenaza.com/software.php
Octotrike – http://www.octotrike.org/
Add-ons for Firefox that help with general web application security
Web Developer Toolbar – https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) – https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar – https://addons.mozilla.org/firefox/2897/
Public Fox – https://addons.mozilla.org/firefox/3911/
XForms Buddy – http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install – http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools – http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab – https://addons.mozilla.org/firefox/1419/
User-Agent Switcher – https://addons.mozilla.org/firefox/59/
ServerSwitcher – https://addons.mozilla.org/firefox/2409/
HeaderMonitor – https://addons.mozilla.org/firefox/575/
RefControl – https://addons.mozilla.org/firefox/953/
refspoof – https://addons.mozilla.org/firefox/667/
No-Referrer – https://addons.mozilla.org/firefox/1999/
LocationBar^2 – https://addons.mozilla.org/firefox/4014/
SpiderZilla – http://spiderzilla.mozdev.org/
Slogger – https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter – https://addons.mozilla.org/firefox/3208/
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE – http://www.openqa.org/selenium-ide/
Firebug – http://www.joehewitt.com/software/firebug/
Venkman – http://www.mozilla.org/projects/venkman/
Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey – http://www.greasespot.net/
Greasemonkey compiler – http://www.letitblog.com/greasemonkey-compiler/
User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/3885/
Bookmarklets that aid in web application security
RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality – http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/
SSL certificate checking / scanning
[ZIP] THCSSLCheck – http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger – http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) – https://addons.mozilla.org/firefox/1964/
Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
Google Hack Honeypot – http://ghh.sourceforge.net/
PHP.Hop – PHP Honeynet Project – http://www.rstack.org/phphop/
SpyBye – http://www.monkey.org/~provos/spybye/
Honeytokens – http://www.securityfocus.com/infocus/1713
Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) – http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) – http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) – http://www.seoquake.com/
Footprinting for web application security
Evolution – http://www.paterva.com/evolution-e.html
GooSweep – http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools – http://www.sensepost.com/research/aura/
Edge-Security tools – http://www.edge-security.com/soft.php
Fierce Domain Scanner – http://ha.ckers.org/fierce/
Googlegath – http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) – https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) – https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) – http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1467/
Database security assessment
Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/
Browser Defenses
DieHard – http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) – http://databasement.net/labs/localrodeo/
NoMoXSS – http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo – http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) – http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) – http://www.noscript.net/
FormFox (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1579/
Adblock (Firefox Add-on) – http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) – http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) – http://www.safecache.com/
SafeHistory (Firefox Add-on) – http://www.safehistory.com/
PrefBar (Firefox Add-on) – http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1027/
QArchive.org web file checker (Firefox Add-on) – https://addons.mozilla.org/firefox/4115/
Update Notified (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper – http://firekeeper.mozdev.org/
Greasemonkey: XSS Malware Script Detector – http://yehg.net/lab/#tools.greasemonkey
Browser Privacy
TrackMeNot (Firefox Add-on) – https://addons.mozilla.org/firefox/3173/
Privacy Bird – http://www.privacybird.com/
Application and protocol fuzzing (random instead of targeted)
Sulley – http://fuzzing.org/
taof: The Art of Fuzzing – http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer – http://sam.zoy.org/zzuf/
autodafé: an act of software torture – http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System – http://www.appliedsec.com/resources.html
Security → Firefox Keylogger addon
September 18th, 2009 by admin
http://www.hackerscenter.com/public/Firefox_poc/poc_keylogger.zip
Örnek uygulama video görüntüsü