hiredhacker.com

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

w3af is a great (and getting better) framework that I just decided to start contributing to. I want to get as much attention to these guys as possible as it has allot of potential to be a very impressive tool.

Hopefully I can set some time aside to actually start throwing some code at em and if you know python and have an interest in web application security, lend a hand! Its a great group of guys (and girls?) working on an exciting tool.

A little off topic but if you are a fan of the Sox, or just like baseball you gotta see this. Here is Manny’s sprinting-wall-climbing-high-fiveing-double-play-catch from a few nights ago:

http://www.mlb.com/media/video_sl.jsp?video=200805142699480

The past few months haven’t exactly been slow for me, hence the lack of new content here. There have been allot of interesting stuff to happen over the past 2 months, I will try to point out the ones I found most interesting. In no particular order (well, except for Mark Dowd’s inhuman paper, that needs to go first):

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Thomas Ptacek from Matasano has some nice posts about Dowds paper here and here. Come to think of it, just read the Matasano Blog.

Retsaot is Toaster, Reversed: Quick ‘n Dirty Firmware Reversing. Yea, another matasano post. Once you read that your going to want to get this: BlackBag 0.9.1

For those who still doubt the seriousness of bugs like XSS and CSRF, check out: uTorrent Pwn3d. With out rehashing Rob’s post, he used CSRF to gain control of a machine.

The Bluehat talk A Resident in My Domain has sparked quite a few posts about the details of the attack, and it looks very interesting/serious.

There is of course always OpenRCE.org and sla.ckers.org, and if your in the Boston area or are just fans of Dropkick they will be playing at all the Red Sox minor league parks with the Bosstones, more info here.

‘Mantis is a free popular web-based bugtracking system’ - http://www.mantisbt.org/

I didn’t audit this, I don’t want to audit this, I just found it while using Mantis. There may be more, but this is what I got:

/view_filters_page.php
?for_screen=1&target_field=show_category[]%22;alert(1);x=%22

February was a very busy month for me, which makes it a slow month for hiredhacker.com. I did change hosts, but that was about it. Between the XBox 360, and my new iPhone I am lucky I even did any real work. Hopefully March will be a better month for hiredhacker and I will get to do some more research and get some new bugs published. I do have some quick bugs that I will throw up here, both are web apps; Mantis Bug Tracker and dotProject Project Management System.