Monthly Archives: August 2007

Webscarab Tutorial Part 2 (sessiond ID analysis)

Part 1 of this series focused on the basics of using a HTTP proxy to assess a web application. I encourage people to play around with HTTP proxies with a web application that they use frequently, it’s interesting to see what information is being passed between the client and server. This communication can […]

Monster screw up at

The story of user information being stolen on has been in the news about a week now. I noticed that its starting to pick up steam with articles on the front page of major news sites and finally on the front page of the Money section in Sunday’s USA Today. There are […]

Webscarab Tutorial Part 1 (learning the basics)

This tutorial is designed to walk you through the basics of using a HTTP proxy. A HTTP proxy is very useful when it comes to web application vulnerability assessment. A proxy will allow you to record all of your transactions while using the web application producing a history of pages you have visited and links […]

Scan for Blank Admin Passwords without Commercial Software

I’ve seen blank administrator passwords at every organization I’ve worked. Without fail there will be some user that manages to get a PC onto your network without setting a password. This type of scenario opens up Pandora’s box into the number of vectors that could be created. Once a malicious user has […]