My first post about this OWASP project can be found here. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 2.0.1! Read more about UPDATE: OWASP Dependency-Check 2.0.1!
Seems like yesterday when S2-045, the Jakarta Multipart vulnerability was being actively exploited in the wild which allowed remote attackers to execute arbitrary code. A few hours ago a new equally exploitable advisory - S2-048 was made public by the Apache foundation! This is a quick write up to see if we can test an exploit for the Apache Struts2 vulnerability and create a proof of concept code. This vulnerability has been assigned: CVE-2017-9791 Read more about Apache Struts2 Showcase Remote Code Execution! (S2-048)
You must have read my last post about Prowler, a full featured and open source tool that automates auditing and hardening guidance of an AWS account. It performs 52 checks based on CIS Amazon Web Services Foundations Benchmark 1.1. If you are looking for a smaller set of checks, then you have another option - Zeus. Read more about Zeus: Audit & Harden Your AWS Installations!
All of us know that Center for Internet Security offers CIS Security Benchmarks for multiple systems to safeguard them against an ever changing threat landscape. For Amazon Web Services (AWS) the current version can be found here: CIS Amazon Web Services Foundations Benchmark 1.1. This post is about a tool that helps you automate most of the benchmarks - Prowler. Read more about Prowler: An AWS CIS Benchmark Auditing & Hardening Tool!
There is a lot of fun offensive stuff being developed in PowerShell these days. An example is Invoke-Phant0m an excellent Microsoft Windows eventlog wiper. This post is about PSAttack, a framework which tries to include almost all Microsoft PowerShell scripts that can be used in a penetration test. Read more about PSAttack: A Offensive PowerShell Console!
My old post about the OWASP Dependency-Check project can be found here. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. Read more about UPDATE: OWASP Dependency-Check 2.0.0!
Internal network exploitation is a completely different ballgame all together. Many resources are trusted by default and security restrictions are minimal in most cases. One such resource which lacks security restrictions is the Microsoft Windows Server Update Services (WSUS). I have seen internal networks which lack SSL protection, because it is "not needed" for internal networks. This is where a script like WSUXploit comes into picture! Read more about WSUXploit: A Weaponized WSUS Exploit Script!