I am happy to announce the ModSecurity SVM Bypass Charity Challenge. This is a SQL Injection, XSS and Path Traversal Filter Evasion Challenge. Similar to the Trustwave ModSecurity SQLi Challenge, I setup ModSecurity to proxy to the following four commercial vulnerability scanner demo sites:
Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages to this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millesecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.
The term ‘ethical hacker’ is often misrepresented as the keywords "ethical" and "hacking" are an oxymoron. A hacker is defined as an unlawful individual breaking into systems and obtaining private data without explicit authorisation. Society in general has a perception of a hacker as a person wearing a hoodie and hiding in a dark basement.
I recently had to go in to bat for a client who was told by their PCI auditor that they would fail PCI and as a result have to notify all their clients that they were not PCI compliant. The reason they failed was because the ASV scanner picked up an F5 internal IP address disclosure vulnerability that their scanning engine Nessus picked up.
If you are anything like me, when you hear "Hacking in the Year 2030" you immediately visualize hacking robot armies and UFOs to take them down with lazers and ultrasonic USB attachments via your PlayStation 10 using only changes in pupil dilation to read mental instructions of what hacking tools to launch.
Well this technology may very well be around in 2030, but unfortunately most of you are more likely to still be exploiting Cross Site Scripting (XSS) vulnerabilities in the web interface of the killer robots.
It's a question that I'm sure many fellow IT people out there have been faced with. Whether you're on ground zero doing systems administration and a server dies or wondering why all of a sudden orders on your website have slumped. It could literally be anything; a faulty device, software crash... maybe you got hacked? How do you know? Worse still, maybe something bad is happening right now and you haven't even realised yet!
Richard Brown, Pure Hacking dedicated security consultant and all round security fanatic impressed the conference organisers and participants at this year's DefCon with his innovative DefCon badge hack.