Showing posts from May, 2009

Greasemonkey Script: WebPageFingerprint Series

Greasemonkey Script: WebPageFingerprint Series
Description: Six nice video series of how a very little Greasemonkey Script can do - Web Page fingerprinting, JS fingerprinting, Vulnerability/Backup file scanning, XSS/SQL/Command Injection fuzzing ...etc.
Date: July 2008

WebScarab Demonstration Series

WebScarab Demonstration Series
Description: See how WebScarab is useful in web application security assessment. - Spidering - Finding Hidden Clues - Session Analysis - XSS Hunting - Dir Enumeration - Backups Enumeration
Date: August 2008

Passive Vulnerability Scanning with RatProxy

Passive Vulnerability Scanning with RatProxy
Description: See how a google security guy's RatProxy is good at Web Application Security Assessment.
Date: August 2008

Attack Log Analysis with Scalp!

Attack Log Analysis with Scalp!
Description: Scalp is a very great apache log attacker analyzer using php-ids IDS pattern file. If you scan your web site logs weekly or daily, you will see attacks are coming to your site on a regular basis. People tend to check their logs only after compromise is accomplished. It is too late. Attackers have 0wned their sites and manipulated log files!
Date: Sept 2008

HTTP Form Brute Forcing With JHijack

HTTP Form Brute Forcing With JHijack
Description: The Initial reason for JHijack is to use it in numeric Session Hijacking but its uses depend only on who use it. We've given yet another example in Blind SQL Injection. This time, it can also be used as HTTP Form Cracker like an old school - Brutus.
Date: Nov 2008

Why JS Malwares are still prevelent and bypassing AV Scanners

Why JS Malwares are still prevelent and bypassing AV Scanners
Description: Even up to now due to today's AV Scanner's Poor Defense against web worms, we'll never be secure. This movie shows you how JS malwares can easily bypass AV Scanners using stupid string manipulation techniques.
Date: May 2009

Session Strength Analysis With Stompy

Session Strength Analysis With Stompy
Description: Stompy performs NIST FIPS statistical tests on session generation and checks for correlations between arbitrary bits. A truly random token never exhibits correlation between the stage of one bit and the state of another. In this movie, I'll show you how to download, extract, compile, and run Stompy and analyze session tests for failure or pass. Ref: WAHH.
Size: 10 MB
Date: May 2008

Checking Weak SSL Ciphers With THCSSLCheck

Checking Weak SSL Ciphers With THCSSLCheck
Description: If any weak or obsolete SSL ciphers are being used in particular web sites, then a suitably positioned attacker may be able to perform an attack to downgrade or decipher the SSL communications gaining access to user sensitive data. Ref: WAHH.
Size: 2.05 MB
Date: May 2008

Discovering Browser Plugin Vulnerabilities

Discovering Browser Plugin Vulnerabilities
Description: See how attacker find flaws in web browser plugins to install malware to your computer. For example, if a plugin has vulnerable readFile/loadFile function, then he can read/load any files from your computer and then send them to his sever. Similarly, for saveFile function, he can overwrite any files on your disk with malicious content.
Size: 9.38 MB
Date: May 2008

Owning the box via Web Browser Flaw

Owning the box via Web Browser Flaw
Description: You'll never think of how dangerous a link you've clicked! Generally exploiting browser vulnerabilities to gain remote access may bypass firewalls that are protecting your workstation. Firewalls typically block new, inbound connection attempts but allow users behind the firewall to create outbound connections, which allow both parties of that established connection to communicate freely in both directions over that channel. If an attacker wants to attack your firewall-protected computer, he will normally be blocked by your firewall. However, if the attacker instead hosts the domain and entices you to browse to, he now has a communication channel to interact with your computer. Ref: GHHB.
Size: 11.3 MB
Date: May 2008

XSS in phpMyAdmin 2.11.7

XSS in phpMyAdmin 2.11.7
Description: A recorded XSS hunting movie in phpMyAdmin 2.11.7.
Date: June 2008

OWASP WebGoat Web Hacking Simulation Series [over 40 Movies]

OWASP WebGoat Web Hacking Simulation Series [over 40 Movies]
Description: A Series of Full-Featured Web Hacking WalkThrough Simulations played in OWASP WebGoat v5.1 environment. General - Code Quality - Concurrency - Unvalidated Parameters - Access Control Flaws - Authentication Flaws - Session Management Flaws - Cross-Site Scripting (XSS) - Buffer Overflows - Injection Flaws - Improper Error Handling - Insecure Storage - Denial of Service - Insecure Configuration - Web Services - AJAX Security - Challenge. New movies will be added whenever WebGoat is updated.
Size: N/A
Date: April 2008

Trusting The Vulnerability Scanner: Danger of False Negative Sign

Trusting The Vulnerability Scanner: Danger of False Negative SignDescription: This movie is to educate developers who put their entire trust on security/vulnerability scanners. False Negative means "Scanner says it doesn't find any X vulnerability". But there actually exists X vulnerability. Be sure to read "About Movie.txt" file. Size: 2.05 MB Date: April 2008

Owning the box Via Web Application Flaw

Owning the box Via Web Application Flaw
Description: See how an attacker can use our recent discovery of File-Upload vulnerability in Gmail-Lite to 0wn the entire box. This is to teach developers how a flaw in web application is evil.
Size: 6.39 MB
Date: April 2008

Performing Directory Brute-Force Attack

Performing Directory Brute-Force Attack
Description: There are dozens of tools that let us brute-forcing directories names for sensitive information digging. In this movie, we illustrated Directory Brute-Forcing with the tool called 'JBroFuzz'. The reason why we like it is that it can brute force a large number of directories. As of this writing,the latest version JBroFuzz 0.8 has 58658 directories names that are commonly used by today's web sites. The only defense is you must not place/protect sensitive information in server-side (.htaccess). Just wanna show you - Security Through Obscurity is broken.
Size: 3.51 MB
Date: March 2008

Evading Firefox XSS-Warning Addon Filter

Evading Firefox XSS-Warning Addon Filter
Description: Just one example of how attackers can easily bypass today's security controls. We shouldn't too much reply on security products which have their own weaknesses.
Size: 169 KB
Date: March 2008

Exploiting Logic Flaw

Exploiting Logic Flaw
Description: This demonstration shows you on how a flaw in coding reveals sensitive information!
Size: 2.75 MB
Date: Feb 15, 2008

Finding XSS with Automated Tool [Interactive]

Finding XSS with Automated Tool
Description: This training is an interactive version of the above training. It simulates you how to automate finding xss holes with fuzzers in quick and easy manneryourself.
Size: 150 KB
Date: Feb 6, 2008

Finding XSS with Automated Tool

Finding XSS with Automated Tool
Description: This training shows you how to automate finding xss holes with fuzzers in quick and easy manner.
Size: 1.18 MB
Date: Jan 04, 2008

How Bad Guys Steal your Login Info Smartly

How Bad Guys Steal your Login Info Smartly
Description: This demonstration shows you how bad guys or malicious web sites steal your login accounts info of your daily visited sites by exploiting via web browser's autoComplete feature .
Size: 886.98 KB
Date: Jan 11, 2008

Desirable Input Validation Baseline Check

Desirable Input Validation Baseline Check
Description: This demonstration shows you on how you should implement baseline acceptable input filtering on visitors' inputs. Filtering inputs are the most important because 100% injection attacks (XSS,SQL,XPATH,OS CMD ...etc) come from inputs where filtering is weak or none. Developers should always be aware of inputs as well as outputs! You know Garbage In Garbage Out but for attackers, Garbage In Gold Out!
Size: 4.09 MB
Date: Jan 15, 2008

Attacking The Spammers with PhpMySpamFighter

Attacking The Spammers with PhpMySpamFighter
Description: Spammers use email collectors programs to grap our site visitors' emails. See our phpMySpamFighter Dos-attacks their programs. We hope there will be less spammers if this technique is used widely. In fact, it fights not only spammers but also your attackers who use the similar tools to probe your web sites.
Size: 3.65 MB
Date: March 2008


Download WFuzzFE

Description: WFuzz FrontEnd (WFuzz UI) is what we just wrap GUI to the all-time famous by Carlos del ojo & Christian Martorella ( WFuzz is known as a Web Brute Forcer. It's a tool that got its fame thanks to its multithreading and flexibility to show only desired results based on HTTP Response Code, No. of Lines/Words. When fuzzing is done, firefox will open and show the result. Requirements: Python, JRE 1.5 >= Date: Oct 2008

Web Firewall Detector

Download Web Firewall Detector

Typical Web Firewalls use a mechanism to classify anomaly traffics. This tool submits an old-school malicious (not dangerous) request, and tells you the type of firewall a particular web site use (if any). Mainly useful for blackbox security assessment. Coded years ago. Ref: Web Hacking Exposed 2nd Edition, ISBN:9780072262995
[REQUEST] <----> | Web Firewall | <----> [WebServer] Requirements: Perl Date: Nov 2008

No longer updated. We've contributed this wafd's signatures to w3af plugin.

Web Firewall Stress Tester

Download Web Firewall Stress Tester

A tool to be used for newly created OSS web firewall/proxy/servers 'coz I found vulnerability in this way. Submit (GET/POST/HEAD) user-defined packets to web firewall to test its security strength. Tell you at which packet length a firewall will crash. Good for Heap/buffer overflow hunting.

[REQUEST] <----> | Web Firewall | <----> [WebServer]

Requirements: Perl Date: Nov 2008

Joomla! Security/Vulnerability Scanner

Download Joomla! Security/Vulnerability Scanner

A regularly-updated scanner that can detect file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site. Requirements: Perl Start-Date: Dec 2008

Ultimate Hackerfox Addons

We've found it impossible to run Portable Firefox with several security addons thanks to our contributing testers (Ko Soe Min, & Ko Phyo, To work around this problem, we zip-bundle hacking addons with runnable invokers (run.exe in Windows, in Linux). You must have firefox installed in your system. Make sure you already close any Firefox beforehand. Our Greasemonkey scripts Included . Download: version-1-light MD5: 80AED846164A1AECEB5AFE0759473DF2
version-2 MD5: 68C581305E2C16E9D51E41C7D75ED501 Requirement: Firefox Browser Date: Auguest 2008


Download NiktoFE

Nikto FrontEnd (Nikto UI) is what we just wrap GUI to the all-time famous by Sullo (CIRT Inc).It usually takes several minutes(even hours) for a complete scan. When it's done, firefox will open and show the result. Requirements: Perl, JRE 1.5 >= Date: Oct 2008

phpMyAdmin Configuration Security Checker

Download phpMyAdmin Configuration Security Checker

Thousands of web servers are running phpMyAdmin in more or less insecure settings. This configuration script will check user-defined configuration values against pre-defined secure values. Set config file path. Run it and save the test result and then delete this script. Coded for: phpMyAdmin 2.11.7 Date: July 2008

PHP Login Info Checker (LIC) v.01

Download PHP Login Info Checker (LIC) v.01

In your web applications wherever user/admin registration is required, use this checker script to strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. You can extend it stricter/stronger passwords easily. It has also built-in smoke test page via url loginfo_checker.php?testlic . Demonstration: PHP Login Info Checker DemoCompatibility: PHP 4/5 Date: April 2008

Php-Brute-Force-Attack Detector

Download Php-Brute-Force-Attack Detector

(Former name: Php Attack Detection Engine) to detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. This helps you quickly identify probable probing by bad guys who's wanna dig possible security holes. For more info...Requirements: PHP5, MySQL 4> Date: June 2008

Apache mod_rewrite security rules

Download Apache mod_rewrite security rules

These rules act as a baseline web application firewall built on common attack strings. If you get banned during legitimate traffic, you'll have to remove troubled keywords. If you can't, post'em to us. We'll send you finer version that suits your site. It's a must for all web servers. Remember it cannot help most web application attacks such as Information Leakage, Insufficent Authentication/Authorization, Bruteforcing, Predicatable Resource Location, Logic flaws. Requirements: Apache with mod_rewrite module enabled Date: March 2009



It makes/fills email extractors/spammers' programs with thousands of fake email addresses endlessly dynamically generated by phpMySpamFighter. So even if your site visitors post their email addresses in plain format, spammers will give up searching for correct ones. It may cause Denial-Of-Service attack back to their programs.In fact, it fights not only spammers but also your attackers who use the similar tools to probe your web sites. Compatibility: PHP 4/5 Resources: Demonstration


Download php-DDOS-Shield

Php-Distributed Denial-of-Server Preventor. Nothing can stop DDOS? Don't be amazed. This is a tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. Installation is to just do include. Requirement: PHP 4 > Date: July 30 2008



A lightweight Windows HTA Application useful as your regular google hacking tool on Windows platform.A comprehensive search form bundled with sensitive keywords. It's capable of saving searches on disk and directly modifying keyword files. Started: Sept 2007


Download HackerFirefoxDescription: Portable Firefox With Web Hacking Tools Bundled Started: Dec 2007 Featured @ at OWASP

JHijackv.01 beta

Download JHijackv.01 betaDescription: A simple Java Fuzzer mainly used for numeric session hijacking and parameter enumeration. Requirement: JRE/JDK 1.4 or above Demonstrations: Session HijackingBlindSQLInjectionHTTP Form Brute Forcing Date: April 2008

GreaseMonkey:: Web Security Toolkit

A collection of our Greasemonkey scripts that aim to provide security for you and your site. We love to write Greasemonkey scripts than Browser Addons because Greasemonkey is more flexible. Any one can view and edit source codes with ease. They will forever be compatible with any versions of Gecko browsers while most security addons are no longer compatible with new versions unless their authors take pains to modify codes for compatibility. Send suggestions and bugs via our contact form at our home page. Feel free to modify codes to adapt your need. phpinfo() Security CheckerDescription: Whenver the script detects a phpinfo() page, it fingerprints it for how much secure that phpinfo page. It's a combination of my security thoughts and's project. Use it for security and performance issues. Ideal for web masters and web server admins who are a bit confused with phpinfo() page's numberous configuration items. Date: July 2008
WebPageFingerPrint (aka. Hacking Scrip…

Web Application Security Papers Archived (WASPA)

Download Web Application Security Papers Archived (WASPA)

This project is a collection of web application security related documents, presentations, cheetsheets, guides and the like. As for always, those resources are scattered among thousands of resources on the web. Some are really worth to read but are sadly unknown by a whole large. The only noble aim of Security students, professionals, or researchers is to bring reliable security and countermeasures to our next-generation IT communication. I attempt to support this aim by collecting resources altogether in one place which can be downloaded by those who're eager for stronger security.

Started: June 2008

Multiple vulnerabilities in PhpMyAdmin

Multiple vulnerabilities in PhpMyAdmin <= 2.11.7 -

XSS in setup
Cross-site Framing

July, 2008

Gmail-Lite XSS Hole

CodeIgniter Global XSS Filtering Bypass Vulnerability

Ning.Com Captcha Protection Bypass Vulnerability

Input Flood Vulnerability in burglish chat

XSS Archive Screenshots

Apache Security Bypass Vulnerability in DOMPDF

Gmail-Lite Shell Code Execution Vulnerability

XSS-Warning Addon Filtering Bypass Vulnerability

Hacker Web Search Aggregator

Hacker Web Search Aggregator - Collection of site searches for Information Gathering phase.

Resource Directory

This is our ongoing project to maintain the most live ever-updated comprehensive links repository. We take pains to make the HWD sure for quality links resources. Click the logo below to enter into hwd.

Web App Security Assessment Report Generator (WA-SARG)

To generate assessment report, the following famous two methodologies are used as framework or checklists. Practical skills on tools and knowledge are required to perform the assessments accurately according to defined methodology. Carrying out assessments that satisfy all tasks mentioned in these methodologies ensures reasonable level of security. They provide pentesters baseline checklists so as not to miss anything. For more information, please buy "Web Application Hacker's Handbook" for Portwigger and download OWASP Testing Guide from If you'd like to propose hybrid methodologies combined with your own experience, don't hesitate to contact us. Over time, these methodologies need to be updated to cope with evolving attack vectors and threats.
OWASP Testing Guide v2
OWASP Testing Guide v3
Privacy Policy: No data is sent to our server.
Purely generated by JavaScript alone. Some words: Avoid using it as a checklist if you have limited time;

What a perfect whitehat!

Better Study Strategies

A Dark Intro To Google Hacking

Php5 Built-in String Filter Functions For Security

Introducing Malware Script Detector

An Apache Trick to protect sensitive/backup files

Ongoing Web Application Security Model (OWA-SM)

An Apache Trick to prevent Shell File Attack

Directory Bruteforce Attack

Security Professional How to

Why Session Protection Fails

Ways to Protect Sensitive Files & Directories

Web Browser Plugins Vulnerabilities

Hunting for Backdoor Scripts

Things to do When you got hacked

Causes Of Security Flaws 101

What XSS Can Do

What XSS Can Do
Jan 02, 2008

Defeating X-Rummer Spam Bot

Disclosure Vulnerability:phpinfo

Disclosure Vulnerability:robots.txt

Jul 16, 2006

A Nice Approach to IT Certifications

Jan 07 , 2006

Next-Generation Phishing Attack

May 13, 2006