
When All You Can Do Is Read.

A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability.

The second part of my introduction to using ZAP to test WebSockets, this part focuses on fuzzing.

The following article is part two of my introduction to ZAP and testing WebSockets; in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here: OWASP ZAP and Web Sockets. The testing is being done against a small WebSockets-based app I wrote called SocketToMe, which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win.

My AP Collection

I'm going to be doing some AP testing and this is a small part of the collection.

Building a lab with ModSecurity and DVWA.

I've been meaning to build a ModSecurity lab for a while and, seeing as I had some free time, I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs GitHub repo and, so there is something to attack, I've included DVWA.