Showing posts with label Penetration Tester. Show all posts

Sunday, October 9, 2011

Learn Web Application Exploits and Defenses for free~Penetration Testing


Do you want to learn web application exploitation and how to defend against it? Here is your chance. Google Labs provides a lab for learning web application security free of cost.


Penetration Testing :
  • Learn how hackers find security vulnerabilities!
  • Learn how hackers exploit web applications!
  • Learn how to stop them! 
This code lab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
  • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

Gruyere 
This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

The codelab is organized by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you'll use both black-box hacking and white-box hacking.

In black-box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view HTTP headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests.

In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it's open source: you can read through the source code to try to find bugs. Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

They'll tag each challenge to indicate which techniques are required to solve it:
  • Challenges that can be solved just by using black-box techniques.
  • Challenges that require that you look at the Gruyere source code.
  • Challenges that require some specific knowledge of Gruyere that will be given in the first hint.

WARNING: 
Accessing or attacking a computer system without authorization is illegal in many jurisdictions. While doing this codelab, you are specifically granted authorization to attack the Gruyere application as directed. You may not attack Gruyere in ways other than described in this codelab, nor may you attack App Engine directly or any other Google service. You should use what you learn from the codelab to make your own applications more secure. You should not use it to attack any applications other than your own, and only do that with permission from the appropriate authorities (e.g., your company's security team). 


Friday, August 5, 2011

Blackbuntu CE v0.3! is Released


What is Blackbuntu?
“Blackbuntu is a Linux distribution for penetration testing which is specially designed for training security students and practitioners of information security. It is currently built on Ubuntu 10.10 with the Gnome desktop environment. Blackbuntu will also include the KDE desktop in the final release of Blackbuntu Community Edition 0.3. It is not included in 0.1, 0.2 or the current 0.3 betas.”


Tuesday, August 2, 2011

SQL Inject Me - SQL Injection Tool to Test the Vulnerability for Pen Testers


So far I have written about what SQL injection is and how to prevent SQL injection. In this post, I am going to introduce a new SQLi tool for pen testers and webmasters.
The tool is called SQL Inject Me.

What is SQL Inject Me?
SQL Inject Me is a Mozilla add-on used to test web applications for SQL injection vulnerabilities. It reduces the workload of manual SQL injection testing. It is designed especially for pen testers and webmasters, not for hackers.


Sunday, July 31, 2011

pyDetective - An Open Source Forensics Software



pyDetective is a new open source forensics tool developed by Mr. Filip Szymanski. It is used for computer crime investigations. It consists of two tools, namely del2info and carver.


Thursday, July 28, 2011

Apache Log Extractor Tool for Pen Testers


We know that Apache is a famous web server. Let us see what the Apache Log Extractor tool is.
What is Apache Log Extractor Tool?
Apache Log Extractor is a quick script to export URL information from Apache access logs. The thought behind this script was to provide a list of known URLs on a remote server by analysing the logs. This list could then be used as the input for further testing tools, e.g. Burp Suite – Intruder.

Monday, June 13, 2011

How to Become a Penetration Tester/Ethical Hacker/Security Professional?


PenTesters

I have been asked by email for tips on becoming an ethical hacker or penetration tester. So in this article, I am going to guide you into the penetration testing world.

If you are reading this article, it means that you have already heard about ethical hacking and pentesting. Anyway, I would just like to give a short definition of ethical hacking.

What is Ethical Hacking and Ethical Hacker?
Ethical hacking, also known as penetration testing, is the process of vulnerability testing or hacking a system with permission from the corresponding vendor. Normally, organizations that are in need of security recruit ethical hackers or pentesters to improve their security.

Ok, let us come to the article.

How to Become an Ethical Hacker?


  1. Dedication: Dedication is the main key to becoming an ethical hacker. Don't plan to become a pentester because of money. If you really have an interest, then go ahead.
  2. Reading: Be a bookworm. Try to read books related to computers and their architecture. Buy books related to security and ethical hacking.
  3. Know how hackers hack into: You cannot solve the problem until you know what is behind the problem. So you have to learn the methods of hackers. How? Just read the articles provided on our site.
  4. Programming and Scripting: Learn some programming or scripting languages, because most of the time you will need to write code to break into a system. You also have to know coding to understand how a system works; only then can you penetrate it. OK, which language? My suggestion is C. I love C programming. It is one of the best, most powerful languages and easy to learn. Some people prefer Python. As far as I am concerned, once you have learned one language, it is easy for you to learn any other language. There are plenty of online programming tutorial sites out there.
  5. Linux: OK, it is time to switch from Windows to Linux. Learn to work with Linux.
  6. BackTrack Linux Distribution: BackTrack Linux is one of the famous penetration testing Linux distributions. BackTrack is funded by Offensive Security. It has almost all the penetration testing tools required by security professionals.
  7. Get Certification for Ethical Hackers: Some organizations recruit based on security certifications. You can learn and get an ethical hacking certification from your nearest center. Search Google for these keywords: "CEH", "OSCP", "security certifications". Anyway, if you have dedication and confidence, you don't need a certificate and can get into a firm easily.
  8. BreakTheSecurity: On BreakTheSecurity, I have written plenty of articles related to ethical hacking and penetration testing. I hope they will help you gain some knowledge. Also, you can find the latest ethical hacking techniques here.
  9. Forums: Participate in security or ethical hacking related forums.
  10. Need help? Feel free to contact me.
Opportunities for Ethical Hacker
There are plenty of jobs available in government organisations, banks, financial institutions, military establishments and private companies. India requires more Ethical Hackers.