
Posts

Testing API security using Python and Postman part 1 (day 18)

API stands for Application Programming Interface. It is mainly used as a service that serves its users, and it can provide a wide variety of functionality depending on how the developer designs it. It is no surprise that many applications, including web and mobile apps, have adopted this technology in their backend architecture. Nevertheless, every developer and hacker should pay attention to its security to ensure it is not abused by malicious actors.

In this blog I will show you how to test an API using Python and Postman. To test the API I used Tiredful API. It is a web app intentionally developed to be insecure. The purpose of the app is to teach developers, QA or security professionals about flaws present in web services (REST API) caused by insecure coding practices. The following scenarios are implemented:

- Information Disclosure
- Insecure Direct Object Reference
- Access Control
- Throttling
- SQL Injection
- Cross Site Scripting

Setup the API: I used the Python virtual environment utility to isolate the installation of the prerequ…

Latest posts

MinU vulnhub write up ctf (day 17)

MinU is an Ubuntu-based virtual machine released on VulnHub, designed to test your knowledge of how to evade a WAF in Apache. I personally think this is quite a challenge for me, and I'm not gonna lie to all of you: I referenced some methods from a couple of blog posts on how to solve this machine, but it was still quite a fun ride for me.

Let's get started

I like to begin working on the machine by scanning all the ports using nmap with a high-intensity scan; since the machine is installed locally, it will not cost you a significant amount of time.


As you can see from the result, only port 80, which is the web server, is served to us, and if you try to open the website it just shows a default web page. So I started to enumerate the website using dirsearch and found a "test.php" page,

but what is really interesting is the parameter; it goes like:

http://<ip address>/test.php?file=<filename>

It seems that the param expects a file as input, so I started to put a string for dire…

Basic Pentesting Vulnhub Write Up (day 16)

Let's get back to basics.


In this post, I will explain to you how to own the vulnhub machine (Basic Pentesting).

link: Download the Machine

Background Challenge:
This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: josiah@vt.edu

If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and…

Finishing cryptography challenge (Matasano) with Kotlin part 1 (day 15)

Cryptography has always been a critical area in computer security; it provides confidentiality and integrity in critical infrastructure such as e-commerce and banking. Thus, learning how to test implementations will be a valuable experience for all security practitioners.

So, on this occasion, I would like to challenge myself to learn about cryptography and cryptanalysis with the help of Kotlin.

Where the hell do I find an adequate resource to learn cryptography? First of all, there are lots of books that teach you about cryptography and cryptanalysis. Many people recommend reading Bruce Schneier's "Applied Cryptography", but if you are like me and become drowsy after reading a couple of sentences in a book, I suggest you try this website, https://cryptopals.com. It contains 8 sets of challenges demonstrating real-world attacks on cryptography, so most of the time you will learn more about cryptanalysis rather than cryptogra…