Showing posts from July, 2019

Finishing cryptography challenge (Matasano) with Kotlin part 2 (day 19)

Howdy, folks! This post is the continuation of the previous one, solving matasano with kotlin part 1. In this post, I will talk about how to solve the next two challenges in set 1 (challenges 3 and 4). Challenge 3: Description: The challenge expects us to create a program that cracks a hex string that has been encrypted with single-byte XOR. To solve it, you just need to reuse the code from challenge 2 with a few small alterations. I tried to keep the UI really simple so you don't have difficulty following the code. The following is the code snippet to solve challenge 3. Let's break it down so you know how this function works. First, in the onCreate method I have a button that is triggered when the user presses it. Once the user has entered the string, it gets the input from the editText element and finally passes it to the solve_chal3 function, and this is where the real work takes place.

Testing API security using Python and Postman part 1 (day 18)

API stands for Application Programming Interface. It is mainly used as a service for its users, and it can provide a wide range of functionality depending on how the developer designs it. It is no surprise that many applications, including web and mobile apps, have adopted this technology in their backend architecture. Nevertheless, every developer and hacker should pay attention to its security to ensure it is not abused by malicious actors. In this blog I will show you how to test an API using Python and Postman. To test the API I used Tiredful API. It is a web app intentionally developed to be insecure. The purpose of the app is to teach developers, QA and security professionals about flaws present in web services (REST API) due to insecure coding practices. The following scenarios are implemented: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection, Cross Site Scripting. Setup the API: I used a Python environment utility to isolate the insta

MinU vulnhub write up ctf (day 17)

MinU is an Ubuntu-based virtual machine released on vulnhub, designed to test your knowledge of how to evade a WAF in Apache. I personally think that this was quite a challenge for me, and I'm not going to lie to you all: I referenced some methods from a couple of blog posts on how to solve this machine, but it was still quite a fun ride for me. Let's get started. I like to begin work on a machine by scanning all the ports using nmap with high-intensity scanning; since the machine is installed locally, it will not cost you significant time. As you can see from the result, only port 80, the web server, is served to us, and if you try to open the site it just shows a default web page. So I started to enumerate the website using dirsearch and I found a "test.php" page, but what is really interesting is the parameter. It goes like: http://<ip address>/test.php?file=<filename> It seems that the param expects a file as input, so I start to pu