September 25, 2016

New Service Brings Crowdsourcing to Penetration Testing

(LiveHacking.Com) – Crowdsourcing, a term first used back in 2006, has proved a popular way to outsource tasks to large groups or communities (i.e. “the crowd”), where small actions by large numbers can achieve quick results. This idea has now been adopted in the area of penetration testing. Hatforce.com is a new service which rewards ethical hackers for performing penetration tests for willing clients.

The idea is simple. A client signs up to the Hatforce.com web site and offers a financial reward, say $70, for every vulnerability found in their web site or software. Ethical hackers then sign up to Hatforce.com and sign a legal agreement giving them the authority to “hack” the client’s resource. If they find any vulnerabilities, they are paid.

The idea of asking “the crowd” to engage in security-related tasks was popularized by Google with its Chromium Security Awards scheme. Under Google’s scheme, software developers are rewarded for finding security-related bugs in Google’s Chrome browser and in the WebKit HTML and JavaScript engine. To date Google has paid out hundreds of thousands of dollars in rewards, and some people like Sergey Glazunov have become semi-famous for their consistent work in finding security holes.

Netsparker Version 1.9.0.5 Released

Mavituna Security Ltd has released a new version of the Netsparker web application security scanner. According to the Mavituna Security blog, Netsparker version 1.9.0.5 has two new security tests and many new features, as follows:

New Redirect Tests

This release introduces 2 new security tests, which confirm whether redirects in the web application are working as expected. If the application sends a redirect back but keeps processing the page, this generally indicates a bug. The impact of the bug can vary from “Authentication Bypass” to a simple forgotten line in the code. However, it almost always indicates a bug that needs to be addressed.
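The condition these tests look for, shown as an added example (not Netsparker's code or detection logic): a checker over captured raw HTTP responses that flags a 3xx response whose body still carries page content. The 120-character threshold, the form/input heuristic and the sample responses are assumptions constructed for illustration, and bodies are assumed to be already de-chunked.

```python
import re
from email.parser import BytesParser

REDIRECT_CODES = {301, 302, 303, 307, 308}
STUB_TEXT_LIMIT = 120  # assumption: more visible text than this is not a redirect stub

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return status, headers, body

def visible_text(body: bytes) -> str:
    """Drop script/style blocks and tags, collapse whitespace."""
    html = body.decode("utf-8", errors="replace")
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return " ".join(re.sub(r"(?s)<[^>]+>", " ", html).split())

def check_redirect(raw: bytes):
    """Return a finding if a redirect response also carries page content, else None."""
    status, headers, body = parse_response(raw)
    if status not in REDIRECT_CODES or headers.get("Location") is None:
        return None
    text = visible_text(body)
    has_form = re.search(rb"(?i)<(form|input)\b", body) is not None
    if len(text) > STUB_TEXT_LIMIT or has_form:
        return {"status": status, "location": headers["Location"],
                "text_chars": len(text), "has_form": has_form}
    return None

# Constructed sample responses (not taken from any real application).
STUB_302 = (b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n"
            b'<html><body>Object moved to <a href="/login">here</a>.</body></html>')
LEAKY_302 = (b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><h1>Admin console</h1>"
             b'<form action="/admin/users" method="post"><input name="user">'
             b'<input type="submit"></form></body></html>')
PAGE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b'<form action="/search"><input name="q"></form>')

if __name__ == "__main__":
    for name, raw in [("stub", STUB_302), ("leaky", LEAKY_302), ("page", PAGE_200)]:
        print(name, check_redirect(raw))
```

A finding here usually means the handler set the redirect but did not stop executing; the fix is to return immediately after issuing the redirect so the protected page is never rendered.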

New Features

  • Microsoft Live ID, SSO Authentication Support
  • Vulnerability Summary added to reports
  • Summary Report added to Sitemap. When you click the name of the website that you are scanning in the sitemap, Netsparker now shows a summary report of the current scan.

Improvements on Security Tests

  • Blind SQL Injection coverage improved
  • Protocol-agnostic Open Redirection checks added
  • LFI security test coverage improved
  • Version information automatically added to all Error Based SQL Injection issues now
  • New XSS checks added to bypass blacklists

Other Improvements and Bug Fixes

  • A Form Parsing bug fixed in Text Parser
  • An error log in Blind Command Injection Engine fixed
  • Some URI Based XSS issues were reported multiple times
  • Minor bugs fixed in the Detailed and XML Reports
  • Typo fixed in CSV Report
  • Set-Cookie headers weren’t working properly in Redirects
  • Netsparker now supports multiple set-cookies with same cookie name
  • Anti-CSRF token support improved for Form Authentication
  • A bug fixed in profile save with NTLM authentication
  • Naming in certain vulnerabilities changed. New naming uses “Confirmed”, “[Probable]” and “[Possible]”.
  • Several bugs about JavaScript parsing and Form Authentication addressed

Visit the Mavituna Security website for more information and educational videos.

Source & Picture: mavitunasecurity.com

Live Hacking Penetration Testing DVD V1.3 Released

A new version of Live Hacking’s free Linux distribution designed for penetration testing and ethical hacking has been released. V1.3 has updated over 140 packages including Metasploit and Firefox.

New in this release is Metasploit Framework 3.6 which can be used to test your network using the framework’s internal database of known weaknesses and exploits. New to V3.6 are post-exploitation modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges. V3.6 also adds 15 new exploits making a total of 648 exploit modules, 342 auxiliary modules and 23 post modules.

The Live Hacking Linux distribution is a ‘Live DVD’ which boots directly from your DVD and doesn’t need to be installed on your computer. As well as the standard Linux networking tools the Live Hacking DVD has tools for DNS enumeration and reconnaissance as well as utilities for foot-printing, password cracking and network sniffing. It also has programs for spoofing and a set of wireless networking utilities.

Now that the pool of free IPv4 addresses has been depleted, the Live Hacking DVD includes the THC-IPV6 tool, a set of tools to attack the inherent protocol weaknesses of IPv6 and ICMP6.

Use this link to download the Live Hacking DVD V1.3.