Collaborate Disseminate
I recently saw a very interesting post from a person describing all the steps he would take before running a scan (https://groups.google.com/g/zaproxy-users/c/SMd9OmcVWbE). It caught my attention because I do exactly the same thing he does… Continue reading Doesn’t seem to change _csrf token
Say you have the following files/folder in your webserver:
public_html/index.html
public_html/test/index.html
public_html/test/foo-randomString.jpg
For an average user, foo-randomString.jpg can’t be seen unless they know the exact filena… Continue reading Can a web crawler still see files in a directory even with an index file? [closed]
I have a VM which is exposed to the internet. I can see a lot of scans for /azenv.php, /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and like in my server logs.
How do I protect from these scans?
Am I being targeted for a hack?
Is t… Continue reading Securing against scans
I ask this question because there is a common compliance argument that performing an “OWASP Top 10” scan provides enough coverage to consider it an “in-depth” scan. Is this the case, or are organizations implementing a minimal level of sca… Continue reading Does OWASP’s top 10 list cover the majority of potential web application vulnerabilities?
First Situation: I proxy through some requests to zap and want to perform an active scan on them. Zap active scan is working on one property at a time, and this particular request requires some of the properties to be unique per request.
… Continue reading What is the best way for OWASP Zap to handle Unique Fields and API Sequences?
Just today I’m migrating some of my webpages to a new server. After a couple hours the services was ready, I set up a hosts file with my domain example.com pointing to the server address, went to my browser and navigated to the domain and … Continue reading Got requests to unpublished services. Am I being spied on?
My brother received the following website link from his friend telling him to open it:
http://toddphelps.com//dHtKFTqXovg2ump/fcbg/?cat=3&i=1778287
Unfortunately he opened it before telling me on his Phone. I have analyzed that susp… Continue reading What does this website do? [closed]
I found an option
-nocache : Disable response cache
in here
https://cirt.net/nikto2-docs/options.html
But when I tried it, I always get this error
Unknown option: nocache
I tried evaluating the NVTs with OpenVas and I can definitely say they are great. Now, I’ve seen an option that shows “Enable generic web application scanning”. But I didn’t find an option to enable it.
Any help with this?
… Continue reading How can I enable web application scanning in OpenVas? [on hold]
I’m trying to run some automated scans without stopping for long periods of time (each scan can take anywhere from 8 hours to 3 days). I currently don’t have a PC I can leave running for many days without shutting down, nor c… Continue reading Where to run long automated scans? [on hold]