webserver – Page 14 – WindowsTechs.com

Private keys with or without password for webservices?

Posted on February 4, 2021 by JoeSlav

What is the industry standard on this matter? How do you handle the keys for your websites, apis, micro-services, etc.
If I create private keys without password they will be 100% compromised if one has access to them.
On the other hand if … Continue reading Private keys with or without password for webservices?→

why the website cant understand my request in http smuggling?

Posted on February 4, 2021 by eyal

hi I started to find bug bounty vulnerabilities and i think i found a te.cl vulnerability in a website.
i send
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: subdomain.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple… Continue reading why the website cant understand my request in http smuggling?→

What are these long hexadecimal HTTP requests?

Posted on January 23, 2021 by Nick

I’m receiving long hexadecimal requests on my webserver, such as: /f588069cda088c9a0fc25509fc4ed8418fe47a447683243395e649753d2d4b87cce9c4b3cc16cb5f44068e6da475dbffa9689b9ad237b5c941bb9ad2aa6759f7e4e39ba3012202cdce328f7eccc7efa48642eec1870e… Continue reading What are these long hexadecimal HTTP requests?→

watch out for directory traversal/path traversal security problem [closed]

Posted on January 23, 2021 by JustANewCoder

After some research on the internet and read some articles/posts about directory traversal/path traversal security problem, I still don’t quite get when I need to watch out for this kind of security problem, should I always need to watch o… Continue reading watch out for directory traversal/path traversal security problem [closed]→

Web path scanner evaluation criteria [closed]

Posted on January 12, 2021 by frenkie

I recently find out that when selecting a web path scanner, the following features should be considered, in order of importance.
Functionality
If you can’t get it to run on your system, it’s no good to you.
Dictionaries
The larger the dict… Continue reading Web path scanner evaluation criteria [closed]→

Which is the fastest web path scanner? [closed]

Posted on January 11, 2021 by frenkie

There are many tools designed to brute force directories and files in webservers, for example:

https://tools.kali.org/web-applications/dirbuster
https://github.com/maurosoria/dirsearch
https://github.com/pyno/dirfy
https://github.com/OJ/g… Continue reading Which is the fastest web path scanner? [closed]→

TLS integration of webapplications

Posted on January 11, 2021 by anion

Let’s say I am a developer/maintainer of an open-source-webapplication distributed via docker.
Any server-admin can install (using docker) and host this webapplication on his server with his own domain.
So the webserver itself is "inc… Continue reading TLS integration of webapplications→

HTTP cookie behaviour in server response [closed]

Posted on January 10, 2021 by Basem

When a client initiate a HTTP request for a server using cookies, the server replies with a cookie in the set-cookie header. I would like to know is the set cookie header sent in every reply from the server or the first reply only. For exa… Continue reading HTTP cookie behaviour in server response [closed]→

Is an out-of-band request via DNS by abusing the X-Forwarded-For header exploitable

Posted on December 29, 2020 by Lieven Keersmaekers

By changing the X-Forwarded-For header in a request, I am able to have it sent an OOB interaction with Burp Collaborator requesting a DNS lookup of type A.
Is there any risk to this vulnerability or should this just be reported as an info… Continue reading Is an out-of-band request via DNS by abusing the X-Forwarded-For header exploitable→

Trigger a reverse shell on victims from a website

Posted on December 27, 2020 by Pretty_Confused

Is it possible to execute a reverse shell script (in the background) on victims’ computers when they visit my webpage without any suspicious alerts?

Continue reading Trigger a reverse shell on victims from a website→