Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours’ worth of Pluralsight content
XSS
XSSposed – List of sites found to be vulnerable to XSS (including attack vector)
Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL
Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse
SecurityHeaders.io – Everything security header related and a great place to assess your current state
Report URI – Analyse your CSP and HPKP headers plus log your exception reports there
Make any website do the Harlem Shake – If you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site
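What the Harlem Shake check above is really probing is whether the site’s Content-Security-Policy (if it has one at all) lets a script from an attacker-controlled origin execute. The following is an added example, not code from the original post or from any of the tools linked here: a small CSP evaluator that answers that question for a given policy, page origin and script URL. The three policies and the attacker URL are constructed for the demo, and the matching is deliberately simplified (no ports, paths, nonces, hashes or 'strict-dynamic'), so treat it as an illustration of the directive fallback and source-expression rules rather than a browser-accurate implementation.

```python
"""Would an injected <script src="https://attacker.example/harlem-shake.js"> run?

Added example; not the post's own code and not any linked tool's code.
Policies, origins and URLs below are constructed for the demo.
"""
from urllib.parse import urlsplit

# Constructed sample policies (assumptions for the demo, not real sites' headers).
NO_CSP = ""                                   # header absent: anything loads
LAX_CSP = "default-src * 'unsafe-inline'; img-src *"     # looks like a CSP, stops nothing
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example; "
              "object-src 'none'; base-uri 'self'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])   # first occurrence wins, as browsers do
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Host-source matching, including the '*.example' wildcard form."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # '.example.com' suffix
    return pattern == host


def _source_allows(src: str, page_origin: str, target: str) -> bool:
    """Does one source expression permit loading `target` on a page at `page_origin`?"""
    src_l = src.lower()
    t = urlsplit(target)
    if src_l == "'none'":
        return False
    if src_l == "*":
        return t.scheme in ("http", "https")  # '*' still excludes data:/blob: and friends
    if src_l == "'self'":
        p = urlsplit(page_origin)
        return (t.scheme, t.netloc) == (p.scheme, p.netloc)
    if src_l.startswith("'"):                 # 'unsafe-inline', 'nonce-..', 'sha256-..' never match a URL
        return False
    if src_l.endswith(":"):                   # scheme-source such as https:
        return t.scheme == src_l[:-1]
    if "://" in src_l:                        # host-source with explicit scheme
        scheme, _, hostport = src_l.partition("://")
        if t.scheme != scheme:
            return False
    else:
        hostport = src_l
    host = hostport.split("/")[0].split(":")[0]
    return _host_matches(host, t.hostname or "")


def script_allowed(header: str, page_origin: str, script_url: str) -> bool:
    """True if a <script src=script_url> on page_origin would execute under this policy."""
    if not header.strip():
        return True                           # no CSP at all: the Harlem Shake just works
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                           # neither directive present: scripts unrestricted
    return any(_source_allows(s, page_origin, script_url) for s in sources)


if __name__ == "__main__":
    attacker = "https://attacker.example/harlem-shake.js"
    for name, csp in (("no CSP", NO_CSP), ("lax CSP", LAX_CSP), ("strict CSP", STRICT_CSP)):
        print(f"{name:10s}: attacker script allowed = {script_allowed(csp, 'https://bank.example', attacker)}")
```

Note that the lax policy fails for the same reason a missing header does: `default-src *` whitelists every http(s) origin, so reflecting a `<script src>` from the URL still works. The strict policy pins scripts to the page’s own origin plus one named CDN, which is the kind of policy the Fiddler extension above builds for you as you browse.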
Diceware – A popular method of creating strong pass phrases suitable for use as a password
Password managers
1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers
KeePass – A popular free alternative to commercial password managers
Account management
Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site
Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system)
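The two reset flows above differ in one detail: whether the response changes depending on the address being registered. As an added example (not code from either site, and not the post’s own), here is a leaky reset handler beside a uniform one, with a constructed user store and mail stub so the difference an enumerating attacker would measure is visible in the return values.

```python
"""Password-reset responses that do and do not leak account existence.

Added example; the user store, mailer stub and HTTP-style return values
are all constructed for the demo.
"""
import secrets
from typing import Tuple

# Constructed user store: only this one address is registered.
USERS = {"alice@example.com": {"id": 1}}
OUTBOX = []   # what the stub mailer "sends", so we can see which path was taken


def send_reset_email(address: str, token: str) -> None:
    OUTBOX.append((address, token))


def reset_leaky(address: str) -> Tuple[int, str]:
    """Vulnerable: status and wording differ by account existence, so anyone
    can feed an email list through the form and learn who is a member."""
    user = USERS.get(address.lower())
    if user is None:
        return 404, "No account exists for that email address."
    send_reset_email(address, secrets.token_urlsafe(32))
    return 200, "A password reset link has been sent to your email address."


def reset_uniform(address: str) -> Tuple[int, str]:
    """Hardened: identical response either way. The mail only goes out when the
    account exists, so the answer is delivered to the inbox, which only the
    address owner can read. The token is generated on both paths so the two
    branches do roughly the same work (timing is the next thing to check)."""
    user = USERS.get(address.lower())
    token = secrets.token_urlsafe(32)
    if user is not None:
        send_reset_email(address, token)
    return 200, "If that email address is registered, a password reset link has been sent."


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """The attacker's view: do the replies for a registered and an unregistered address differ?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        print(h.__name__, "leaks existence:",
              responses_distinguishable(h, "alice@example.com", "nobody@example.com"))
```

The uniform message is only half of it in practice: rate-limit the endpoint and keep the response time flat, because a noticeably slower “registered” path (the email send) is still an oracle.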
F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging
mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts are a “must have” today IMHO
Googledorks
Google Hacking Database – Great collection of Googledorks categorised by various classes of exposed data
Mailinator – create temporary email addresses for testing
Shodan – Find devices connected to the web (cameras, SCADA systems, etc.)
Retire.js – “What you require you must also retire”: Helps identify JavaScript libraries with known vulnerabilities
urlQuery.net – Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
Phish5 – I’m yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report
Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!)
Websense Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape
SSL / TLS / HTTPS
Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
Firesheep – A watershed moment for SSL by demonstrating the ease with which…
2015-09-29