Security Newsletter

10-01-2001

Registered User

909, 4

Join Date: Oct 2000

Last Activity: 7 May 2009, 12:22 PM EDT

Location: Sacramento, CA

Posts: 909

Thanks Given: 0

Thanked 4 Times in 4 Posts

Security Newsletter

Bruce Schneier has released a special edition of his monthly Crypto-Gram security newsletter. This issue discusses security & technology topics relating to the September 11th attack. It is not strictly Unix related, but I think it is well worth the read as it contains a lot of well-though out, interesting information.
Recommended reading for anyone interested in techology. (it is long: approx 18 pages)

http://www.counterpane.com/crypto-gram-0109a.html

Those of you in the US, if nothing else read the last section entitled "How to Help". A quote from the article:

"We have less than 100 hours before Congress acts on legislation that will (a) significantly expand the use of Carnivore, (b) make computer hacking a form of terrorism, (c) expand electronic surveillance in routine criminal investigations, and (d) reduce government accountability."

Check it out, and post your comments here.

PxT

View Public Profile for PxT

Find all posts by PxT

WAPITI(1) User Commands WAPITI(1) NAME
wapiti - a web application vulnerability scanner. SYNOPSIS
wapiti http://server.com/base/url/ [options] DESCRIPTION
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. OPTIONS
-s, --start <url> specify an url to start with. -x, --exclude <url> exclude an url from the scan (for example logout scripts) you can also use a wildcard (*): Example : -x "http://server/base/?page=*&module=test" or -x "http://server/base/admin/*" to exclude a directory -p, --proxy <url_proxy> specify a proxy (-p http://proxy:port/) -c, --cookie <cookie_file> use a cookie -t, --timeout <timeout> set the timeout (in seconds) -a, --auth <login%password> set credentials (for HTTP authentication) doesn't work with Python 2.4 -r, --remove <parameter_name> removes a parameter from URLs -m, --module <module> use a predefined set of scan/attack options: GET_ALL: only use GET request (no POST) GET_XSS: only XSS attacks with HTTP GET method POST_XSS: only XSS attacks with HTTP POST method -u, --underline use color to highlight vulnerable parameters in output -v, --verbose <level> set the verbosity level: 0: quiet (default), 1: print each url, 2: print every attack -h, --help print help page EFFICIENCY
Wapiti is developed in Python and use a library called lswww. This web spider library does the most of the work. Unfortunately, the html parsers module within python only works with well formed html pages so lswww fails to extract information from bad-coded webpages. Tidy can clean these webpages on the fly for us so lswww will give pretty good results. In order to make Wapiti far more efficient, you should: apt-get install python-utidylib python-ctypes AUTHOR
Copyright (C) 2006-2007 Nicolas Surribas <nicolas.surribas@gmail.com> Manpage created by Thomas Blasing <thomasbl@pool.math.tu-berlin.de> http://wapiti.sourceforge.net/ July 2007 WAPITI(1)

Cybersecurity

Security Newsletter

1 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Newsletter email block.

Discussion started by: galford

LEARN ABOUT DEBIAN

wapiti