Welcome to SecurityDocs

A collection of 8,050 IT security white papers, carefully curated by professionals like yourself

Antivirus Evasion : Bypassing AV with Veil

by Shashwat Chaudhary

In real life pentesting scenarios, the antivirus is an added layer of security, which we have conveniently ignored so far. However, in this tutorial we will see how we can encrypt the payload

1 comment www.kalitutorials.net Pen Testing & Audits

The Dark Web And How To Access It

by Shashwat Chaudhary

In short, dark web is part of the web which requires special software to browse, and isn't indexed by search engines. (More technical content is enclosed in <extra> tags ahead, and colored purple. Scroll through it if you just want to browse the dark web right away.)

1 comment www.kalitutorials.net Pen Testing & Audits

Has your password been leaked?

by Shashwat Chaudhary

When you create an account on a website, the website stores your registration details on it's SQL databases. Very few people, even within the company/website have direct access to the databases. In a naive world, the database would contain your plaintext passwords. However, since there are hackers doing SQL injection attacks to dump the database data, it's helpful to keep the password hashed/ encrypted.

1 comment www.kalitutorials.net Pen Testing & Audits

The Beginner’s Guide to iptables, the Linux Firewall

by Korbin Brown

Iptables is an extremely flexible firewall utility built for Linux operating systems. Whether you’re a novice Linux geek or a system administrator, there’s probably some way that iptables can be a great use to you. Read on as we show you how to configure the most versatile Linux firewall.

1 comment www.howtogeek.com Detection & Response

SQLMap with Tor for Anonymity

by Shashwat Chaudhary

In a previous tutorial, I had demonstrated how to use SqlMap to carry out Sql Injection on a website. In this tutorial, I will show you how to use Tor to add a layer of obscurity between you and the target website.

1 comment www.kalitutorials.net Pen Testing & Audits

Use Python To Detect And Bypass Web Application Firewall

by Usman Nasir

Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess.

1 comment www.kalitutorials.net Pen Testing & Audits

Iptables Tutorial 1.2.2

by Oskar Andreasson

This document could either be read as a reference or from start to end. It was originally written as a small introduction to iptables and to some extent netfilter, but this focus has changed over the years. It aims at being an as complete reference as possibly to iptables and netfilter and to at least give a basic and fast primer or repetition to the areas that you might need to understand. It should be noted that this document will not, nor will it be able to, deal with specific bugs inside ...

1 comment www.frozentux.net

Abusing WebVTT and CORS for fun and profit

by Keith Makan

WebVTT is a way html5 developers can display and cue text as subtitles for video formats. The grammar for WebVTT is pretty simple and as we know browsers are always willing to forgive any "weird" looking grammar in an effort to provide best effort experience for users. This post looks at ways to take advantage of WebVTT in some attack contexts in order to extract information or perform general DOM abuse.

1 comment blog.k3170makan.com Detection & Response

Cyber Security for Counties

The most recent Norton Cybercrime report found that 1.5 million adults become victims of cybercrime every day – that’s 18 per second and 556 million per year for a total financial loss of $118 billion.1 Businesses last year reported a 42 percent increase in cyber-attacks.2 Government offices are also under attack, and it’s widely perceived that cyber-threats against them have become more common, more sophisticated, and more dangerous.

1 comment www.cisecurity.org

Stealing Secrets with CSS : Cross Origin CSS Attacks

by Keith Makan

CSS Cross Origin attacks work by constructing CSS style-sheets from vulnerable pages and extracting sensitive information from these pages in the form of CSS property attributes. Vulnerable pages include anything page that allows an attacker to inject arbitrary printable unhindered alphanumeric text including braces, brackets and parenthesis; basically any subset of the ASCII table that allows you to construct valid CSS. Attacks with an even more restricted character set may be possible depen...

0 comments blog.k3170makan.com Detection & Response

Context based Entropy : How to use keyed-steganography

by Keith Makan

I have spoken to a couple of people about this idea, those who know a little bit about steg often tell me this idea is pretty cool so I'll make it a little more public, see who catches it and starts doing interesting things before i do. Not saying I came up with this first, totally happy to pass the torch if I am to do so. But I do believe this idea could revolutionize security, cryptography and introduce a level of steganography to communication channels that is as hard to break as a secret ...

1 comment blog.k3170makan.com Encryption & Authentication

Google Hacking for Penetration Testers

by Johnny Long

This 170 page document covers all advanced Google OSINT gathering techniques commonly used by penetration testers.

1 comment Pen Testing & Audits

Hack Any Android Phone : msfvenon - Metasploit payload generator

by Ayush Patidar

msfvenom is a kali linux hacking tool for android ,is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance known as msfvenom payload. Hacking With METASPLOIT

1 comment www.kalitutorials.net Pen Testing & Audits

The Vaudenay Attack : A practical example

by Keith Makan

A padding oracle is a "device" (or for historically correct purposes a stoned virgin trapped in an enclosure) that reports on the correctness of the padding of a piece of cipher-text. We're going to abuse this mechanism in order to decrypt some cipher-text encrypted under a block cipher in CBC mode.

1 comment blog.k3170makan.com

Padding Oracle Attacks : The other padding that killed your secret key

by Keith Makan

Hi folks! In this post I'd like to talk about something that's pretty old but still crops up every now and then (example). I know for most folks this is nothing new but I'd still like to have a post about this attack in my archive and also deliver a good explanation of the attack in a way that makes it easier for more people to understand (I know for new comers this attack can be a bit of a mind bending exercise :P). Also if you want to be a total infosec / crypto hipster you can refuse to ca...

1 comment blog.k3170makan.com

Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins

Linux comes with a host based firewall called Netfilter. The netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack. This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6.

1 comment www.cyberciti.biz

Iptables Essentials: Common Firewall Rules and Commands

by Mitchell Anicas

Iptables is the software firewall that is included with most Linux distributions by default. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules are useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address.

1 comment www.digitalocean.com

How to measure cybersecurity effectiveness

by Thor Olavsrud

Are you measuring the value and effectiveness of your cybersecurity efforts? Most companies around the world are failing to do so, according to a recent security measurement index benchmark survey. Without establishing the proper metrics, you're flying blind.

2 comments www.cio.com

Configure your web application pentesting lab

by Shashwat Chaudhary

In the previous tutorial, we set up our web application pentesting lab. However, it's far from ready, and we need to make some changes to get it working as per our needs. Here's the link to the previous post if you didn't follow that-

1 comment www.kalitutorials.net Pen Testing & Audits

How to build a cybersecurity team

by Blair Shiver

Cybersecurity professionals are bracing for continued attacks this year, effectively boosting their budgets by an average of 21%. These cybersecurity professionals are focused specifically on cloud infrastructure, training and educating end users, and securing mobile devices. While concerns around cybersecurity are high, more than half of midmarket companies operate with limited to no strategy at all.

1 comment www.cio.com


We'll send you a carefully curated list of the best IT security white papers to your mailbox every Friday.