Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
When performing a recon on a domain - understanding assets they own is very important. AWS S3 bucket permissions have been confused time and time again, and have allowed for the exposure of sensitive material.
What this tool does, is enumerate S3 bucket names using common patterns I have identified during my time bug hunting and pentesting. Permutations are supported on a root domain name using a custom wordlist. I highly recommend the one packaged within AltDNS.
The following information about every bucket found to exist will be returned:
Usage of ./goGetBucket: -d string Supplied domain name (used with mutation flag) -f string Path to a testfile (default "/tmp/test.file") -i string Path to input wordlist to enumerate -k string Keyword list (used with mutation flag) -m string Path to mutation wordlist (requires domain flag) -o string Path to output file to store log -t int Number of concurrent threads (default 100)
Throughout my use of the tool, I have produced the best results when I feed in a list (-i) of subdomains for a root domain I am interested in. E.G:
www.domain.com mail.domain.com dev.domain.com
The test file (-f) is a file that the script will attempt to store in the bucket to test write permissions. So maybe store your contact information and a warning message if this is performed during a bounty? The keyword list (-k) is concatenated with the root domain name (-d) and the domain without the TLD to permutate using the supplied permuation wordlist (-m). Be sure not to increase the threads too high (-t) - as the AWS has API rate limiting that will kick in and start giving an undesired return code.
When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.
35 year old bugs features
The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:
Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
Launch denial of Service attacks of various kinds:
Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.
Conclusion: Christian Slater is right
PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…
Over the past number of months the Board of Directors has been working on the feedback received from the community. This feedback aligned with our key strategic goals for the year. One of our key goals was to further strengthen the "P" in OWASP. To this end we have been working with the Open Security Summit to put more of a focus on improving project development and growth and hope to enable projects through events such as this.
Another goal is to strengthen our student outreach. One idea I had was to work with colleges all over the world to support our projects development as part of their internships. I wonder if there would be anyone in the community to assist in this effort by creating a Committee under the revised Committee 2.0 model - https://www.owasp.org/index.php/Governance/OWASP_Committees. To simplify things I have added a quick start guide at the beginning of the document.
Diversity is something that we hold dear to our hearts. There are a number of people in our community that have driven this initiative to enable OWASP to be a more diverse community, without naming any names, we would like to thank them and encourage more of those in and outside of the OWASP community to get involved and help OWASP grow.
Last but not least, planning for our global conferences is well under way with OWASP Global AppSec Tel Aviv coming up at the end of May – one small ask is that everyone share information on this conference in your communities,https://telaviv.appsecglobal.org.
Thanks for all your hard work.
Owen Pendlebury OWASP Vice Chairman
OWASP FOUNDATION UPDATE FROM INTERIM EXECUTIVE DIRECTOR:
For these first few months I have been focused on business operations retooling. As you know, Mailman was recently retired. There is now an online static archive of historical messages. Our goal before Q3 is to have most of our tools on managed, trusted hosted services.
We have increased our use of JIRA to manage inbound requests and last month the team closed 98.6% of service tickets within their prescribed SLA. In January it was 20.4%. This is a very big accomplishment and demonstrates our progress on this work effort. There have also been a number of back office changes that most members won't notice, but we're focused on stronger business continuity for the long term.
In addition to all our upcoming events, the staff along with some members of the community are actively prototyping how we will completely update the website this summer. This effort will not be simply cosmetic, it will be a foundational change in how we manage and publish content that we believe will better connect with our community - and more importantly help us grow. Expect more updates on this in the coming months.
The Project Showcase at Global AppSec Tel Aviv has received a great deal of interest. Anyone attending will be in for a steady stream of information on OWASP Projects. The following projects are proposed for the showcase (the actual schedule has not been developed so the order is not indicative of time slots):
Project
Presenter(s)
Glue Tool
Omer Levi Hevroni
Internet of Things
Aaron Guzman
Embedded AppSec
Aaron Guzman
Software Assurance Maturity Model (SAMM)
John DiLeo
API Security
Erez Yalon, Inon Shkedy
Mod Security Core Rule Set
Christian Folini, Tin Zaw
Automated Threats
Tin Zaw
Application Security Curriculum Project
John DiLeo
Defect Dojo
Aaron Weaver
Web Honeypot Project
Adrian Winckles
Damned Vulnerable Serverless Application
Tal Melamed
The scheduled for project reviews at Global AppSec Tel Aviv are the following:
If you are attending Global AppSec Tel Aviv 2019 and can participate in the project reviews (to be held on Monday and Tuesday prior to the conference, schedule pending), then please send an email to project-reviews@owasp.org
COMMUNITY
New OWASP Chapters Amaravathi, India Belo Horizonte, Brazil Bhopal, India Cusco, Peru Dindigul, India Kharkiv, Ukraine Meerut, India Rio de Janeiro, Brazil San Jacinto College, Texas San Pedro Sula, Honduras Seoul, Korea West Delhi, Delhi
MEMBERSHIP
We welcome the following Contributor Corporate Members
