HTTPリクエスト・スマグリング検出ツールの仕組みを理解する - Shikata Ga Nai
Hello there, ('ω')ノ HTTPリクエスト・スマグリング(HRS)は、フロントエンドとバックエンドの リクエスト解釈の食い違い を突いて「隠れたリクエスト」を密輸する攻撃です。2005年に最初に報告され、2019年には James Kettle(@albinowax)が DEF CON / Black Hat で再び注目させました。 ここでは、攻撃者がどのように脆弱性を検出するか、そして紹介されている Python ツールがどのように動作するのかを、初心者にもわかりやすく解説します。 なぜ時間遅延で検出できるのか? 攻撃者は「フロントとバックでリクエストの終わりをどう解釈するか」を揺さぶります。その結果、サーバーが次のリクエストを待ち続けて応答が遅れることがあります。これが検出のサインです。 代表的な2つの手法 1. CL.TE(Content-Length と Trans
GitHub - lanjelot/patator: Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors
GitHub - s0md3v/Arjun: HTTP parameter discovery suite.
Arjun can find query parameters for URL endpoints. If you don't get what that means, it's okay, read along. Web applications use parameters (or queries) to accept user input, take the following example into consideration http://api.example.com/v1/userinfo?id=751634589 This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
SVN Extractor for Web Pentesters | Blog of Anant Shrivastava
GitHub - zakirkun/deep-eye: An advanced AI-driven vulnerability scanner and penetration testing tool that integrates multiple AI providers (OpenAI, Grok, OLLAMA, Claude) with comprehensive security testing modules for automated bug hunting, intelligent pa
GitHub - dionmulaj/Boryoku: Bōryoku is an advanced reconnaissance, enumeration, misconfiguration, and deception discovery framework tailored for red teamers, penetration testers, and security engineers. It scans, fingerprints, and analyzes services for ex
GitHub - 0xXyc/hacking-methodologyNotes: Notes, research, and methodologies for becoming a better hacker. Knowledge should be free.
GitHub - thenurhabib/openredscan: Multifunctional open redirection vulnerability scanner.
GitHub - MayankPandey01/Jira-Lens: Fast and customizable vulnerability scanner For JIRA written in Python
GitHub - knownsec/pocsuite3: pocsuite3 is an open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team.
GitHub - NullArray/DorkNet: Selenium powered Python script to automate searching for vulnerable web apps.
GitHub - dylanmeca/labsecurity: Labsecurity is a tool that bundles ethical hacking python scripts into a single tool with cli interface.
GitHub - codingo/Interlace: Easily turn single threaded command line applications into a fast, multi-threaded application with CIDR and glob support.
GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Installs pentesting tools, then symlinks them to be ran seamlessly.
GitHub - maurosoria/dirsearch: Web path scanner