Nexus: Security Assessments

Dradis v2.9 - Information Sharing For Security Assessments

Read

Dradis is an open source framework to enable effective information sharing, specially during security assessments. It’s a tool specifically to help in the process of penetration testing. Penetration testing is about information:

Information discovery
Exploit useful information
Report the findings

But penetration testing is also about sharing the information you and your teammates gather. Not sharing the information available in an effective way will result in exploitation opportunities lost and the overlapping of efforts.

Dradis is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead.

Features

Easy report generation.
Support for attachments.
Integration with existing systems and tools through server plugins.
Platform independent.

Traditional pentesting teams face different types of challenges regarding information sharing. Different tools provide output in different formats, different testers capture evidence in different ways, different companies report differently, etc.

If you do not use a tool to share the information, every tester will use their own notes file to keep track of their findings. Each will store this file locally, or on a shared resource, but the information will not arrive immediately to the rest of the team.

If you want to know what are the latest findings of your mate, you will need to look for the notes file. You also can try talking, but talking is not that effective when you need to know a specific cookie value or a sql query for an injection attack.

It seems reasonable that some effort must be put to increase the quality and efficiency of this process.

Download Dradis

[SecLists] Collection of multiple types of lists used during security assessments

By 0x000216

Read

0 Comments

SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.

If you have any ideas for things we should include, please send them to daniel.miessler@owasp.org or jason.haddix@owasp.org. Also note that any lists that have been meticulously assembled by someone else will only be used with permission of the creator.

This project is maintained by Daniel Miessler and Jason Haddix.

Credits:

- Ron Bowes of SkullSecurity for collaborating and including all his lists here

- Clarkson University for their research that led to the Clarkson list

- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us

- Ferruh Mavitina for the begginings of the LFI Fuzz list

- Adam Muntner and for the FuzzDB content, including all authors from the FuzzDB project

- Kevin Johnson for laudnaum shells

- RSnake for fierce hostname list

Download SecLists

Security Assessment Framework - Great Resources from Pennsylvania Cyber Security Site

By 0x000216

Read

0 Comments

Awesome set of links, resources, frameworks, and a VERY NICE comprehensive CISO Toolkit (in zip format at the bottom of the page). Do yourself a favor if your doing Security Assessments and gather the resources from this site NOW.

PS - Make SURE you download the CISO Toolkit at the bottom of the page. It's a zip file and has tons of spreadsheets, documents, even a database to help in your audits.

http://cybersecurity.state.pa.us/portal/server.pt/community/security_awareness/494/security_assessment_framework/203339

Nexus

Dradis v2.9 - Information Sharing For Security Assessments

[SecLists] Collection of multiple types of lists used during security assessments

Security Assessment Framework - Great Resources from Pennsylvania Cyber Security Site

Recent Posts

Facebook