
Nytro

Administrators
  • Posts: 18774
  • Days Won: 731

Everything posted by Nytro

  1. Installers
     Installs Go and a text editor. Windows, OSX (32 bit, 64 bit)

     The Book
     An Introduction to Programming in Go. Copyright © 2012 by Caleb Doxsey. ISBN: 978-1478355823
     This book is available for purchase at Amazon.com in Kindle or Paperback. It is available for free online below or in PDF form. Questions, comments, corrections or concerns can be sent to Caleb Doxsey.

     Table of Contents
     • Getting Started: Files and Folders, The Terminal, Text Editors, Go Tools
     • Your First Program: How to Read a Go Program
     • Types: Numbers, Strings, Booleans
     • Variables: How to Name a Variable, Scope, Constants, Defining Multiple Variables, An Example Program
     • Control Structures: For, If, Switch
     • Arrays, Slices and Maps: Arrays, Slices, Maps
     • Functions: Your Second Function, Returning Multiple Values, Variadic Functions, Closure, Recursion, Defer, Panic & Recover
     • Pointers: The * and & operators, new
     • Structs and Interfaces: Structs, Methods, Interfaces
     • Concurrency: Goroutines, Channels
     • Packages: Creating Packages, Documentation
     • Testing
     • The Core Packages: Strings, Input / Output, Files & Folders, Errors, Containers & Sort, Hashes & Cryptography, Servers, Parsing Command Line Arguments, Synchronization Primitives
     • Next Steps: Study the Masters, Make Something, Team Up

     Additional Resources
     Video tutorial on how to build tries in Go

     © 2014 Caleb Doxsey. Cover Art: © 2012 Abigail Doxsey Anderson. All Rights Reserved.

     Source: http://www.golang-book.com/
  2. XPATH Assisted XXE Attacks
     DannyChrastil | March 17, 2015

     I was in a coffee bar with some good friends of mine the other day and one of them asked me “Danny, if in one hand you have XPath Injection, and in the other XXE Processing… which would you choose?” With a wry smile I responded to him, “Put your hands together!” (miss the reference?)

     When testing applications which are employing XML, whether it be a web service for a mobile application or an ajax-mashup website, two of the main vulnerabilities you will see and hear about are XPath injection and XXE (XML External Entity) processing. While each of these on their own are interesting vulnerabilities, there is a unique situation that allows you to chain the two together in order to read data off a target system.

     XPath Injection

     XML documents act as a data store or database for applications. You can store large amounts of data in a hierarchical structure which can then be queried by the application the same way you would query a database. This querying protocol for XML is called XPath. Just like SQL queries can be vulnerable to injection attacks, so can XPath queries. If user-supplied data is not sanitized before being applied to the XPath query, an attacker could perform an injection attack much like the following:

     Query:
         $xquery = "//Customer[username/text()='" . $_POST['username'] . "' AND password/text()='" . $_POST['passwd'] . "']";

     Attack Request:
         username=danny' or 1=1 or '1'='1&password=testing

     Resulting XPath Query:
         //Customer[(username/text()='danny' or 1=1) or ('1'='1' AND password/text()='testing')]

     This injection would match and return results for all of the customers in the XML document instead of data only belonging to 'danny'. While this attack can be very powerful, it also has its limitations. Unlike SQL, XPath has very limited interactions with the OS and system files of the web server. There is a function in XPath called “doc()” that can read both local and remote files as long as they are XML documents. This is great if you can find an XML file on the server which contains sensitive information, but in most cases this won’t be helpful in trying to access /etc/passwd, etc.

     XXE Processing

     XXE stands for XML External Entity Processing. The XML data structure allows for elements called entities which are used as data variables to be used within the XML body. An XXE attack is when the user can control the XML structure that is sent along with the request to the server. If an attacker can create their own entity then they can perform attacks such as sensitive file disclosure, denial of service, port scanning and more.

     Attacker controlled XML:
         <?xml version="1.0" encoding="ISO-8859-1"?>
         <!DOCTYPE foobar [
           <!ELEMENT foo ANY >
           <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
         <foobar>&xxe;</foobar>

     This attack would load the file “/etc/passwd” from the server and return the data within the <foobar> element to the user. The attacker could get creative and load other files such as CMS config files for database credentials.

     XPath assisted XXE

     XPath Injection and XXE Processing are not commonly found together within the same application. So what if you find XPath Injection within a search form on a site which doesn’t contain sensitive information or authentication? Apart from changing the results which are displayed in the search response, there isn’t much to do. If only we had XXE to help us read files off the file system. Remember that XPath “doc()” function that can only load XML documents? Because “doc()” can also load external XML documents, an attacker could force the application to load an evil XML document hosted on their own server. How does this help us read sensitive files on the target server? If the attacker creates the evil XML document to contain XXE processing that loads /etc/passwd, then when this XML is loaded on the target server it will load the file corresponding to its own file system, not the attacker's.

     How to Protect Yourself

     Because this attack is chaining two vulnerabilities together, it is important that both are addressed in order to mitigate the risk. XPath Injection is similar to other injection vulnerabilities in that the best approach to remediation is by implementing thorough white list validation and input sanitization on any user supplied data; in this case, anything going into the XPath query. Theoretically, if the user supplied input is being validated before building the XPath query, then the attacker would not be able to inject the “doc()” function to load the malicious XML file; however, it would be best practice to disable the “doc()” function completely if it is not required by the application. If that is not a viable option, then the next step would be to disallow any remote calls by the “doc()” function, only allowing local XML files to be loaded.

     Here at HP Fortify on Demand, we are working to detect this issue for all of our customers' sites and provide them detailed remediation steps. Reach out to us with any questions.

     Source: http://h30499.www3.hp.com/t5/Fortify-Application-Security/XPATH-Assisted-XXE-Attacks/ba-p/6721576
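An added example, not part of the original post or the article it quotes: one way to apply the allowlist validation described under "How to Protect Yourself" before the login query is built, with every user value confined to an XPath string literal. The username pattern, the function names and the sample values are assumptions made for the illustration.

```python
import re

# Assumed policy (not from the article): usernames are 3-32 characters
# drawn from letters, digits, dot, underscore and hyphen.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")
# Constructed sample: the injected username from the attack request above.
ATTACK = "danny' or 1=1 or '1'='1"

def validate_username(value):
    """Allowlist check: return the value unchanged or raise ValueError."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by allowlist")
    return value

def is_rejected(username):
    """True when the allowlist refuses the value."""
    try:
        validate_username(username)
    except ValueError:
        return True
    return False

def xpath_literal(value):
    """Quote a string as an XPath 1.0 string literal."""
    # XPath 1.0 has no escape character, so a value holding both quote
    # types is split on ' and rebuilt with concat().
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')  # a lone single quote, double-quoted
        if part:
            pieces.append("'" + part + "'")
    return "concat(" + ", ".join(pieces) + ")"

def build_customer_query(username, password):
    """Build the login query with user data confined to string literals."""
    user = xpath_literal(validate_username(username))
    # Passwords cannot be limited to a narrow alphabet, so the password
    # is only quoted as a literal, not matched against the pattern.
    return ("//Customer[username/text()=" + user
            + " and password/text()=" + xpath_literal(password) + "]")

if __name__ == "__main__":
    print(build_customer_query("danny", "testing"))
    print(is_rejected(ATTACK), xpath_literal(ATTACK))
```

Because the allowlist excludes quotes, spaces and parentheses, a username carrying a "doc()" call is refused before any query string exists.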
  3. Did you get married, man?
  4. Make it public. Google Project Zero's 90-day policy is a bit long. dekeeu's Disclosure Policy: 30 days.
  5. Bring some arguments too if you've made a claim.
  6. The job's daily activities include design, development, maintenance and integration of business applications. C# will be the usual programming language, Visual Studio the development environment and Microsoft SQL Server the data storage engine.

     Responsibilities:
     • Building new systems with ASP.MVC, ASP.NET, SQL Server 2008/2012, EntityFramework and Linq
     • Developing new functionality on our existing software products
     • Leading/mentoring IT staff and sharing knowledge through knowledge-sharing presentations
     • Participating in a small, experienced, energetic development team.

     Requirements:
     • Solid knowledge of C# and .NET Framework, OOP concepts, algorithms and data structures – minimum 4 years of experience
     • Web development experience (ASP.MVC, ASP.NET, JavaScript, AJAX, CSS, JSON, JQUERY) – minimum 4 years of experience
     • Very good knowledge of T-SQL and relational database design – minimum 4 years of experience
     • Graduate of Computer Science/Cybernetics/Information Technology/Electronics College
     • Fluent in English
     • Ability and willingness to work as part of a team of developers
     • Learning oriented person.

     Additional advantage:
     • Active Reports, SQL Reporting Services
     • Java & Install Shield knowledge
     • Active Directory knowledge
     • Knowledge of WCF Web Services, WCF Data Services

     Bestjobs: Application Developer at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs

     Anyone who is interested can send me their CV so that it gets where it needs to go faster.
  7. I thought you needed a bootable Windows DVD/USB for that.
  8. Blah blah... You boot from any Live Linux distribution, and on the Windows partition you replace Utilman.exe in System32 with cmd.exe. You boot into Windows, press the button in the bottom left and you are "NT Authority\System". User add + localgroup administrators, or you change the local admin password, and that's it.
  9. Do something you like, anything. Pick something you're passionate about. Write about something you want to learn more about. You could even write about "The security of international pornographic systems" if you want.
  10. You misspelled "nachos". On: Mobile security, root/jailbreak, Windows Phone...
  11. Junior Information Security Engineer

     Position summary: Member of the Information Security team in Shared Services Platforms Operations, the successful candidate is responsible for ensuring that all services operated by SSPO have appropriate security controls and that all information security risks and events are promptly reported and brought under governance.

     The main responsibilities are:
     - Information Security capabilities improvement and maintenance up to new tools development
     - Technical Information Security assessments, including penetration testing
     - Project management for information security projects
     - Information Security incident management
     - Providing advice and expertise on Information Security matters

     Skills, education and experience:

     Technical skills:
     - In-depth TCP-IP stack knowledge is required
     - Good scripting skills (at least Bash, ideally Python too) and a working knowledge of web development and technologies are required
     - Good (Linux) system administration knowledge, including secure configuration/hardening is required
     - Understanding of cloud computing and virtualization solutions is required
     - Entry-level Information security knowledge is needed, combined with a strong willingness to learn more
     - Experience with implementing and operating open source security solutions (like IDS/IPS, WAF, SIEM, honey pots, vulnerability scanners, etc.) is desirable

     A successful candidate should also be:
     - Fluent in English (mandatory), with French as a plus
     - Passionate about security and eager to learn (continuous learning and certifications will be part of the job)
     - Willing to step out of his/her comfort zone and go the extra mile
     - Good with people (i.e. have communication and persuasion skills)

     Education and experience:
     - A Computer Science / Telecom Bachelor’s degree is required
     - An information security master degree (completed or in progress) is desirable
     - Information security certifications such as CompTIA Security+, OSCP, C|EH, CISSP, SSCP, GPEN, GCIA, GISP, or C)PTE are a big plus
     - Hands-on Information security experience is desirable, but not mandatory

     Via (OWASP): Junior Information Security Engineer at Orange Romania SA, BUCURESTI - BestJobs

     If you're interested you can also give me your CV so that it reaches someone there.
  12. Brilliant. Well, as far as I remember they're not the only ones this kind of thing has happened to.
  13. This reminds me of that bloody Facebook campaign: "Hug a Hungarian". I agree with it. I'd like to hug a Hungarian too. A dead one.
  14. Some make downloaders, others just troll.
  15. Skills Required:
     - Experience with C programming on Linux/Unix environments
     - Experience in embedded software development, preferably for network equipment
     - Experience with cross compilers, debuggers, etc.
     - Good understanding of Ethernet and IP networking
     - Familiarity with SVN (or similar) and GNU tools
     - Knowledge of RTOS application development (VxWorks / NetBSD / Linux)
     - Understanding multi-process system software architectures
     - Experience with one or more of the following: POSIX threads, SNMP, XML
     - Shell Scripting
     - Perl, Python, PHP, HTML

     Anyone who wants details, send me a PM.
  16. You think so? Are you sure it's not because of the salary? I'd heard they're rather stingy.
  17. Upgrade your DLL to Reflective DLL
     February 26, 2015 | Ionut Popescu

     If you want to execute code stealthily on a machine and the antivirus stands in your way, you should think about avoiding the disk because this is the place where the antivirus reigns. In this scenario, you might find it useful to execute a DLL directly inside the address space of a running process without touching the disk. This will bypass the AV in a stealthy and powerful way. To achieve this, all you need to do is upgrade your DLL to Reflective DLL.

     Introduction

     The antivirus can sometimes be a significant problem during a penetration test in the post-exploitation phase. For dealing with this issue, several strategies have been proposed:
     • making use of the command line / PowerShell
     • executing a program (EXE) from memory
     • executing a DLL from memory

     Sometimes the command line interface is severely limited. Also, by executing a program from memory you may still run into problems with the antivirus; you might get away with it by making use of a crypter (a tool that encrypts an executable, decrypting it during execution and executing it from memory) but most of them are detectable. Thus, you may find it useful to use a DLL instead of an EXE to do your job.

     Full article: Upgrade your DLL to Reflective DLL – Security Café
  18. Shit, I can't change it
  19. Tacky antiviruses. How the hell do you make "signatures" based on a Mutex?
  20. Screw their filthy client. It was very good at first, but then they started stuffing in ads, and now... Speaking of which, do you have any suggestions for alternatives? I think I've also used BitTorrent, but I don't like that one either. What do you use these days?
  21. Nice list.
  22. Happy birthday, man, you owe me a whiskey when I get to Bucharest, you know, like in the good old days
  23. 10$ / day => 300$ per month. You'd be better off getting a job at Carrefour.