DeadSwitch works on a new blade – an Emacs-powered static site generator.
No analytics. No ads. No noise. Just signal.
Static sites are convenient.
They’re fast and secure.
They’re a one-way whispering.
Plain text is a sharp blade. Trusted.
The Ghost Operator's Signal
The PicoCTF web exploitation tasks are fun, and you can learn a lot about the web and about the tools you can use as a white hat hacker or penetration tester. Knowing about possible security issues also helps you avoid them as a developer. Let’s see another web security challenge!
Continue reading “PicoCTF: Cookies [CTF Write Up]”
In the following CTF game the player looks into the HTTP communication and its request methods. It is a great opportunity to learn about what happens behind the scenes while a web page loads. The game is on PicoCTF.
Continue reading “PicoCTF: GET aHEAD [CTF Write Up]”
Have you ever thought about joining the ranks of white hat hackers and penetration testers? Not sure where to start or how to practice your skills? Though capture-the-flag games, or CTFs for short, are not the most lifelike situations, they can help you build a way of thinking and learn the basic tools. PicoCTF is a great site to start as a beginner.
Continue reading “PicoCTF: “where are the robots” [CTF Write Up]”
In today’s connected world, ensuring the security of web communications is very important. Encrypting data exchanged between users and websites is a mandatory step in protecting sensitive information and privacy. Let’s Encrypt, a free, automated, and open certificate authority, coupled with Certbot, a robust tool for automatically managing SSL/TLS certificates, provides a powerful solution for making the web a safer place. In this post, we will explore the process of implementing Let’s Encrypt and Certbot on Debian Linux to enhance web security.
Continue reading “Installing and Automating Let’s Encrypt Certificates with Certbot”
NGINX, pronounced “engine-ex,” is an open-source web server software used for various purposes, including web serving, reverse proxying, caching, load balancing, and media streaming. It was initially designed to handle large numbers of concurrent connections, making it suitable for high-performance web applications.
Continue reading “How To Set Up Vhosts In The Nginx Webserver?”
Apache is a free and open-source cross-platform web server software that allows users to deploy their websites on the internet. It was launched in 1995 and has been the most popular web server on the Internet since April 1996.
A reverse proxy is a server that sits in front of web servers and forwards client requests to those web servers. It acts as an intermediary, intercepting and inspecting incoming client requests before forwarding them to the web server. Reverse proxies can provide additional levels of abstraction, control, security, and performance optimization. They are commonly used for load balancing, web acceleration, and to hide implementation details about the web servers.
SSL, or Secure Sockets Layer, is a protocol for establishing authenticated and encrypted links between networked computers. Its current iteration is called TLS (Transport Layer Security).
Continue reading “How To Configure An Apache SSL Reverse Proxy on Linux?”
Apache2 is a free and open-source web server that allows users to deploy their websites on the internet. It was first released in 1995 and is maintained by the Apache Software Foundation. Apache is fast, reliable, and secure, and it runs on a large percentage of web servers, making it one of the most popular choices for website owners, developers, and hosting providers.
Continue reading “How to set up vhosts in the Apache2 webserver?”
The OWASP Top 10 is a widely recognized list of the most critical security risks for web applications. It is updated every few years based on data analysis and community feedback. The latest version, released in 2021, introduces some new categories and changes some existing ones to reflect the current threat landscape.
As developers, we should be aware of these risks and take steps to prevent them in our applications. In this blog post, we will briefly review each of the OWASP Top 10 categories and provide some best practices and resources to help us secure our code.

The internet is a vast and diverse place, but not all of it is accessible through the standard browsers and search engines that most of us use. There are hidden parts of the web that require special tools and techniques to access, and they are often referred to as the deep web and the dark web.

Web services are applications that run on the internet and provide functionality to other applications or users. They can be complex and require a lot of configuration and maintenance. Ansible is a tool that helps us automate the deployment and management of web services. It allows us to write simple and declarative scripts that describe the desired state of our web services, and then execute them on multiple servers. Ansible also handles the dependencies, errors, and changes that may occur during the automation process. By using Ansible, we can save time, reduce errors, and ensure consistency and reliability of our web services.

Welcome to the first installment of our restarted blog series, where we dive into the fascinating world of penetration testing. Today we focus on the OWASP Juice Shop application. In this series, we will explore various vulnerabilities within the Juice Shop and demonstrate how to exploit them to enhance your security testing skills. Today, we begin with one of the most common and dangerous web application vulnerabilities: the SQL injection.

Installing web servers, database services and similar tools is a tedious task, especially when we have to repeat it over and over again, for example in a test environment.
Here are some useful playbooks that we can use to simplify the process.
Continue reading “Installing web and database servers on Debian Bullseye with Ansible playbooks”
RootMe is a bite-sized web upload form and Linux privilege escalation exercise.
Continue reading “TryHackMe | RootMe [CTF write-up]”
With Burp Suite we can initiate dictionary attacks against a website. This time, in this simulated attack, we will brute force the login form of the Juice Shop web application. We already know the email address of an admin user, so we have to find the right password.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!
Continue reading “How to brute force a web application password with Burp Suite? Basic dictionary attack in practice!”