Posts

Showing posts with the label SQL Injection

Hacker’s Elusive Thoughts The Web

Introduction The reason for this blog post is to advertise my book. First of all I would like to thank all the readers of my blog for the support and feedback on making my articles better. After 12+ years in the penetration testing industry, the time has come for me to publish my book and transfer my knowledge to all the interested people that like hacking and want to learn as much as possible. Also at the end of the blog you will find a sample chapter. About The Author Gerasimos is a security consultant holding an MSc in Information Security, a CREST (CRT), a CISSP, an ITILv3, a GIAC GPEN and a GIAC GAWPT accreditation. Working alongside diverse and highly skilled teams Gerasimos has been involved in countless comprehensive security tests and web application secure development engagements for global web applications and network platforms, counting more than 14 years in the web application and application security architecture. Gerasimos further progressing in h...

CSRFing the Web...

Introduction Nowadays hacking, as already mentioned in my previous articles, has been industrialized, meaning that professional hackers are constantly hired to make money out of practically anything and therefore all Web Application vulnerabilities have to be understood and defeated. This article is going to talk about what Cross Site Request Forgery (CSRF) is, explain how someone can perform a successful CSRF attack and describe how to amplify a CSRF attack (e.g. combine CSRF with other vulnerabilities). CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated (simplistically speaking). With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of a normal user. If the targeted end user is the administ...

The Teenage Mutant Ninja Turtles project....

Intro Elusive Thoughts are proud to present you The Teenage Mutant Ninja Turtles project.... What is Teenage Mutant Ninja Turtles? The Teenage Mutant Ninja Turtles project is three things: A Web Application payload database (heavily based on fuzzdb project for now). A Web Application error database. A Web Application payload mutator. Nowadays all high profile sites found in financial and telecommunication sector use filters to filter out all types of vulnerabilities such as SQL, XSS, XXE, HTTP Header Injection etc. In this particular project I am going to provide you with a tool to generate Obfuscated Fuzzing Injection attacks in order to bypass badly implemented Web Application injection filters (e.g. SQL Injections, XSS Injections etc.). When you test a Web Application all you need is a fuzzer and ammunition: "I saw clearly that war was upon us when I learned that my young men had been secretly buying ammunition." Chief Joseph Ammunit...

Obfuscate SQL Fuzzing for fun and profit

Introduction Cyber criminals are increasingly using automated SQL injection attacks powered by botnets and AI-assisted tooling to hit vulnerable systems. SQL injection remains the most reliable way to compromise front-end web applications and back-end databases, and it continues to hold its position in the OWASP Top 10 (ranked as A03:2021 — Injection). Despite decades of awareness, the attack surface keeps expanding — not shrinking. But why does this keep happening? The answer is straightforward: we are living in an era of industrialized hacking. SQL injection attacks are carried out by typing malformed SQL commands into front-end web application input boxes that are tied to database accounts, tricking the database into offering more access than the developer intended. The reason for the sustained prevalence of SQL injection is twofold: first, criminals are using automated and manual SQL injection attacks powered by botnets, professional hackers, and now AI-driven fuzzing tools t...