Posts

The Teenage Mutant Ninja Turtles project....

Intro Elusive Thoughts are proud to present you The Teenage Mutant Ninja Turtles project.... What is Teenage Mutant Ninja Turtles? The Teenage Mutant Ninja Turtles project is three things: a Web Application payload database (heavily based on the fuzzdb project for now), a Web Application error database, and a Web Application payload mutator. Nowadays all high-profile sites found in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities such as SQL, XSS, XXE, HTTP Header Injection etc. In this particular project I am going to provide you with a tool to generate obfuscated fuzzing injection attacks in order to bypass badly implemented Web Application injection filters (e.g. SQL Injections, XSS Injections etc.). When you test a Web Application all you need is a fuzzer and ammunition: "I saw clearly that war was upon us when I learned that my young men had been secretly buying ammunition." Chief Joseph Ammunit...

Hacking the Session for fun and profit

Intro This post describes, from the security perspective, how the life cycle of a Web Application session should be. By saying life cycle I mean all the stages a session goes through and what steps should be taken in order to properly test the session. Very recently I had a discussion about session management with a colleague of mine and he seemed confused about what session management is and how it should be handled. Now if you look up the OWASP session management cheat sheet you are going to find lots of interesting information overlapping the information presented here, but there is no information on the internet that gives a complete and easy to understand guide about how to test a session. What is a Session and how should it behave A web application session is a user credential "representative" for as long as the user is logged in (well, not always). In simpler words, the user credentials after a successful log-in should be translated into one or more cry...

Ask and you shall receive (Part 2)

Intro This article is the second part of the "Ask and you shall receive" series. Almost a month ago I received a comment from tborland1 and he/she was kind enough to explain to me that the first article had nothing to do with bypassing IPS/IDS devices, which by the way is true. But it did explain rapid payload delivery and it did mention that the fragroute tool (and some other tools) can be used to bypass this type of device, so in this article I will show more specifically how to bypass the Symantec Endpoint IPS/IDS software. But the most important thing is that I did explain from scratch the underlying technologies and the basic concept, which by the way is that a buffer overflow is a simple string just like an SQL injection string and that you can manipulate that string to do WHATEVER YOU WANT with it. But before I start talking about buffer overflow obfuscation I will talk first about the different stages a buffer overflow goes through before reaching the target mach...

Obfuscate SQL Fuzzing for fun and profit

Introduction Cyber criminals are increasingly using automated SQL injection attacks powered by botnets and AI-assisted tooling to hit vulnerable systems. SQL injection remains the most reliable way to compromise front-end web applications and back-end databases, and it continues to hold its position in the OWASP Top 10 (ranked as A03:2021 — Injection). Despite decades of awareness, the attack surface keeps expanding — not shrinking. But why does this keep happening? The answer is straightforward: we are living in an era of industrialized hacking. SQL injection attacks are carried out by typing malformed SQL commands into front-end web application input boxes that are tied to database accounts, tricking the database into offering more access than the developer intended. The reason for the sustained prevalence of SQL injection is twofold: first, criminals are using automated and manual SQL injection attacks powered by botnets, professional hackers, and now AI-driven fuzzing tools t...