Looks interesting with a sneak peak mohaab  Thanks for sharing this video 

Non-bitly link for those that may prefer a direct link: http://securitystreetknowledge.com/?p=557

I suggest you use another font than the one for EvE Online (If it isn't, it just looks very much like it), or at least use a font which is anti-aliased. Also, try make the index page something else than what appears to be the "about me" page. Of course, it's up to you in the end though  

Ask yourself: Who is your targeting group? And when you've found that, then look through the eyes of this group and know what you want to see. For instance, black can be read both positively and negatively, but most companies use a white background. (Clean, peace, etc.) Communities on the other hand typically uses dark or black backgrounds however this does not reflect the legality of these communities at all, but some humanoids does think that black website == illegal unfortunately.

Congratulations to the winners!  Awesome work 

Hint: Where could they possibly insert embedded information when they can't edit the Amazon page itself? (It's very limited what is possible, and you might be surprised what starts this journey, also how you reach the dead end and then might realise that you forgot to look for something you didn't anticipate  Thanks Dxxxx

I think the winners has probably already been found by now though 

About the choice of distribution, you can pretty much use whatever you want. (I didn't use BackTrack, but I had to install some tools completely on my own, but that was just fun for me none the less.)


1) Unlikely.

2) Unlikely, but knowing how exploits works on almost all types of systems is a good idea :-)

Good luck! You will need it 

1) Watch the videos => Read the document. I used the same approach and it's also what they recommend I think 

2) You don't need a huge toolbox, besides pure hacking skills in your mind. Knowing Web Application Security and e.g. PHP is a good idea too though, along with Exploit Development of Buffer Overflows (etc), Fuzzing, Protocol Attacks, etc.

3) Excellent idea, know your strengths and your weaknesses. That is one of the ways to succeed.


The most important thing is that if you don't understand something in one of the modules, take your time to research about it so you understand exactly what was covered during the course, and try to go beyond so you know more than what is covered during the course, when you're attempting the examination.

Feel free to message me on IRC, I'm usually idling there 24/7 but I'm of course also online on occasion 

Same, got stuck there after 30 minutes  I did check meta-data too but I didn't check stenography, too lazy for that really 

The Amazon page is filled with extreme amounts of information so it is quite a lot one can try to look for.

1) Most websites saves logon credentials in a database where the table name could be: users . In this table there are several columns, where id is a unique key identifying the user, and username contains the username, perhaps the one used to log onto the website with where the password field  contains the password. vBulletin stores passwords in an algorithm like this: md5(md5($password). $salt); (So, the database table 'users' also contains a field called 'salt').

2) If you mean save settings on a website and not actually the settings in Internet Explorer, then it's mostly stored in cookies and / or sessions. (www.w3schools.com). If it's the actual settings inside Internet Explorer and not for websites, it's probably stored in the registry database on your computer.

If all this sounds like gibberish or some of it does, I encourage you to Google about this, perhaps learn PHP and MySQL to understand how websites works along with the TCP protocol suite including IP, and HTTP.

Nice, I thought I had it too but I hit a dead end   

Hello there,


With so many courses and certifications available, what would be the hardest one you have ever done? I know we're all different, and on different levels of skill, area of expertise, and so forth.

But completely honest, I'd like to hear what you think was the hardest for you.

Mainly because, I'm going for the hardest courses available. I like a good challenge 

I think OSCE was insane, challenging, fun, and a very good learning experience, but I want to know if there's other practical courses and / or certifications just as challenging or close to. I know OSCP could probably be challenging too, but I was wondering about the other providers of InfoSec courses and certifications.

Hello EH'ers,


Today would be time for a good question, so I thought: How common is the HTTP Response Splitting vulnerability?

Compared to XSS (Persistent and Non-Persistent), XSRF/CSRF, SQL Injection, LFI + RFI, RCE, etc.

I have seen a few WebAppSec courses implement it in their material, but I haven't encountered this vulnerability on a live website yet. The attack itself is interesting, but personally it feels like an attack which died a long time ago, before RFI suddenly got patched pretty well in most Web Applications.

So how common is HTTP Response Splitting vulnerabilities? What is your opinion? I'd like to know since I haven't really hunted for these bugs either, but also because I want to know if it's worth using time on trying to find during a real pentest (where the source code is not available), compared to the other vulnerabilities which are easier to detect, confirm and exploit?


~ MaXe

Thanks for the info so far fellow EH'ers, I like the diversity of your replies 

It is quite intriguing so many certifications there are, for the sole purposes of proving one's skill 

Hi H1t M0nk3y,


I should note that I have never attended any of their conferences yet, but I've read most presentations, attended a Webinar (it was free) and read many of their slides, all those I found interesting including the archives.

What I found particularly interesting were the very technical and in-depth presentations, which BH focuses on. Whenever new slides are available I check them out, because I don't know why, but I associate the BH talks with high quality.

Defcon is of course, awesome too. It's cheaper and there are so many talks there, some of them are really really awesome too, but I primarily like that the presentations af BH, is suited for a 0day hackers mind and similar professionals or hobbyists who has been in the field for a long time.

I don't know about the training, but I have read about a few of their workshops and training sessions. Some of them looked really interesting, and again, very technical, at least what it says on their website. I might be completely wrong, but when I think of BH, I feel the same quality as OffSec provides.

That point of view could change, but I guess I'll have to submit a good presentation and get there to find out how it really is myself 

I should note that I was disappointed with the DC 2011 presentations a bit. At least the slides I found on the website and thereby also the topics covered etc. Not what I expected at all this time.

Anyway, I think you should ask someone who has actually attended or taught at these training sessions  They are more qualified to inform you the pro's and con's, besides that it's really expensive just going there 

I wish I could be there,  I love this conference and the talks on it are usually great  Thanks for the info none the less don