Thanks for the code MaXe.  And I'll have to check out ZAP tturner.

Thanks n3r.  From what you say, it seems like the labs might not be as expensive as I thought.  I'm planning to try the labs once I finish the book (but I just started), so let me know your overall thoughts once you finish them all.

Interesting, I'll have to try this against my wordpress site, thanks.

What tool(s) do you guys recommend for URL encoding/decoding?  I've been using Hackbar for Firefox, but I'm switching to Chrome, so I was wondering if anyone knew a good Chrome extension or standalone app for encoding.  I think you can do it with Burp Suite, but I just thought I'd ask in case there was some tool I didn't know about.  And if there's nothing good, I suppose I could write my own.

Thanks.

Social networking sites like twitter, facebook, etc.  The idea is instead of having each different site alert you on updates, postings, etc, this site will alert you to all of them.  It's somewhat more complex than that but that is the basic idea.

Saw this at the library a few weeks ago, might have to check it out.  Of course I'm currently reading:

1. Web Application Hacker's Handbook v2
2. Hacking: Art of Exploitation
3. Programming Ruby
4. CCNA Library
5. Metasploit: Pen Tester's Guide

And once I finish the Art of Exploitation, I have the Shellcoder's handbook to go through.  I sure am glad I don't have a paying job and have time to read all this!

Honestly, I would take the eCPPT first, and strongly read these forums in regards to the CEH.  It looks good on a resume, but from what I hear you don't get a lot of knowledge from the CEH.  The eCPPT, on the other hand is a great entry-level cert, and way cheaper than the CEH unless you don't have to take the class.

Yeah, not a fan of jail hayabusa!

Yeah I saw it yesterday.  I kinda want to try it out and see how easy it is to crack, but will have to wait until people leave the house in case I break their Internet!

This potentially looks interesting... who's going to bite the bullet and try it so they can write a review for the rest of us? 

I had that same thought this morning   I think I'll have my friend use a salted hash and then read a value from the database, if it's not garbage, then login successful.


Think about the master password like a single sign-on (SS0).  You log into the site with the password for your account, and then you have access to various data from other sites using the stored usernames/passwords for each.

The hash of the plaintext of the password is used at the decryption key for the database, so storing the hash doesn't seem that much more secure.  Although I suppose he could hash the "hashed" password and use that as a key.  Storing the password in a session variable would be a good idea, however, this way the password would have to be stored in a database somewhere in order to verify that what a user enters is correct right?  Or, I guess if it wasn't stored in a database and just used it as decryption key for the other passwords, then the login would fail if the database doesn't decrypt properly.  Is it possible to test for that?


The script is server-side.  I guess I'm not exactly sure what you're suggesting unicityd, or perhaps I wasn't clear in my description.  There is no global master password, if by global you mean one password that will unlock all the passwords for all the users on the site.  There is one password that will unlock all the passwords for a particular user on the site.  Right now, there is no way to reset a password without having to renter all the passwords, because as you said, it's not very secure to have a global master password.

Thanks guys, you've given me a lot to think about.

My friend has this website that acts as a portal to other sites, basically you log in to his site and it pulls information from various other accounts.  I'm curious as to your input on his password storage method.  He stores all the usernames and passwords for the various sites in a database encrypted with a key based on a user's master password for his site.  That seems pretty standard to me.  He didn't want to store the master password for his site in the database in case someone got access to the db and could therefore get all the passwords, which seems like a good idea.  So he has the master password stored in plaintext in the script code of the user's home page on his site.  While this doesn't seem like a great idea, it does have its advantages:

1.  If someone is able to break in and access the database, they wouldn't be able to read the passwords for the other sites because they're encrypted (assuming of course, they can't do a SQL injection or something like that).

2.  The user's master password can't be read by viewing the source because it's in a script.  The only way I can think to read the password would be if an attacker could use some form of XSS or something similar to "break" the page and get it to spit out the code.  Am I correct, or is there something else I should be wary of?  Assuming of course, that an attacker is not able to download the source code off the site.

What are your thoughts on this method?  Is there some other security issue/attack I need to take into account?  Is there some way this could be made more secure, or a different technique he should try all together?

Thanks.

I don't really like Apple products, but I might have to get one to play around with after reading this.

Thanks Tom, I found it, I'll take a look at it tonight.