Web Hacking Tool Kit
Posted on March 20th, 2009 by admin
This content was originally posted on mightyseek.com
When doing a manual security assessment of a web application you generally only require a web browser and a local proxy server that allows you to trap and modify requests. Aside from those basic tools, there are a few others that come in handy. This page is dedicated to the tools I use, or that I find useful.
The Starting Team
- Mozilla Firefox – If you're not using this browser for your normal browsing, you should. Internet Explorer has enough security problems to justify the switch, and if you do any security hacking or auditing, Firefox becomes an invaluable tool. One of its major benefits is the large number of extensions available. Here are some useful ones:
- Web Developer – Adds a toolbar full of useful tools for web developers and web hackers alike.
- SwitchProxy – Quickly and easily switch between your local proxy server and a direct connection.
- LiveHTTP Headers – Lets you view the HTTP headers sent and received by your browser without connecting to a local proxy server.
- User Agent Switcher – Lets you quickly change the User-Agent string sent to the web server. Some applications generate different output depending on the browser type, which can cause a different code path to execute.
- My full Firefox extensions list – I use additional extensions, but they don't really belong in this list.
- Paros Proxy – A local proxy server that acts as your own man in the middle, recording the full traffic between your browser and the web server. Paros can "trap" requests and responses so that each one waits for your approval, and you can modify any of the traffic before it reaches its intended destination. Note: requires a working Java environment.
- ntoinsight and ntoweb – ntoinsight is a great crawler that inventories the site and generates a report of its attackable locations. Adding ntoweb lets it run the Nikto checks and add those findings to the report.
- Cross Site Scripting cheatsheet – The definitive list of XSS vectors, including ways around various input validation filters and more elaborate payloads for making sure the injection accomplishes what you want.
- MD5 Hash Lookup – When you discover an MD5 hash, this is the fastest way to find the original value. It is not "decrypting": the site has built up a huge database of common strings and passwords, generated the MD5 hash of each, and lets you search the pre-generated hashes for a match.
- Google – Need I explain what an awesome resource this is?
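How an MD5 lookup service of the kind listed above actually works, as an added example (not code from the original page or from any lookup site): the table is built ahead of time from a wordlist, and a lookup is a dictionary probe of the digest, never a reversal of MD5. The wordlist, the mangling rules and the function names are assumptions made for this demo.

```python
import hashlib

# Constructed wordlist for the demo; real lookup tables hold hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2009", "admin"]


def md5_hex(text):
    """Hex MD5 digest of a string, the form it usually takes in a database dump."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_table(words, mangle=True):
    """Precompute {md5(candidate): candidate}. With mangle=True the table also
    covers common variants (capitalised, upper-cased, digit suffix); every extra
    rule multiplies the table size, which is the trade-off of precomputation."""
    table = {}
    for word in words:
        candidates = {word}
        if mangle:
            candidates |= {word.capitalize(), word.upper()}
            candidates |= {word + str(d) for d in range(10)}
        for cand in candidates:
            table[md5_hex(cand)] = cand
    return table


def lookup(table, digest):
    """Return the matching plaintext or None. Digests copied from a dump are often
    upper-case or padded, so normalise before the dictionary probe."""
    return table.get(digest.strip().lower())


if __name__ == "__main__":
    table = build_table(WORDLIST)
    # The third digest is a salted hash (assumed salt "pepper:"); it is not in the table.
    for digest in ("5F4DCC3B5AA765D61D8327DEB882CF99", md5_hex("letmein1"), md5_hex("pepper:password")):
        print(digest, "->", lookup(table, digest))
```

The last probe in the usage block shows the limit of this approach: a hash computed over salt plus password is not in any table built from bare passwords, so a lookup service only helps against unsalted hashes.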
Often Benchwarmers, but good to have around
- Burp Proxy – While I prefer Paros for my own use, Burp Proxy is a great tool and is actually designed more specifically for web app hacking. Note: Requires a working Java environment.
- Burp Suite – The Burp Suite, which includes the Burp Proxy, is a complete set of tools for performing attacks. It includes the following Burp tools: proxy, spider, intruder and repeater. Note: requires a working Java environment.
- DSniff (for Windows) – Old-school tools for spoofing, intercepting and monitoring network communication.
- Ettercap (for Windows) – Similar to DSniff, but more user-friendly.
- LibWhisker – Perl library that provides functions for manipulating HTTP and HTML. Can be used to write your own hacking scripts.
- Nikto – Known-vulnerability scanner for web servers and applications (uses LibWhisker).
- Stunnel – Lets you use any hacking script that works over HTTP but not HTTPS: Stunnel handles the encryption layer and tunnels the traffic.
- NetCat (for Windows) – Known as "the TCP/IP Swiss army knife". A generally useful networking tool.
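The trap-and-modify behaviour that Paros and Burp Proxy provide, as an added example written for this page (it is not code from either tool): a minimal intercepting HTTP proxy in Python. Every request the browser sends through it passes through rewrite_request() before being forwarded, which is where a tester edits headers, parameters or the body; the same hook is where a User-Agent swap of the kind the User Agent Switcher extension performs would go. The target server, the URL, the parameter edit and the header values are all constructed for the demo so it runs offline.

```python
import http.client
import http.server
import json
import threading
import urllib.parse

# Headers the proxy must not copy through; http.client regenerates Host and
# Content-Length for the (possibly edited) request it sends upstream.
DROP_HEADERS = {"host", "content-length", "connection", "proxy-connection", "keep-alive"}


def rewrite_request(method, url, headers, body):
    """The trap: every request passes through here before it is forwarded.
    Hypothetical edits for the demo: tag the request, swap the User-Agent
    and promote a 'role' query parameter."""
    headers = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS | {"user-agent"}}
    headers["X-Intercepted"] = "1"
    headers["User-Agent"] = "Mozilla/4.0 (compatible; MSIE 6.0)"
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    if "role" in query:
        query["role"] = ["admin"]
        parts = parts._replace(query=urllib.parse.urlencode(query, doseq=True))
    return method, urllib.parse.urlunsplit(parts), headers, body


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    """Forwards each request to the host named in its absolute request URI,
    the form a browser uses once it is configured to talk to a proxy."""
    history = []  # (method, url, status): the proxy's request log

    def do_GET(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        method, url, headers, body = rewrite_request(self.command, self.path, self.headers, body)
        target = urllib.parse.urlsplit(url)
        path = urllib.parse.urlunsplit(("", "", target.path or "/", target.query, ""))
        try:
            upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
            upstream.request(method, path, body=body, headers=headers)
            resp = upstream.getresponse()
            data = resp.read()  # fully read, so chunked encoding is already undone
            upstream.close()
        except OSError as exc:
            self.send_error(502, "upstream unreachable: %s" % exc)
            return
        ProxyHandler.history.append((method, url, resp.status))
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in DROP_HEADERS | {"transfer-encoding"}:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_POST = do_GET

    def log_message(self, *args):
        pass  # keep the demo quiet


class EchoTarget(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web server: replies with what it received,
    so the effect of the rewrite shows up in the response."""

    def do_GET(self):
        seen = {"method": self.command, "path": self.path,
                "headers": {k.lower(): v for k, v in self.headers.items()}}
        data = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def serve(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Send one browser-style request through the proxy; return what the target saw."""
    target, proxy = serve(EchoTarget), serve(ProxyHandler)
    try:
        url = "http://127.0.0.1:%d/account?role=user" % target.server_address[1]
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        client.request("GET", url, headers={"User-Agent": "Firefox/3.0"})  # absolute URI, as sent to a proxy
        received = json.loads(client.getresponse().read())
        client.close()
        return received
    finally:
        for srv in (proxy, target):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints the request as the target received it: the role parameter arrives as admin, the User-Agent is the substituted one and the X-Intercepted tag is present. A real proxy adds the interactive pause (the "trap") and HTTPS handling on top of exactly this forwarding loop.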
Other lists of tools
- Top 75 Security Tools by Insecure.org – A great list of web app sec and general network sec tools.
Automated Tools that Cost
The previous entries are available and free for all. The following are professional tools that you will have to pay for.
- NTOSpider from NT OBJECTives – Web application vulnerability scanner whose development I lead.
- Appscan by Watchfire – Another Web application vulnerability scanner.
- Web Inspect by SpiDynamics – Yet another Web application vulnerability scanner.
Migrating from SQL to MySQL
Posted on March 20th, 2009 by admin
Switching from a proprietary database to an open source one is one of the biggest money savers on the agenda, but it is also a daunting prospect if your company has a lot of data in that database. IT IS POSSIBLE to copy the structure and all the data using the MySQL Migration Toolkit. The toolkit consists of an instruction manual and software, freely available to anyone with an interest. The article below provides the details. All the links in this article lead back to the Sun Microsystems Inc. website, where further support for migration can be found.
MySQL Migration Toolkit
Copyright 2005-2008 MySQL AB, 2009 Sun Microsystems, Inc.
This documentation is NOT distributed under a GPL license. Use of this documentation is subject to the following terms: You may create a printed copy of this documentation solely for your own personal use. Conversion to other formats is allowed as long as the actual content is not altered or edited in any way. You shall not publish or distribute this documentation in any form or on any media, except if you distribute the documentation in a manner similar to how Sun disseminates it (that is, electronically for download on a Web site with the software) or on a CD-ROM or similar medium, provided however that the documentation is disseminated together with the software on the same medium. Any other use, such as any dissemination of printed copies or use of this documentation, in whole or in part, in another publication, requires the prior written consent from an authorized representative of Sun Microsystems, Inc. Sun Microsystems, Inc. and MySQL AB reserve any and all rights to this documentation not expressly granted above.
For more information on the terms of this license, for details on how the MySQL documentation is built and produced, or if you are interested in doing a translation, please contact the Documentation Team.
If you want help with using MySQL, please visit either the MySQL Forums or MySQL Mailing Lists where you can discuss your issues with other MySQL users.
For additional documentation on MySQL products, including translations of the documentation into other languages, and downloadable versions in variety of formats, including HTML, CHM, and PDF formats, see MySQL Documentation Library.
Abstract
This is the MySQL Migration Toolkit Manual.
Document generated on: 2009-02-25 (revision: 13906)
Table of Contents
- 1. MySQL Enterprise
- 2. Introduction to the MySQL Migration Toolkit
- 3. Installation
- 4. Removing MySQL GUI Tools
- 5. Upgrading MySQL GUI Tools
- 6. Running MySQL GUI Tools
- 7. Features of the MySQL Migration Toolkit
- 8. An Overview of the Migration Process
- 9. The Migration Process In-Depth
- 9.1. Introduction
- 9.2. The Welcome Screen
- 9.3. The Configuration Type Screen
- 9.4. The Source Database Screen
- 9.5. The Target Database Screen
- 9.6. The Connect to Server Screen
- 9.7. The Source Schema Selection Screen
- 9.8. The Reverse Engineering Screen
- 9.9. The Object Type Selection Screen
- 9.10. The Object Mapping Screen
- 9.11. The Meta Migration Screen
- 9.12. The Manual Editing Screen
- 9.13. The Object Creation Options Screen
- 9.14. The Creating Objects Screen
- 9.15. The Data Mapping Options Screen
- 9.16. The Bulk Data Transfer Screen
- 9.17. The Summary Screen
- 9.18. Saving the Current Application State
- 10. The Generic Runtime Environment (GRT) Shell
- 11. Scripted Migration
- 12. Extending The MySQL Migration Toolkit
- 13. Preparing a Microsoft Access Database for Migration
List of Figures
- 8.1. The MySQL Migration Toolkit Migration Plan
- 9.1. The MySQL Migration Toolkit welcome screen
- 9.2. The Configuration Type screen
- 9.3. Source database – Microsoft Access
- 9.4. Source database – Microsoft SQL Server
- 9.5. Source database – Oracle
- 9.6. Oracle JDBC driver not attached
- 9.7. Source database – MySQL
- 9.8. Target Database – MySQL
- 9.9. The Connect to Servers screen
- 9.10. The Source Schema Selection screen
- 9.11. The Reverse Engineering screen
- 9.12. The Object Type Selection screen
- 9.13. The detail view of the Object Type Selection screen
- 9.14. The Add Ignore Pattern dialog
- 9.15. The Object Mapping screen
- 9.16. The Meta Migration screen
- 9.17. The Manual Editing screen
- 9.18. The Manual Editing screen – detailed view
- 9.19. The Object Creation Options screen
- 9.20. The Creating Objects screen
- 9.21. The Data Mapping Options screen
- 9.22. The Bulk Data Transfer screen
- 9.23. The Summary screen
- 10.1. The GRT shell (Windows)
- 13.1. The show section
- 13.2. The system objects
- 13.3. Granting access to the system objects
