"DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;) " read more...
Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia. Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal
About Router-Exploit-Shovel Router-Exploit-Shovel is an automated application generation for Stack Overflow types on Wireless Routers. Router exploits shovel is an automated application generation tool for stack overflow types on wireless routers. The tool implements the key functions of exploits, it can adapt to the length of the data padding on the stack, generate the ROP chain, generate the encoded shellcode, and finally assemble them into a complete attack code. The user only needs to attach the attack code to the overflow location of the POC to complete the Exploit of the remote code execution. The tool supports MIPSel and MIPSeb.Run on Ubuntu 16.04 64bit. Router-Exploit-Shovel's Installation Open your Terminal and enter these commands: Usage
ROP chain generation This tool uses pattern to generate ROP chains. Extract patterns from common ROP exploitation procedure. Use regex matching to find available gadgets to fill up chain strings. Base64 encoding is to avoid duplicate character escapes. For example:
Attackblocks You can get attackblocks generated in results/attackBlocks.txt. Such as: You might like these similar tools:
Self-XSS attack using bit.ly to grab cookies tricking users into running malicious code
How it works? Self-XSS is a social engineering attack used to gain control of victims' web accounts by tricking users into copying and pasting malicious content into their browsers. Since Web browser vendors and web sites have taken steps to mitigate this attack by blocking pasting javascript tag, I figure out a way of doing that using Bit.ly, so we can create a redirect pointing to "website.com/javascript:malicious_code". If the user is tricked to run the javascript code after "website.com/" the cookies of its authenticated/logged session of website.com will be sent to the attacker.
Features: Port Forwarding using Ngrok and shortner using Bitly.com (Register for free)
Legal disclaimer: Usage of Self-XSS for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
Usage:
git clone https://github.com/thelinuxchoice/self-xss cd self-xss bash self-xss.sh
The term cyber security refers to the technologies and processes designed to defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.
Main types of cybersecurity are
Critical infrastructure security
Application security
Network Security
Cloud Security
Internet of things security.
These are the main types of cybersecurity used by cybersecurity expert to any organisation for safe and protect thier data from hack by a hacker.
Top Skills Required to become Cybersecurity Expert-
Problem Solving Skills
Communication Skill
Technical Strength & Aptitude
Desire to learn
Attention to Detail
Knowledge of security across various platforms
Knowledge of Hacking
Fundamental Computer Forensic Skill.
These skills are essential for become a cybersecurity expert.
Cyber cell and IT cell these are the department in our india which provide cybersecurity and looks into the matters related to cyber crimes to stop the crime because in this digitilization world cyber crime increasing day by day so our government of india also takes the immediate action to prevent the cybercrimes with the help of these departments and also arrest the victim and file a complain against him/her with the help of cyberlaw in our constitution.
OWASP ZAP RELEASES V2.8.0 WITH THE HEADS UP DISPLAY Heads Up Display simplifies and improves vulnerability testing for developers
London, England, 20 June 2019. OWASP™ ZAP (Open Web Application Security Project™ Zed Attack Proxy) has released a new version of its leading ZAP Project which now includes an innovative Heads Up Display (HUD) bringing security information and functionality right into the browser. Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.
ZAP is a free, easy to use integrated penetration testing tool. With the addition of the Heads Up Display, ZAP can be used by security professionals and developers of all skill levels to quickly and more easily find security vulnerabilities in their applications. Given the unique and integrated design of the Heads Up Display, developers and functional testers who might be new to security testing will find ZAP an indispensable tool to build secure software.
In addition to being the most popular free and open source security tools available, ZAP is also one of the most active with hundreds of volunteers around the globe continually improving and enhancing its features. ZAP provides automated scanners as well as a set of tools that allows new users and security professionals to manually identify security vulnerabilities. ZAP has also been translated into over 25 languages including French, Italian, Dutch, Turkish and Chinese.
Simon Bennetts, OWASP ZAP Project Leader commented: "This is a really important release for the project team and developers who want to build great and secure applications. The HUD is a completely new interface for ZAP and one that is unique in the industry. It shows that open source projects continue to create high-quality, new and exciting tools that deliver real value to the market - and at no cost to users."
"ZAP is the Foundation's most popular software tool," said Mike McCamon interim executive director of the OWASP Foundation. McCamon continued, "For nearly two decades OWASP continues to be a great destination for innovators to host, develop, and release software that will secure the web. Simon and the entire ZAP community deserves great recognition for their continued devotion to open source excellence."
For further information please contact: Simon Bennetts, OWASP ZAP Project Leader: simon.bennetts@owasp.orgor Mike McCamon, Interim Executive Director, mike.mccamon@owasp.comMore information
Some of you likely recall the talk back in 2016 or so of updating the OWASP Foundation website to not appear so much like a...well, a wiki. That talk was carried forward into 2017 and 2018 and, with each year, the proposal got pushed ahead as there were other, deeper projects to tackle. With the arrival of 2019 and a firm project plan under the guidance of Mike McCamon, Executive Director, we are finally moving toward a functioning, modern website that will be a whole lot less...wiki-like. The journey has been circuitous and, while we are not anywhere near complete, we have a set plan in place to bring it to fruition within the calendar year (second quarter of the year, actually).
TLDR: How Can You Help?
There are certainly ways in which you can get involved now. For instance, we are looking for a clean way to get wiki pages into GitHub markdown format for archival. I have done some work here but there are parsing issues with some of the tools. Do you know a good tool or have you done similar work? Also, are you or do you know a good designer, someone familiar with GitHub pages that can provide some useful help and feedback along the way? A Jekyll expert to help code a theme with a handful of templates would be a great addition. In addition, we could use website server admins who could help with assigning redirects to maintain search integrity. Finally, there will be a great many pages to move that we will also eventually need community involvement in.
So, What Have We Done?
Thus far we have researched various ideas for standing up a new site, including modifying the current wiki, spinning up our own web server, contracting a third party to host and build a new site, and also using existing infrastructure with our own content to launch a new face for OWASP. Our discussions led us to a familiar place, one that nearly every developer in the OWASP space is familiar with: GitHub.
In our conversations with GitHub, it became readily apparent that using the platform would be a win for the Foundation as well as GitHub. Nearly everyone who runs a project at OWASP (documentation or otherwise) uses GitHub. Because our target audience is also mostly developers we know that they are also very comfortable with the platform. And while GitHub has a number of high profile companies using their GitHub Pages, the use of the platform as the basis for the entire website of the number one non-profit foundation in the application security sector is a big draw.
We have run with that GitHub Pages idea and have spent internal manpower on a proof of concept. This proof of concept is less about the UX of the site than the functionality, the ability to utilize the authentication systems, and the ability to utilize automation to push out changes quickly.
Where Are We Now?
We are doing the final stages of website architecture. We are also planning what needs to be in the site, how the pieces will integrate with current projects and chapters, and how we might utilize the community to integrate the pieces so that we have a visually and functionally cohesive website that spans across multiple repositories.
What Is Next?
We will soon be looking for a modern website design that is responsive and clean. We will begin using the knowledge gained from our proof of concept to build out the internals of the website and then we will start implementing the highest traffic pages and administrative areas into the new platform. Once we have the big-ticket items moved we will start looking at what is left and moving over those pieces. The eventual goal would be to have a new, modern website for the future of OWASP while keeping the wiki as an archive of really useful information.
We hope you are as excited as we are about the future of the OWASP Foundation website and will join us as we move toward a modern web presence. If you have any questions or would like to volunteer your time, experience or knowledge, please contact me at harold.blankenship@owasp.com
"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."
Personally, I agree with this, but .... But whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)
But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).
There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.
Ways to backdoor a domain
So here you go, an incomplete list to backdoor a domain:
Create a new domain admin user. Easy to do, easy to detect, easy to remediate
Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (https://technet.microsoft.com/library/security/2871997), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.
Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D
Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. http://www.exploit-db.com/papers/17167/
Backdoor any workstation where domain admins login. While remediating workstations, don't forget to clean the roaming profile. The type of backdoor can use different forms: malware, local admin, password (hidden admin with 500 RID), sticky keys, etc.
Backdoor any domain controller server. For advanced attacks, see Skeleton keys
Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - Backdoor factory
Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment
Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check Mimikatz experimental for addsid
Golden tickets - easy to do, hard to detect, medium remediation
Silver tickets - easy to do, hard to detect, medium/hard remediation
The following list does not fit in the previous "instant admin" tips, but still, it can make the attackers life easier if their primary foothold has been disabled:
Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup
Backdoor the Exchange server - get a copy of emails
Backdoor workstation/server golden image
Change permission of logon scripts to allow modification later
Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later
Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password
Backdoor files e.g. on shares to use in SMB relay
Backdoor source code of in-house-developed software
Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.
Change the content of the proxy pac file (change browser configuration if necessary), including special exception(s) for a chosen domain(s) to use proxy on malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.
Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.
Remove patches from servers, change patch policy not to install those patches.
Steal Windows root/intermediate CA keys
Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)
Update [2015-09-27]: I found this great presentation from Jakob Heidelberg. It mentions (at least) the following techniques, it is worth to check these:
Microsoft Local Administrator Password Solution
Enroll virtual smart card certificates for domain admins
Forensics
If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)
I can recommend two tools which can help you during your investigation:
But guess what, not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well. Which seems quite impossible. When someone is creating a new AD, it is impossible not to migrate some configuration/data/files from the old domain. And whenever this happens, there is a risk that the new AD will be backdoored as well.
Ok, we are doomed, but what can we do? I recommend proper log analysis, analyze trends, and detect strange patterns in your network. Better spend money on these, than on the domain rebuild. And when you find something, do a proper incident response. And good luck!
Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.
In this blog series we will analyze blockchain vulnerabilities and exploit them ourselves in various lab and development environments. If you would like to stay up to date on new posts follow and subscribe to the following: Twitter: @ficti0n
As of late I have been un-naturally obsessed with blockchains and crypto currency. With that obsession comes the normal curiosity of "How do I hack this and steal all the monies?"
However, as usual I could not find any actual walk thorough or solid examples of actually exploiting real code live. Just theory and half way explained examples.
That question with labs is exactly what we are going to cover in this series, starting with the topic title above of Re-Entrancy attacks which allow an attacker to siphon out all of the money held within a smart contract, far beyond that of their own contribution to the contract.
This will be a lab based series and I will show you how to use demo the code within various test environments and local environments in order to perform and re-create each attacks for yourself.
Note: As usual this is live ongoing research and info will be released as it is coded and exploited.
If you are bored of reading already and just want to watch videos for this info or are only here for the demos and labs check out the first set of videos in the series at the link below and skip to the relevant parts for you, otherwise lets get into it:
Background Info:
This is a bit of a harder topic to write about considering most of my audience are hackers not Ethereum developers or blockchain architects. So you may not know what a smart contract is nor how it is situated within the blockchain development model. So I am going to cover a little bit of context to help with understanding.I will cover the bare minimum needed as an attacker.
A Standard Application Model:
In client server we generally have the following:
Front End - what the user sees (HTML Etc)
Server Side - code that handles business logic
Back End - Your database for example MySQL
A Decentralized Application Model:
Now with a Decentralized applications (DAPP) on the blockchain you have similar front end server side technology however
Smart contracts are your access into the blockchain.
Your smart contract is kind of like an API
Essentially DAPPs are Ethereum enabled applications using smart contracts as an API to the blockchain data ledger
DAPPs can be banking applications, wallets, video games etc.
A blockchain is a trust-less peer to peer decentralized database or ledger
The back-end is distributed across thousands of nodes in its entirety on each node. Meaning every single node has a Full "database" of information called a ledger.The second difference is that this ledger is immutable, meaning once data goes in, data cannot be changed. This will come into play later in this discussion about smart contracts.
Consensus:
The blockchain of these decentralized ledgers is synchronized by a consensus mechanism you may be familiar with called "mining" or more accurately, proof of work or optionally Proof of stake.
Proof of stake is simply staking large sums of coins which are at risk of loss if one were to perform a malicious action while helping to perform consensus of data.
Much like proof of stake, proof of work(mining) validates hashing calculations to come to a consensus but instead of loss of coins there is a loss of energy, which costs money, without reward if malicious actions were to take place.
Each block contains transactions from the transaction pool combined with a nonce that meets the difficulty requirements.Once a block is found and accepted it places them on the blockchain in which more then half of the network must reach a consensus on.
The point is that no central authority controls the nodes or can shut them down. Instead there is consensus from all nodes using either proof of work or proof of stake. They are spread across the whole world leaving a single centralized jurisdiction as an impossibility.
Things to Note:
First Note: Immutability
So, the thing to note is that our smart contracts are located on the blockchain
And the blockchain is immutable
This means an Agile development model is not going to work once a contract is deployed.
This means that updates to contracts is next to impossible
All you can really do is createa kill-switch or fail safe functions to disable and execute some actions if something goes wrong before going permanently dormant.
If you don't include a kill switch the contract is open and available and you can't remove it
Second Note:Code Is Open Source
Smart Contracts are generally open source
Which means people like ourselves are manually bug hunting smart contracts and running static analysis tools against smart contract code looking for bugs.
When issues are found the only course of action is:
Kill the current contract which stays on the blockchain
Then deploy a whole new version.
If there is no killSwitch the contract will be available forever.
Now I know what you're thinking, these things are ripe for exploitation.
And you would be correct based on the 3rd note
Third Note: Security in the development process is lacking
Many contracts and projects do not even think about and SDLC.
They rarely add penetration testing and vulnerability testing in the development stages if at all
At best there is a bug bounty before the release of their main-nets
Which usually get hacked to hell and delayed because of it.
Things are getting better but they are still behind the curve, as the technology is new and blockchain mostly developers and marketers.Not hackers or security testers.
Forth Note:Potential Data Exposure via Future Broken Crypto
If sensitive data is placed on the blockchain it is there forever
Which means that if a cryptographic algorithm is broken anything which is encrypted with that algorithm is now accessible
We all know that algorithms are eventually broken!
So its always advisable to keep sensitive data hashed for integrity on the blockchain but not actually stored on the blockchain directly
Exploitation of Re-Entrancy Vulnerabilities:
With a bit of the background out of the way let's get into the first attack in this series.
Re-Entrancy attacks allow an attacker to create a re-cursive loop within a contract by having the contract call the target function rather than a single request from auser. Instead the request comes from the attackers contract which does not let the target contracts execution complete until the tasks intended by the attacker are complete. Usually this task will be draining the money out of the contract until all of the money for every user is in the attackers account.
Example Scenario:
Let's say that you are using a bank and you have deposited 100 dollars into your bank account.Now when you withdraw your money from your bank account the bank account first sends you 100 dollars before updating your account balance.
Well what if when you received your 100 dollars, it was sent to malicious code that called the withdraw function again not lettingthe initial target deduct your balance ?
With this scenario you could then request 100 dollars, then request 100 again and you now have 200 dollars sent to you from the bank. But 50% of that money is not yours. It's from the whole collection of money that the bank is tasked to maintain for its accounts.
Ok that's pretty cool, but what if that was in a re-cursive loop that did not BREAK until all accounts at the bank were empty?
That is Re-Entrancy in a nutshell.So let's look at some code.
Example Target Code:
function withdraw(uint withdrawAmount) public returns (uint) {
Line 1: Checks that you are only withdrawing the amount you have in your account or sends back an error.
Line 2: Sends your requested amount to the address the requested that withdrawal.
Line 3: Deducts the amount you withdrew from your account from your total balance.
Line 4. Simply returns your current balance.
Ok this all seems logical.. however the issue is in Line 2 - Line 3.The balance is being sent back to you before the balance is deducted. So if you were to call this from a piece of code which just accepts anything which is sent to it, but then re-calls the withdraw function you have a problem as it never gets to Line 3 which deducts the balance from your total. This means that Line 1 will always have enough money to keep withdrawing.
Let's take a look at how we would do that:
Example Attacking Code:
function attack() public payable {
1.bankAddress.withdraw(amount);
}
2.function () public payable {
3.if (address(bankAddress).balance >= amount) {
4.bankAddress.withdraw(amount);
}
}
Line 1: This function is calling the banks withdraw function with an amount less than the total in your account
Line 2: This second function is something called a fallback function. This function is used to accept payments that come into the contract when no function is specified. You will notice this function does not have a name but is set to payable.
Line 3:This line is checking that the target accounts balance is greater than the amount being withdrawn.
Line 4:Then again calling the withdraw function to continue the loop which will in turn be sent back to the fallback function and repeat lines over and over until the target contracts balance is less than the amount being requested.
Review the diagram above which shows the code paths between the target and attacking code. During this whole process the first code example from the withdraw function is only ever getting to lines 1-2 until the bank is drained of money. It never actually deducts your requested amount until the end when the full contract balance is lower then your withdraw amount. At this point it's too late and there is no money left in the contract.
Setting up a Lab Environment and coding your Attack:
Hopefully that all made sense. If you watch the videos associated with this blog you will see it all in action.We will now analyze code of a simple smart contract banking application. We will interface with this contract via our own smart contract we code manually and turn into an exploit to take advantage of the vulnerability.
Then lets open up an online ethereum development platform at the following link where we will begin analyzing and exploiting smart contracts in real time in the video below:
Coding your Exploit and Interfacing with a Contract Programmatically:
The rest of this blog will continue in the video below where we will manually code an interface to a full smart contract and write an exploit to take advantage of a Re-Entrency Vulnerability:
Conclusion:
In this smart contract exploit writing intro we showed a vulnerability that allowed for re entry to a contract in a recursive loop. We then manually created an exploit to take advantage of the vulnerability. This is just the beginning, as this series progresses you will see other types of vulnerabilities and have the ability to code and exploit them yourself. On this journey through the decentralized world you will learn how to code and craft exploits in solidity using various development environments and test nets.
Getting Started These instructions will show you the requirements for and how to use Spray.
Prerequisites All requirements come preinstalled on Kali Linux, to run on other flavors or Mac just make sure curl(owa & lync) and rpcclient(smb) are installed using apt-get or brew.
rpcclient curl
Using Spray This script will password spray a target over a period of time It requires password policy as input so accounts are not locked out Accompanying this script are a series of hand crafted password files for multiple languages. These have been crafted from the most common active directory passwords in various languages and all fit in the complex (1 Upper, 1 lower, 1 digit) catagory.
SMB To password spray a SMB Portal, a userlist, password list, attempts per lockout period, lockout period length and the domain must be provided
Lync To password spray a lync service, a lync autodiscover url or a url that returns the www-authenticate header must be provided along with a list of email addresses
License Spray Created by Jacob Wilkin Copyright (C) 2017 Trustwave Holdings, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Acknowledgments
Thanks to insidetrust for their great statistically likely usernames project which I have included in the name-lists folder
Thanks to iditabad and vortexau for their pull request contributions to the project.
This is a post about an old vulnerability that I finally found the time to blog about. It dates back to 2014, but from a technical point of view it is nevertheless interesting: An XML parser that tries to fix structural errors in a document caused a DoS problem.
All previous posts of this series focused on XSS. This time, we present a vulnerability which is connected another Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies like IBM, Dell and Akamai as well as academic institutions and the European Space Administrations (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed using the Apache-2 license.
OpenNebula offers a broad variety of interfaces to control a cloud. This post focuses on Sunstone, OpenNebula's web interface (see Figure 1).
Figure 1: OpenNebula's Sunstone Interface displaying a VM's control interface
Before OpenNebula 4.6.2, Sunstone had no Cross-Site Request Forgery (CSRF) protection. This is a severe problem. Consider an attacker who lures a victim into clicking on a malicious link while being logged in at a private cloud. This enables the attacker to send arbitrary requests to the private cloud through the victims browser. However, we could find other bugs in OpenNebula that allowed us to perform much more sophisticated attacks.
Denial-of-Service on OpenNebula-VM
At its backend, OpenNebula manages VMs with XML documents. A sample for such an XML document looks like this:
OpenNebula 4.6.1 contains a bug in the sanitization of input for these XML documents: Whenever a VM's name contains an opening XML tag (but no corresponding closing one), an XML generator at the backend automatically inserts the corresponding closing tag to ensure well-formedness of the resulting document. However, the generator outputs an XML document that does not comply with the XML schema OpenNebula expects. The listing below shows the structure that is created after renaming the VM to 'My <x> VM':
The generator closes the <x> tag, but not the <NAME> tag. At the end of the document, the generator closes all opened tags including <NAME>.
OpenNebula saves the incorrectly generated XML document in a database. The next time the OpenNebula core retrieves information about that particular VM from the database the XML parser is mixed up and runs into an error because it only expects a string as name, not an XML tree. As a result, Sunstone cannot be used to control the VM anymore. The Denial-of-Service attack can only be reverted from the command line interface of OpenNebula.
This bug can be triggered by a CSRF-attack, which means that it is a valid attack against a private cloud: By luring a victim onto a maliciously crafted website while logged in into Sunstone, an attacker can make all the victim's VMs uncontrollable via Sunstone. A video of the attack can be seen here:
"DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;) " read more...
