• Register

CVE - Latest News

CAPEC - Latest News

CWE - Latest News

340+ Bug Bounty and Disclosure Programs List of World Known Bug Bounty Programs
It all started a long time ago. We don’t know who coined the term, but Google made it well-known when they launch their Bug Bounty Program in order to get more secure.After that, big companies like AT&T, Facebook, Mozilla, Paypal, Samsung, Yandex and others, realised how important Bug Bounty and Disclosure Programs are for their services, products and started implementing them as well. The advantages for companies that run Bug Bounty Program and security professionals or bug hunters are clear. Companies patch their flaws/vulnerabilities, while security specialists get paid or hall of fame for it. Commercial programs like bug bounty or reward systems but also regular security acknowledgments.  The "updated list of bug bounty and disclosure programs" impact 340+ world known security programs. UP TO DATED - Together a list of the most notable world known Bug Bounty and Disclosure Programs -   340+ COMPANY SERVICES & PRODUCTS (BUG BOUNTY & REWARDS & SWAGS OFFERED)   COMPANY SERVICES & PRODUCTS BUG BOUNTY & REWARDS SWAG[S] HALL OF FAME

logo-core-impactCORE Impact Professional is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization.

  • endpoint systems & email users
  • mobile devices
  • network devices
  • network systems
  • web applications
  • wireless networks

 Multi-Threat Surface Investigation

CORE Impact Pro is the only solution that empowers you to replicate multi-staged attacks that pivot across systems, devices and applications, revealing how chains of exploitable vulnerabilities open paths to your organization’s mission-critical systems and data.

Determine-Exposure-to-Real-World-Threats

What-If Attack Analysis

Impact Pro empowers you to demonstrate the severity of exposures by not only replicating how an attacker would compromise and interact with vulnerable systems, but also revealing exactly which data would be at risk.

CORE Impact replicates attacks that pivot across multiple layers of infrastructure, confirming the efficacy of security controls and revealing exposed pathways to your organization’s most critical assets.

  • profile systems in a stealthy, low-impact way
  • exploit vulnerabilities across several threat vectors
  • gain administrator access through privilege escalation attacks
  • reveal the implications of an attack by interacting with compromised systems
  • pivot across attack paths spanning multiple infrastructure layers
  • generate reports containing actionable data about critical exposures
  • re-test to ensure the efficacy of patches and other remediation
  • Commercial-Grade Exploits

Only CORE Impact Pro offers a stable, up-to-date library of commercialgrade exploits and real-world testing capabilities. CORE routinely delivers 30+ new exploits and other updates each month – all professionally built and tested by in-house researchers and developers.  

  • Actionable Results and Reports
  • Impact offers the industry’s most comprehensive vulnerability reports. 
  • Confirm exploitable vulnerabilities to plan remediation efforts
  • Gain metrics that illustrate the efficacy of layered defenses  
  • Validate compliance with government and industry regulations

CORE Impact replicates attacks that pivot across multiple layers of infrastructure, confirming the efficacy of security controls and revealing exposed pathways to your organization’s most critical assets.

core-impact_vuln_mgt_cycle

Network Penetration Testing

  • Gather network information and build system profiles
  • Identify & exploit critical OS, service & application vulnerabilities
  • Replicate an attacker’s attempts to access and manipulate data after the initial compromise
  • Leverage compromised systems as beachheads to attack other network resources through VPN and proxy pivots

Client-Side Testing of End Users and Endpoints

  • Crawl sites, search engines and other sources for potential attack targets and information useful for targeting attacks 
  • Leverage a variety of templates or create custom phishing emails 
  • Use client-side exploits to test endpoint system security
  • Test security awareness with or without exploiting systems
  • Replicate multi-staged attacks by pivoting to backend networks

 Network Device Penetration Testing

  • Scan IP ranges for network devices and gather identifying information, such as manufacturer, model and OS
  • Exploit configuration vulnerabilities and verify access through configuration retrieval, password cracking, access list piercing, and interface monitoring capabilities
  • Web Application Penetration Testing
  • Identify weaknesses in web applications, web servers and associated databases – with no false positives
  • Test for all OWASP Top Ten web application vulnerabilities 
  • Dynamically generate exploits that can compromise security weaknesses in custom applications
  • Import and validate results from web vulnerability scanners to confirm exploitability and prioritize remediation
  • Pivot attacks to the web server and backend network

Mobile Device Penetration Testing

  • Identify critical exposures posed by mobile devices on your network
  • Evaluate the security of new mobile devices prior to deployment  
  • Get actionable data required to mitigate business risks
  • Access call and text logs, GPS data, and contact entries

Wireless Network Penetration Testing

  • Assess WEP, WPA-PSK and WPA2-PSK encrypted networks
  • Conduct man-in-the-middle attacks, intercept wireless transmissions, and insert exploits into relayed traffic
  • Impersonate access points to target Wi-Fi enabled systems
  • Pivot to network, web application and client-side attacks

Vulnerability Scan Validation

CORE Impact Pro can import and validate the exploitability of results from the following network and web vulnerability scanners:

  • eEye Retina® Network Security Scanner
  • GFI LANguard™
  • HP Web Inspect®
  • IBM AppScan®
  • IBM Internet Scanner®
  • Lumension® Scan
  • McAfee® Vulnerability Manager
  • nCircle IP360™
  • NTO Spider™
  • Qualys QualysGuard®
  • SAINTscanner® 
  • Tenable Nessus®

CORE Impact’s vulnerability validation capabilities provide you with actionable data for efficient remediation.

A vulnerability scanner is not required to use Impact, since it can independently identify and profile servers, services, web pages, etc. to intelligently select exploits  appropriate for your testing targets.

 

Check out Core Impact Professional www.coresecurity.com

 

logo-hp-WebInspectHP WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities in applications running in development, QA, or production. HP WebInspect gives you the power to:

  • Increase modern Web technology coverage
  • Accelerate security through more actionable information
  • Elevate security knowledge across the business
  • Comply with legal, regulatory, and architectural requirements
  • Leverage automation to do more with less

Build an enterprise-wide application security programWith the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the functionalities to their users with a single click. In this quest for providing the customers with single click solutions, all the sensitive data is shifted on to a server which is then accessed by a web application. In most of the scenarios, web applications have direct access to the backend database and thus control valuable data. With a simple well crafted malicious payload a hacker can now get all the information from database. So it’s crucial that the web applications need to be secure enough to handle the attacks.

Securing Web applications:

It’s now apparent that securing web applications is essential for the companies to be in business. The real question is how it can be achieved. Below are some of the checks that are in place to ensure that security holes in the web application are identified:

  1. Threat Modeling deals with identifying threats, attacks, vulnerabilities, and countermeasures for your application in the design phase.
  2. Security Code Reviews come into picture at the end of development phase. The entire code is inspected to find vulnerabilities.
  3. Manual Penetration Testing is done after the application is deployed in some environment. The application is attacked and assessed for vulnerabilities.
  4. Automated Vulnerability Scanners are the tools which aid Penetration testers by identifying the vulnerabilities present.

HP WebInspect is one of the most widely used automated vulnerability scanners in the market today. It helps us to identify vulnerabilities present in the web application by taking necessary input from us. IBM Appscan Standard Edition, Acunetix Scanner, Burp scanner, Nikto are the other vulnerability scanners that are in place. For the rest of this article I will be focusing on using WebInspect to identify security vulnerabilities.

Advantages:

  • Saves time when dealing with large enterprise applications
  • Simulates the attack, shows the results and presents you with a comprehensive view.
  • It is not dependent on the underlying language.

Disadvantages:

  • It’s hard for any tool to find logical flaws, weak cryptographic storage, severity of the disclosed information etc.
  • It has a list of payloads that it uses on every web application. It does not use any wisdom in generating payloads depending on the type of application.
  • There could be false positives among the listed vulnerabilities.
  • Having said that, WebInspect scores high on many features and helps a great deal in providing scanning solutions.

Main Features in HP WebInspect 9HP WebInspect 9.10 is the latest version in use as of today. Below lines would throw an insight into various features that are available in WebInspect.

  • Presents you with tree structure: By crawling the entire application WebInspect presents you with the hierarchical tree structure of the web application and lists all the available URLS.
  • Customizable Views: While viewing the results of a scan WebInspect offers different views as per your requirement.
  • Scanning Policies: WebInspect gives you the freedom to edit and customize the scanning policies to suit your requirements and thus offers great flexibility.
  • Manual Hacking Control: With this option you can actually simulate an attack environment and see what’s really going on during a particular attack.
  • Report Generation: You can generate customizable reports by including desired sections and in desired format.
  • Remediation: WebInspect would provide a summary and the necessary fixes required to fix the vulnerabilities detected during a particular scan.
  • Web Services Scan: Web services usage is growing at a rapid pace. You can assess web service vulnerabilities by using WebInspect.

HP WebInspect is a security testing tool for web applications. This is part of HP Application Security Center product suite.

HP WebInspect includes checks for following vulnerabilities:

  • Data injection and manipulation attacks

    • Reflected cross-site scripting (XSS)

       

       

       

      Persistent XSS
    • DOM-based XSS
    • Cross-site request forgery
    • SQL injection
    • Blind SQL injection
    • Buffer overflows
    • Integer overflows
    • Log injection
    • Remote File Include (RFI) injection
    • Server Side Include (SSI) injection
    • Operating system command injection
    • Local File Include (LFI)
    • Parameter Redirection
    • Auditing of Redirect Chains

 Sessions and authentication

    • Session strength

       

       

       

      Authentication attacks
    • Insufficient authentication
    • Insufficient session expiration

Others

    • Ajax auditing
    • Flash Analysis
    • HTTP Header Auditing
    • Detection of Client-side Technologies
    • Secure Sockets Layer (SSL) certificate issues
    • SSL protocols supported
    • SSL ciphers supported
    • Server misconfiguration
    • Directory indexing and enumeration
    • Denial of service
    • HTTP response splitting
    • DOS device handle DoS
    • Canonicalization attacks
    • URL redirection attacks
    • Password auto complete
    • Cookie security
    • Custom fuzzing
    • Path manipulation—traversal
    • Path truncation
    • WebDAV auditing
    • Web services auditing
    • File enumeration
    • Information disclosure
    • Directory and path traversal
    • Spam gateway detection
    • Brute force authentication attacks

 

 

 

Check out HP WebInspect - Application Security Testing www.hp.com

 

logo-ibm-appscanIBM Rational AppScan is a Web application security testing tool that automates vulnerability assessments.

IBM Rational AppScan  is a family of web security testing and monitoring tools from the Rational Software division of IBM. AppScan is intended to test Web applications for security vulnerabilities during the development process, when it is least expensive to fix such problems. The product learns the behavior of each application, whether an off-the-shelf application or internally developed, and develops a program intended to test all of its functions for both common and application-specific vulnerabilities.

AppScan tests for common Web application vulnerabilities including Cross-Site Scripting, Buffer Overflow, flash/flex application and Web 2.0 exposure scans.

  • Supports the latest Web 2.0 technologies: Includes parsing and execution of JavaScript and Adobe® Flash applications, a deep understanding of AJAX and Adobe® Flex related protocols such as JSON, AMF and SOAP, comprehensive support for elaborate SOA environments, as well as custom configuration and reporting for Mashup and process-driven applications

  • NEW! Scans and detects embedded Malware in web properties providing further protection against cyber-attacks. Available as an AppScan eXtension

  • Customization and Extensibility Capabilities: AppScan eXtension Framework enables the user community to build and share open source add-ons

  • Simplified scan results with the Results Expert wizard: Provides advanced remediation recommendations necessary to fix issues uncovered during the scan

  • Automated Capabilities for Penetration Testers: Advanced testing utilities and the Pyscan framework complements manual testing, offering more power and efficiency

  • Regulatory Compliance Reporting: 40 out-of-the box compliance reports including PCI Data Security Standard, ISO 17799, HIPAA, ISO 27001 and Basel II

Editions

  • AppScan Standard Edition - Desktop software for automated Web application security testing environment for IT Security, auditors, and penetration testers

  • AppScan Tester Edition - An edition that integrates with IBM Rational Quality Manager to form a security testing QA environment

  • AppScan Build Edition - A version that embeds web application security testing into the build management workflow

  • AppScan Enterprise Edition - Client-server version used to scale security testing

  • AppScan OnDemand - Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model

  • AppScan OnDemand Production Site Monitoring - Monitors production Web content and sites for security vulnerabilities via SaaS Model 

  • AppScan Source Edition - Prevent data breaches by locating security flaws in the source code

  • AppScan Reporting Console - Reporting add-on


Check out IBM Security AppScan @ www.ibm.com

 

  • Tab 1

    Cloud Security

    Cloud Security is the set of security protocols, methodologies and technologies that protect the availability of cloud resources and the integrity of data stored in a cloud computing environment. Cloud security differs from traditional computer security in that it is not focused on preventing access to specific machines.
    Read More About Cloud Security

     
  • Tab 2

    Mobile Security

    Mobile Security or mobile phone security has become increasingly important in mobile computing. It is of particular concern as it relates to the security of personal information now stored on smartphones. All smartphones, as computers, are preferred targets of attacks.
    Read More About Mobile Security

     
  • Tab 3

    Wireless Security

    Wireless Security is the prevention of unauthorized access or damage to computers using wireless networks. The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is one of the least secure forms of security.
    Read More About Wireless Security

     

Computer Forensics Analysis

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Read More...

Malware Analysis

Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.

Read More...

Guests Online

We have 153 guests and no members online

CORE Impact Professional

Logo Core ImpactCORE Impact Professional is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization.

 
 

Read More...

IBM Security AppScan

Logo IBM Rational AppScanIBM Rational AppScan Enterprise is a scalable solution to help resolve application security vulnerabilities, offering recommendations to simplify remediation.

 

Read More...

HP WebInspect

Logo - HP WebInspectHP WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities.

 

Read More...

Acunetix WVS

logo acunetix web application securityAcunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits web applications by checking for hacking vulnerabilities. 

 

Read More...

w4rri0r - Hacking Is Not A Crime - It's an art of Awareness

\/ w4rri0r - Hacking Is Not A Crime - It's an art of Awareness \/ -  w4rri0r work in the dark, w4rri0r do what w4rri0r can, w4rri0r give what w4rri0r have, w4rri0r doubt is w4rri0r passion and w4rri0r passion is w4rri0r task. The rest is the madness of art \/ w4rri0r \/ 

\/ w4rri0r.com \/ are the great resource for information security professionals and researcher. \/ w4rri0r \/ offers a extensive variation of information security services that include SECURITY EXPLOITS (Bug or Vulnerability), SECURITY ADVISORIES (Security Alerts), SECURITY RESEARCHER TOOLBOX (Freeware, Shareware & Open-Source), SHELLCODE (Attacker Controller - Chunk of Data), SECURITY TRAINING (Educational Purpose), SECURITY NEWS (Security Recent or Important Events) and with this group you can be assured that you’re in the right hands. \/ w4rri0r gr0up \/  efforts being endorsed and appreciated by administrators, security researchers and members of various underground hacking groups and communities worldwide.

\/ w4rri0r mission \/ are to make the information systems more secure, more aware, more reliable and protect against possible security breaches.