finding the apache log files using burp intruder

Often when conducting security assessments it is necessary to go beyond just identifying the vulnerability, reporting it and heading out for a beer. Sometimes, like when conducting a penetration test or when asked by a client to demonstrate business risk, it is necessary to gain command line access to the machine to show the risks associated with having a web user being able to execute commands on their machine. Often this involves getting a shell by some means, but in the case of Local File Inclusion (LFI) simply finding the Apache Log location folder can be enough to start running commands on the system as the Apache service account.

Often I’ve wasted hours trying all sorts of combinations trying to find the correct location of the log files by looking up version numbers and identifying operating systems, but being true to the Pentester’s code, sometimes it’s better to be lazy and just automate the damn thing. So what a buddy of mine and I did was to compile a list of common Apache …

is robots.txt dead? let’s ask dropbox

First off I’d like to give creds to Francis Brown and Rob Ragan who presented their talk Tenacious Diggity at Defcon20 where I found out about the apparent steam-rolling of Dropbox’s robots.txt file. For as far back as I can remember, the robots.txt file has been a ban-list of places that search engine crawlers are supposed to ignore when crawling a site. Recently, however, there is some talk that the preferred way of disallowing crawlers is to control them using alternative methods such as meta tags and JavaScript.

It may appear, however, that Google has already decided that robots.txt is merely a bug heading towards its windscreen and is indexing pages that are excluded via the robots.txt, as is apparent with Dropbox.

in the realm of the hackers

In The Realm of the Hackers is a 2003 Australian documentary directed by Kevin Anderson about the prominent hacker community, centered in Melbourne, Australia in the late 80’s to early 1990. The storyline is centered around the Australian teenagers going by the hacker names “Electron” and “Phoenix”, who were members of an elite computer hacking group called The Realm and hacked into some of the most secure computer networks in the world, including those of the US Naval Research Laboratory, Lawrence Livermore National Laboratory, a government lab charged with the security of the US nuclear stockpile, and NASA.

Kudos to Fuzzy for the link!