decal's security shed


internet hacking


DoD  → 4-Layer Department of Defense ARPANet Model 7-Layer Open Systems Interconnect Internet Model ←  OSI

internal


Republished & re-edited IDS/IPS Evasion Techniques


IDS/IPS Evasion for URI's

Whitepapers & Blogs


Tickling CGI Problems: A whitepaper created with LaTeX (a document preparation system created mostly by Donald Knuth) about hacking web-based and standalone scripts written in Tcl/Tk (Mar 2011 Vulnerability Research)

Software Testing: Test Design and the Project Life Cycle (Dec 2002 Collegiate Term Paper)

Measuring (not so) recent BIND nameserver patching

Combinatoric Input Set Generation

Exploit One-Liners

Vendor-Coordinated Software Security Advisories


Veritas Storage Foundation Arbitrary File Read Vulnerability

Veritas Storage Foundation Memory Disclosure Vulnerability

PartyGaming PartyPoker Malicious Update Vulnerability

Cygwin Installation and Update Process can be Subverted Vulnerability

Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

Directory Traversal in IronWebMail
Mirror #1 - exploit-db.com

FreeBSD ircII port contains a remote overflow

Media References


PaulDotCom Security Weekly Episode 119 - Tech Segment: Software Update Security with Derek Callaway

Cenzic's SANS Contest Winner Headed to Las Vegas

Conferences as a Speaker


CanSecWest 2009  Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response
  Stop Malware Forever  [Whitepaper]

SOURCE Boston 2009  Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response
  Security Sovereignty: Binary Clone Wars  [Slides]

Derbycon 2013  Uncloaking IP Addresses on IRC
  Technical Lecture and Proof-of-Concept Demo  [Video]

Derbycon 2014  Project SCEVRON: SCan EVrything with ruby RONin
  Technical Lecture and Proof-of-Concept Demos  [Video]

BSides Delaware 2013  Uncloaking IP Addresses on IRC
High-level Description of Technique  [Video]




Spot The Fed: Online Edition

Conferences as an Attendee


DEFCON (DEFense readiness CONdition)

Black Hat Briefings USA

HOPE (Hackers On Planet Earth)

ShmooCon ("The Moose!")

Derbycon (reference to old hat style)

SummerCon (self-explanatory, traditionally small & old school)

SANS Network Security Vegas (course curriculum and commercial expo--put on by the folks from ISC)

SOURCE Boston (includes venture capitalists)

Security BSides (local infosec events)

external

Security Mailing List Archive

The Exploit Database (EDB)
An ultimate archive of exploits and vulnerable software. A great resource for penetration testers, vulnerability researchers, and security addicts alike. Our aim is to collect exploits from submittals and mailing lists and concentrate them in one easy-to-navigate database.
vulnhub.com - gain practical 'hands-on' experience in digital security

it-sec-catalog.info - Gathering references to IT-security related stuff
This project is an attempt to index, summarize and catalog links to software-security-related material. You can treat it as one big, centralized bookmark.
OWASP SecLists Project
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
Internet Engineering Task Force Tools

Internet Assigned Numbers Authority

exploitdownloads.com Self-Explanatory (Aggregator of Exploit Distribution Sites)

©Dell SecureWorks, Inc.

ZDNet's Zero Day Blog

System of Systems Blog at WordPress Where I Published Many Articles

Commercially-Linked Twitter Account That I Used to Tweet From

My Current Personal Twitter Account

github.com/decal

CVE Search at Circl

#BugBounty Tweets



Hacking the Web


"The Art of the Web" (Links Page)

Monitoring Web Indexing Robots

Free malware analysis service

manualzz.com

Archive-info.com

infopig.com

Browse W3C's Open Source Software

Architecture of the Web, Volume One

SANS CWE (Common Weakness Enumeration) Top 25

HTTP/WebDAV RFC Index

The latest information on how to use the technology that runs the web: HTML, CSS, JavaScript and more.

security.txt

googleonlinesecurity.blogspot.com: The latest news and insights from Google on security and safety on the Internet

PwnWiki.IO

The Matrix of W3C Specifications (includes SOAP)

OWASP: Open Web Application Security Project

Web Application Security Consortium

CGISecurity - Web Site and Application Security News

sla.ckers.org web application security forum

ha.ckers.org web application security lab (RSnake's old abandoned site)

WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.

Wikipedia Web Security Exploits Category

Wikipedia Free web server software Category

Web-based .htpasswd File and Site Access Manager

Mozilla Security Blog

Firefox Developer Tools

MDN Web Security

Open Data Protocols - Simple Open Standards for Open Data

Extensible Business Reporting Language

Incapsula Botopedia

Searchable List of User-Agents (Spiders, Robots, Crawler, Browser, etc.)

SRI Hash Generator

HTTP Extensions for Distributed Authoring: WebDAV

modern.IE

What browser am I using?

HTML Living Standard

WHATWG HTML: The Living Standard A technical specification for Web developers

 Can I Use? Compare Browsers (CSS, HTML5, SVG, etc.)

iOS UIWebView Browser Tests

Ping, HTTP & SSL Tests + ProCSSor (cleans/organizes CSS)

hackersdefence.org

support.thycotic.com

Help Desk Software powered by SmarterTrack 10.2 © 2003-2015 SmarterTools Inc.

zytrax.com/tech

packetstormsecurity.org

datalossdb.org

Apache Tomcat 7 Security Considerations

LFI Exploitation via php://input [a.k.a. how to web-shell a site]

Developing Single Page Web Applications using Java 8, Spark, MongoDB and AngularJS

Server-side: Dynamic Content, Part 1

Object RTC (ORTC) is a free, open project that enables mobile endpoints to talk to servers and web browsers with Real-Time Communications (RTC) capabilities via native and simple JavaScript APIs



Fine-Grained Transclusions of Multimedia Documents in HTML

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol

uaparser.org

Unicode Transformation Formats: UTF-8 & Co.

Everything HTML, CSS and JavaScript, the most common languages used in making web pages.

WAVE (WCAG/ARIA Guidelines Checker)

Easy Checks - A First Review of Web Accessibility

Website Accessibility Evaluation Report Generator

Accessibility-related add-ons for Mozilla Firefox and Thunderbird

PageSpeed Module: open-source server modules for Apache/NGINX by Google that optimize your site automatically

IDS/IPS Evasion for URI's

HTML5 tag list (refer to w3.com for the latest)

HTTP Status Codes

Universal Resource Identifiers in WWW





IETF Hypertext Transfer Protocol (HTTP/1.1) RFC's

RFC7230: Message Syntax and Routing

RFC7231: Semantics and Content

RFC7232: Conditional Requests

RFC7233: Range Requests

RFC7234: Caching

RFC7235: Authentication


IETF "DarkWeb" RFC's

RFC7685: A TLS ClientHello Padding Extension


IETF DNS RFC's

RFC7686: The ".onion" Special-Use Domain Name

Browser Hacking

browserling: live interactive cross-browser testing from your browser

Beautify, unpack, deobfuscate JavaScript and HTML, make JSON/JSONP readable, etc.

Spreadsheet comparison of security issues in major browser versions

Web Browser Security Checklist for Identity Theft Protection

Opera: Security specifications support in Opera Presto

Heap Feng Shui in JavaScript (Alexander Sotirov at BlackHat Europe 2007)

PURL: Persistent Uniform Resource Locators





Default Passwords


Top 500 Passwords

PHENOELIT-US.ORG

Default Passwords | CIRT.net

Default Router Passwords

Default passwords list

Virus.Org Default Password Database

passwordsdatabase.com

Router IP Address - Default: IP Address, Username, & Password

haveibeenpwned.com





Password Generators

Perfect Passwords | GRC's Ultra High Security Password Generator

Random Password Generator

JavaScript 8-character pronounceable password generator

Strong Password Generator

Cygnius Password Strength Test

CertExam: Switch Simulator Labs

qemu.org

TCP/IP Protocols


The Art of Unspoofing

BIND 8.3.3 Unspoofing Patch

BIND 4.9.9 Unspoofing Patch

Cisco Secure PIX Firewall Version 5.0 Command Reference

ACME Bandwidth Chart

Internet Assigned Numbers Authority: Protocol Registries

Numbering Resource Organization

Provider of Internationalized Domain Name Solutions

amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin

LBNL's Network Research Group

Official IETF RFC's (Internet standards proposals.)

arny's unix / net / hack page

USENET newsgroup name list generated by  tin -rnq  on 19-Jul-2012

The Honeynet Project

Mailing list thread about AS 7007 Incident!

As seen in the presentation "Hide and Seek: Post-Exploitation Style" from ShmooCon 2013

SCADA Security Mailing List Archive

UPnP Database

Pen Testing Cheat Sheets and Tools

toolswatch: Hackers Arsenal

SecTools, home of Nmap

BindShell

ImmunitySec Resources: Free Software

The Packetfactory RFC SourceBook

Shiar's Cheat Sheets

Underscores in DNS - and lots of other DNS idiosyncrasies

Apache Rivet and Websh - from recent Tcl-Apache integration efforts

Troubleshooting SSL/TLS communications using network dumps

IPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed

A blog based on community-contributed data about MikroTik RouterOS

The Measurement Factory

The HTTP/1.1 verb PUT under Apache: Safe or Dangerous?

Stanford Computer Security Laboratory

Connected: The Internet Encyclopedia @ freesoft.org
MH & xmh: Email for Users & Programmers

Collaboration and Reporting Framework for InfoSec Teams

bbs.77169.com

bgp-stats Mailing List Archive

CSE545 Lecture Slides from PSU: Interdomain Routing Security

Cisco Enterprise Campus Infrastructure Best Practices Guide

BGP Routing Table Analysis Reports from 1994 to Present

UDP port forwarding with socat

RFC2663: IP Network Address Translator (NAT) Terminology and Considerations

RFC4301: Security Architecture for the Internet Protocol

Clarifications and Implementation Notes for DNS Security (DNSSEC)

Root DNSSEC - Information about DNSSEC for the Root Zone

This is psyced, a scalable multi-protocol multi-casting chat, messaging and social server solution to build decentralized chat networks upon, released as open source. Powerful, not bloated, not too hard to get into.

NTP Architecture, Protocol and Algorithms

NTP Security Algorithms

NTP Security Protocol

NTP Security Model

RFC5906: Network Time Protocol Version 4: Autokey Specification

Avoid RFC 2317 style delegation of "in-addr.arpa."

Wikipedia Routing Algorithms Category

Wikipedia Onion Routing Article

IP Hijacking Wikipedia Article

CISSP Glossary Flash Cards

The Computer Technology Documentation Project

Note: The DNS section is excellent.



(D)DoS Attacks

Wikipedia Denial-of-service Attacks Category


"Big Data" Structures & Text Formatting


Structured Abstracts in MEDLINE

internetcensus2012.bitbucket.org



