PaulDotCom Mailing List

General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

List Archives


Latest Posts

Re: [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 09)
Thanks all,

In my case the WAF is a black box, so before starting I am trying to evaluate the possibilities...
My customer has a web application protected by a WAF, and I need to audit the website.

My first approach was to evaluate the WAF in order to have a starting line.
I started with a frame analyzer and good old basic concepts, and finally I scripted a way to obtain a basic whitelist.

I am now seeking a way to operate with what I found, but it is really...

Re: [Security Weekly] Audit a WAF Chris Campbell (Apr 08)
Are you auditing the WAF and all the associated issues (logging, alerting, signature updates, policy updates etc.) or
are you auditing the WAF policy and the application coverage that it provides?

If it's the latter, and the WAF policy is black box, then I like to see a vuln. assessment done with and without WAF
coverage to see what the difference is. If the policy is available to you then you should be looking for

[Security Weekly] Security Hype Pete Herzog (Apr 08)

I wrote a new article about security hype to launch a campaign against
the watering down of security through product placement. I'm sure many
of you feel this same way. So here it is:



Re: [Security Weekly] Audit a WAF TAS (Apr 08)

Quick things that come to my mind are

1. Read the manual of the WAF you are reviewing. It will give you a
hint of what that model offers and what your area of focus should be
when reviewing the WAF.
2. Check what mode the WAF is running in: is it blocking or inline mode?
3. What policies are configured on the WAF?
4. Check if they have made any custom policies.
5. Check what kind of alerts there are on the WAF.
6. Check how is the...

Re: [Security Weekly] Audit a WAF David Maynor (Apr 08)
Auditing a WAF isn't hard; it just requires knowing the content the WAF is
protecting and the different ways it can be encoded/obfuscated. Most web
auditing tools like Burp Suite, w3af, nikto, or skipfish can be configured to
audit WAFs. Most vulnerabilities you find will come from a gap between what the
content can do and what the WAF developer has chosen to cover. The most
basic example is encoding a char like ' that can be used in SQL Injection...

[Security Weekly] Building a Decoder for the CVE-2014-0502 Shellcode Andrew Case (Apr 08)
Hello All,

I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:


It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.

This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of...

[Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 08)
I read several articles about WAFs, mainly methods of bypass.
Several papers held my attention; they referred to a fuzzer-like tool called "Waffun".

I would like to assess the WAF through a company-internal project.

Can anyone share this tool, or just inform me of tips, similar tools, ... or best practices for evaluating a WAF?
Thanks in advance.

RAMELLA Sébastien
Systems and network integrator / Consultant in...

Re: [Security Weekly] Helping users encrypt xgermx (Apr 08)
You might find some use out of this site, if you're not already familiar
with it:

On Wed, Mar 19, 2014 at 11:55 PM, Brian Milliron <Brian () ecrsecurity com> wrote:

Re: [Security Weekly] Helping users encrypt Robin Wood (Apr 08)
No full disk encryption recommendations?


[Security Weekly] Where do you get your exploit digest Jamil Ben Alluch (Mar 31)

I was wondering where everyone gets their exploit digest.

I use exploit-db and packetstorm regularly to check for exploits and
vulnerabilities; I was curious if there are any other reliable sources
where you can find known exploits as well as zero-days.

Do you follow any specific Twitter accounts or blogs that keep you
constantly updated?

Best Regards,

*Jamil Ben Alluch, ing. jr, GCIH*

*Information Technology & Security...

[Security Weekly] Helping users encrypt Brian Milliron (Mar 31)
Hi all, I've put together a how-to aimed at regular users who are
concerned about online privacy and want to set up and use encryption on a
regular basis. Encryption loves company, after all. When only IT geeks
use encryption, it's really not much use at all. So I tried to make
something accessible for all the Aunt Sallys of the world.


I'd be interested in any feedback...

[Security Weekly] monitoring google index George Moore (Mar 12)
Indiana University recently disclosed a breach where SSNs, among other things, appeared on search engines such as Google.

I was wondering if anyone had a recommendation on how to monitor search engine indexes. Ideally I would like an email when
new pages appear for queries like:

site:mydomain.com FTP
site:mydomain.com ssn
site:mydomain.com filetype:xls password

I recall google alerts doing this years ago but it looks like they took...

Re: [Security Weekly] Computer inventory software Tyler Robinson (Mar 10)
We have used metalan from hammersoftware; it's pretty good. We also have
spent a lot of time for several clients using Spiceworks; the community and
dev on it keep getting better, and it supports multiple remote sites now, so
it's getting to be really applicable.

Re: [Security Weekly] Re-Branding Daniel Jorge (Mar 10)
Hey guys,

I've been working on an Android app to exchange secure SMS.
If you can, try it out!

Here is the link to the Google Play store page:


2014-01-22 16:23 GMT+00:00 Robin Wood <robin () digininja org>:

Re: [Security Weekly] Computer inventory software Tim Krabec (Mar 08)
Looks cool
