Blog

🔝 Learn Penetration Testing for free Android app

🏆 Just published my first Android app to learn ethical hacking! PentestWiki Quiz (Still beta! Not finished yet, but a good sample of questions. Have a look and let me know!) https://play.google.com/store/apps/details?id=com.defensahacker.pentestwikiquiz

Scientific Notation bug bypass AWS WAF protection

AWS WAF and the mod_security Apache module were affected by a scientific notation bug, discovered back in 2013, that made it possible to bypass the WAF and successfully exploit a SQL injection vulnerability. Find below the payload used for the attack, showing the scientific notation: By executing the following command it was possible to bypass the WAF SQL injection…
🔝 How to use Nuclei for vulnerability scanning

Nuclei is a tool developed by the Project Discovery team; as they say, it is a "fast and customizable vulnerability scanner based on simple YAML based DSL". It is similar to the Nmap NSE script engine, but much easier to develop for, as it only uses YAML files. First of all, in order to install nuclei you need…
The Rise of the Chief Product Security Officer (CPSO)

Watch "AppSec's Future and the Rise of the Chief Product Security Officer" by Joshua Corman and Chris Wysopal below:

NIST best practices to prevent and mitigate ransomware attacks

Ransomware is a big threat to any company or corporation. In a matter of minutes, all data on servers, workstations and laptops can be encrypted and most probably lost. It is also worth mentioning that ransomware attacks can exploit some unpatched Windows vulnerability, but most of the time they are triggered by employees executing some weird attachment while…
How to scan a host with RustScan

When performing a penetration test, one of the most crucial parts is scanning and enumeration, because if you miss any important port at this stage, you are letting go of a juicy part of the attack vector to compromise the machine. Nmap is the de facto standard for port scanning; however, it's great to know that there are…
How to download Windows legally for FREE for your pentesting labs or malware analysis

Sometimes we need a fresh Windows install to use as a sandbox, try some exploits, etc. The best method is to virtualize it using VirtualBox or VMware, but how do you do it without buying a license every time? 🙂 Here is the solution: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ Please note that these virtual machines expire after 90 days, but…
Note taking for the OSCP certification

It doesn't matter whether you are doing a pentest engagement for a client or working through your OSCP certification: note taking is a mandatory skill. You can use Microsoft OneNote, as many people do; two open-source alternatives are KeepNote and Cherrytree. Here are a couple of examples I personally use:

10 RULES TO BECOME A GREAT PENTESTER

#1 The first step is to deeply understand how computers and networks work. Without this understanding you cannot understand what is happening behind the scenes. Get a good understanding of computer memory, network protocols, OS essentials,…

#2 Kali Linux is the de facto standard for pentesting, so you will have to master Linux commands.

#3…
Pentestwiki.org joins the Brave Verified Creator program

BAT (Basic Attention Token) is a crypto token natively supported by the Brave web browser, which blocks standard trackers and cookies and shows you a limited number of ads in a pop-up window. For each ad you can earn around 0.005 BAT, and you can also send BAT to websites that are part of the BAT…