Technique, Tool and Lecture #3

Time for another entry of Technique, Tool and Lecture!

Technique:

<!<script>alert(1)</script>

The key point is the <! which one researcher found sometimes allow bypassing AWS WAF.

Yes, that simple…

Source

Tool: 

Spiderfoot, a great tool for both semi-active and passive reconnaissance!

Here are a list of modules that I run when I am at the semi-passive reconnaissance phase of an external pen test:

• Base64
• Bing
• Binary String Extractor
• Censys
• Cookies
• E-Mail
• Errors
• File Metadata
• Google
• Historic Files
• Hosting Providers
• Interesting Files
• Junk Files
• Name Extractor
• Page Info
• Pastes
• Phone Numbers
• S3 Bucket Finder
• Shodan
• Spider
• SSL
• Strange Headers
• Web Framework
• Web Server
• Yahoo

Download Spiderfoot here

Lecture:

SirenJack: Cracking a ‘Secure’ Emergency Warning Siren System

Source

Check out all the entries of this series!

• Technique Tool and Lecture #14
• Technique Tool and Lecture #13
• Technique, Tool and Lecture #12
• Technique, Tool and Lecture #11
• Technique Tool and Lecture #10
• Technique, Tool and Lecture #9
• Technique, Tool and Lecture #8
• Technique, Tool and Lecture #7
• Technique, Tool and Lecture #6
• Technique, Tool and Lecture #5
• Technique, Tool and Lecture #4
• Technique, Tool and Lecture #3
• Technique, Tool and Lecture #2
• Technique, Tool and Lecture #1

END TRANSMISSION