Below is the list of security related links Troy Hunt posted on September 26, 2015. http://www.troyhunt.com/2015/09/troys-ultimate-list-of-security-links.html
Also included are links posted by his readers in the Comments section.
Troy Hunt’s ultimate list of security links
SSL / TLS / HTTPS
- Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
- Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
- Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL
- CloudFlare – Get SSL for free on any website
- Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs
- Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot
- Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
- HTTP Shaming – Sensitive data sent insecurely? Name and shame!
DDoS
- Krista’s professional DDoS service – Video of an innocent teenager promoting a DDoS service
- Norse – Totally awesome real time map of DDoS attacks that’s absolutely mesmerising to watch
- Booter promotional video – Very professional advert for a “booter” service (complete with “Epic DDoS interface”)
- networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world’s largest provider of DDoS defences…
SQL injection
- sqlmap – The tool for mounting SQL injection attacks tests against a running site
- Drupal 7 SQL injection flaw of 2014 – great example of how impactful it still is (patch it within 7 hours or you’re owned)
- Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours worth of Pluralsight content
XSS
- XSSposed – List of sites found to be vulnerable to XSS (including attack vector)
- Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL
- XSS Filter Evasion Cheat Sheet – Because XSS payload filtering is almost always insufficient
- </xssed> – Heaps of XSS news and lists of vulnerabilities
Security scanners
- NetSparker – My favourite dynamic analysis tool due to ease of use and practicality (especially good for developers who may not live in security land)
- OWASP Zed Attack Proxy (ZAP) – Great tool for dynamic analysis security testing and ha a whole raft of other users too (oh – and it’s free!)
- Burp Suite – Seriously powerful with a heap of different tools and a freebie version to get you started
- Fiddler – Not a security tool per se, but I use it extensively to inspect website behaviour, tamper with requests and modify responses on the wire
- Acunetix – Popular dynamic analysis tool similar to NetSparker but is let down a bit in the usability stakes IMHO
- Nikto2 – Freebie open source app scanner sponsored by NetSparker
Exploit databases and breach coverage
- seclists.org – Heaps of exploits consolidated from various bug tracking lists
- Exploit Database – Very comprehensive list of vulnerabilities
- PunkSPIDER – Lots of vulnerabilities of all kinds all over the web (about 90M sites scanned with over 3M vulns at present)
- Data Loss DB – Good list of breaches including stats on number of records compromised
- Information is Beautiful: World’s Biggest Data Breaches – Fantastic visualisation of incidents that give a great indication of scale
Cracking software
- Hashcat – The tools for cracking hashed passwords; totally free with a great supportive community
- John the Ripper – Also top notch password cracking software with some different approaches to Hashcat
- RainbowCrack – Rainbow tables are becoming less relevant in the era of fast GPUs and tools like Hashcat, but it’s worth a mention anyway
- Aircrack-ng – For all your 802.11 WEP and WPA-PSK key cracking needs
Hacking and penetration testing tools
- Metasploit – The canonical pen testing tool; seriously advanced and enormously powerful
- BeEF – The Browser Exploitation Framework offering remote control over a target’s browsing session
- Kali Linux – All your pen testing bits in one image!
- Backtrack-linux – Fallen out of favour a bit as Kali has emerged, but still deserves a mention
- Nmap – For all your mapping of network things needs
- Wireshark – When you need to down to monitoring at the packet level
Vulnerability definitions
- The OWASP Top 10 Web Application Security Risks – The canonical categorisation of the top risks on the web today
- SANS 20 Critical Security Controls – Great consolidation of security controls presented in an easily consumable fashion
Security headers
- Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse
- SecurityHeaders.io – Everything security header related and a great place to assess your current state
- Report URI – Analyse your CSP and HPKP headers plus log your exception reports there
- Make any website do the Harlem Shake – if you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site
Passwords
- OWASP Password Storage Cheat Sheet – There are plenty of bad ways of doing it, this is a great resource documenting the good ways
- Jimmy Kimmel “What is your password” – video of interviewing people and engineering them into disclosing their password
- Diceware – A popular method of creating strong pass phrases suitable for use as a password
Password managers
- 1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
- LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers
- KeePass – A popular free alternative to commercial password managers
Account management
- Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site
- Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system)
- Botnet brute force attack against GitHub – I regularly use this as an example of how hard it can be to defend against brute force
Personal security
- F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging
- mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts is a “must have” today IMHO
Googledorks
- Google Hacking Database – Great collection of Googledorks categorised by various classes of expose data
- Google Hacking for Penetration Testers – In case you prefer books over web pages
Other tools and links
- Have I been pwned? – How could I not include this?! My own tool, now being put to particularly good use by large enterprises monitoring tens of millions of people
- Mailinator – create temporary email addresses for testing
- Shodan – Find devices connected to the web (cameras, SCADA systems, etc.)
- Reitre.js – “What you require you must also retire”: Helps identify JavaScript libraries with known vulnerabilities
- urlQuery.net – Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
- Phish5 – I’m yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
- Plain Text Offenders – Been emailed your password? Name and shame!
- Kaspersky Real Time Threat Map – Very cool visualisation of the real time threat Kaspersky is seeing
- Tor Browser Bundle – Access the underwebs and browse anonymously
Security statistics reports
- Verizon Data Breach Investigations Report – The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics
- WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report
- Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!)
- Websence Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape
- HP Cyber Risk Report – More cyber, more statistics, more reports
Noteworthy books
- We are Anonymous – Still one of my favourite security books, a look inside Lulzsec and how it all unravelled
- Ghost in the Wires – The story of Kevin Mitnick’s early days and an absolutely fascinating read
- Data and Goliath – Just because you’re paranoid doesn’t mean they’re not after you! Excellent read on data collection by Bruce Schneier
Other things you should be reading
- What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text – Because encoding is one of those things you just need to know
Awesome people you want to read and follow
- Mikko Hypponen
- Brian Krebs
- Jeremiah Grossman
- Scott Helme
- Bruce Schneier
- Kevin Mitnick
- Swift on Security
- Brian Honan
- Graham Cluley
- Rob Graham
Links from the Comments (with some shameless and not shameless plugs)
- Troyhunt.com / @troyhunt
- http://blog.cryptographyengineering.com/ (Crypto relatively easy explained)
- http://blog.cr.yp.to/ (Also crypto, by Dan Bernstein)
- https://blog.skullsecurity.org/ (Detailed “How-to”s to a wealth of security stuff, from DNS over Hash extension to ROP)
- https://pax.grsecurity.net/docs/index.html (Especially the txt documents – that’s where a lot of the kernel security today comes from – ASLR anyone?)
- https://twitter.com/grsecurity (Twitter of one of the grsecurity devs, most interesting for Linux users)
- http://googleprojectzero.blogspot.de/ (Google’s Project Zero)
- http://www.dfir.org/?q=node/8 <- big list of “recommended Reading”
- https://strongpasswordgenerator.com/
- https://8ack.de/firstaidkit/ dont panic fist aid kit (more for devops, but some links could fit in here too)
- https://app.pluralsight.com/library/courses/aspdotnet-security-secrets-revealed/table-of-contents “ASP.NET Security Secrets Revealed” course
- http://infospectives.co.uk/
- Also open source training: https://www.edgescan.com/secure_application_dev_training_material.html
- Edgescan stats report: http://www.bccriskadvisory.com/wp-content/uploads/Edgescan-Stats-Report.pdf
- https://encryptr.org/
- http://emailsecuritygrader.com/
- IBM X-Force Exchange Threat Intel Platform – https://exchange.xforce.ibmcloud.com/
- IBM X-Force Threat Intelligence Quarterly – http://www-03.ibm.com/security/xforce/downloads.html
- Book – The Cuckoos Egg by Cliff Stoll
- https://httpsecurityreport.com/
- http://www.digitalattackmap.com/
- Password Manager – https://www.schneier.com/passsafe.html
- https://privnote.com/
- https://paragonie.com/blog/category/security-engineering
- https://www.privacytools.io/
- http://www.arachni-scanner.com/
- http://www.arachni-scanner.com/features/framework/crawl-coverage-vulnerability-detection/
- https://whatsmychaincert.com/
- https://certsimple.com/
- http://testssl.sh/
- Book – http://www.amazon.com/Stealing-Network-Complete-Collectors-Edition/dp/159749299X
- http://wpscan.org/
- https://wpvulndb.com/
Original content courtesy of Troy Hunt licensed under a Creative Commons Attribution 3.0 Unported License.
Work on this page is also licensed under a Creative Commons Attribution 3.0 Unported License.