Simple Password Generator

As part of my weekly coding challenges, I decided to create a simple password-generating program that lets a user create strong and unique passwords of the desired length. It's a great way to improve your programming and problem-solving skills. Let's see how it works!

Web for Pentester

Today we're going to continue our journey through the world of web application security, more precisely the XSS exercises from PentesterLab. It's a great way to practice what we have learned so far and also a good challenge. Let's jump into the first one!

Distributed Denial of Service Attack

Denial of Service (DoS) attacks are one of the simplest ways to paralyze the network infrastructure of a victim. Although many attacks are connected with destroying data or stealing credentials (or any other kind of sensitive information), DoS attacks can cause equally big financial losses. A properly prepared attack, in particular a Distributed Denial of Service attack, can cause catastrophic harm to the victim company. In addition, even though they are one of the earliest kinds of network attacks, they are getting more and more sophisticated and harder to prevent.

Cross Site Scripting

Cross Site Scripting (XSS) is the name of one of the most common vulnerabilities in web applications. It's third on the list in the newest OWASP Top Ten document, so it's essential to know how it works.

Browsers display the content of a website using a mix of HTML (HyperText Markup Language, which is the core of a webpage) and JavaScript, which is responsible for making things run in response to events (like clicking a button). Of course there are other essential elements, like CSS to style the webpage, but in order to perform an XSS attack we will only need HTML and JavaScript.

The essence of an XSS attack is to inject some malicious code (for example JavaScript, or another scripting language that a browser can run) into the browser of a client using a vulnerable web application. That way, an attacker is able to execute any malicious code in the victim's browser.

But why is it so powerful? Let's consider this example: you're running a simple WordPress website with a small audience. As you don't want spammers to make comments under your posts, you enable the option to only publish comments that you have approved yourself. In the meantime, some malicious hacker wants to destroy your webpage (who knows why, but there are still people like that). He first tests whether you really have to approve comments, and then injects into the comment box malicious JavaScript code that will steal cookies and send them to him. Now, as you've got a notification that someone published a new comment, you open the WordPress admin page to see what someone has written. The moment you view this comment, the malicious code steals your admin cookie and sends it to the attacker. A few hours later your site has been pwned.

Powerful, right? But enough story time for today, let's jump into some technical details.
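The comment-moderation scenario above, seen from the defender's side, as an added example that is not part of the original post and is not WordPress code. The function names, the cookie name and the sample comment are assumptions constructed for illustration; the script body is an inert placeholder.

```javascript
// Added example: rendering a pending comment in a moderation view,
// first by raw concatenation (vulnerable), then with HTML output encoding.
// All names are hypothetical; the comment below is constructed sample input.

// Characters that let text break out of an HTML text node or attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: visitor-supplied text becomes markup, so the browser of whoever
// opens the moderation page parses and runs any <script> it contains.
function renderCommentUnsafe(comment) {
  return `<li class="pending"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened: every visitor-controlled field is encoded for the HTML context,
// so the same input is displayed as text instead of being executed.
function renderCommentSafe(comment) {
  return `<li class="pending"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Second layer: HttpOnly keeps the session cookie unreadable from page scripts,
// which limits the cookie-theft outcome from the story if encoding is missed.
function sessionCookieHeader(name, value) {
  return `Set-Cookie: ${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a comment waiting for approval.
const pendingComment = {
  author: "visitor",
  body: "Nice post! <script>/* attacker-controlled script would run here */</script>",
};

console.log("unsafe:", renderCommentUnsafe(pendingComment));
console.log("safe:  ", renderCommentSafe(pendingComment));
console.log(sessionCookieHeader("session", "constructed-sample-value"));
```

Encoding has to match the place the value lands: this helper covers HTML text and quoted attribute values, not values placed inside a script block or a URL.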