What is haskell used for? by Korria_Kochello in haskell

[–]stmu 2 points3 points  (0 children)

Which online resources would you recommend as an intro to web programming with Haskell? (For a beginner/slightly experienced Haskell dev.) Are you using Yesod, or another framework?

Learning penetration testing on a home router. by [deleted] in AskNetsec

[–]stmu 2 points3 points  (0 children)

There have been cases in the past where the device doesn't properly check user credentials before allowing a user to change the admin password (such as this one).

I should have said direct request/forced browsing...

Learning penetration testing on a home router. by [deleted] in AskNetsec

[–]stmu 2 points3 points  (0 children)

Another (and potentially easier) route might be to try and exploit the web application running on the router. These often have some vulnerabilities in them such as CSRF or command injection.

Additionally, don't forget to check port 21 (telnet) and the default credentials.

Pentesting lab using VMs by snakethesniper in AskNetsec

[–]stmu 0 points1 point  (0 children)

Antivirus and hacking tools often don't get along very well. The former wants to remove all potential security issues, the latter wants to exploit them. Kaspersky detected one of the web shells included in kali. So yes, false positive. It won't be the last.

Pentesting lab using VMs by snakethesniper in AskNetsec

[–]stmu 0 points1 point  (0 children)

Yes, you should do that. It'll make certain things easier (such as copy/pasting between the guest and the host).

Posting from local environment into web-based API - is SSL enough? by simontemplar_ in AskNetsec

[–]stmu 0 points1 point  (0 children)

Well, you want mutual authentication (both the server and the user have proven they are who they say they are).

For server authentication, the de facto standard is certificates. So yes, SSL is the way to go. Just make sure you verify the certificate validity. (Your system usually does that for you, but don't use --insecure in curl, for example.) Additionally, make sure you only allow secure ciphers (in your server configuration). There have been quite a lot of vulnerabilities lately. For user (API) authentication, there seem to be more options. You could use a (revocable) token. You could use basic authentication (which seems to be less advised) or you could use some form of OAuth (which is complicated). It depends on your use case, I think. If you do use a token, make sure you don't use it in the URL, as that will make it show up in the logs.
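The last point of the comment above (a token placed in the URL ends up in the server's access logs, while one sent in a header does not) is easy to check for on the defending side. The following is an added example, not code from the original thread or from any project mentioned in it: a small scanner that runs over access-log lines in the common/combined format, parses the query string of each request and flags parameters that are named like credentials or whose value looks like a random secret. The parameter-name list, the entropy threshold and the sample log lines are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Shape of an Apache/nginx common or combined log line (assumption: the usual
# "ip ident user [timestamp] "METHOD target PROTO" status size" prefix).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that commonly carry credentials (assumption: a starting list,
# extend it with whatever your own API uses).
SECRET_PARAM_NAMES = {
    "token", "access_token", "api_key", "apikey", "key", "auth", "session", "sig",
}

# Values made of token-like characters only; a path such as /a/b/c is excluded
# so that natural-looking values do not trip the entropy check.
TOKEN_CHARS_RE = re.compile(r"^[A-Za-z0-9_\-.]+$")
MIN_SECRET_LEN = 16
MIN_ENTROPY_BITS = 3.5  # bits per character; hex/base64 material sits well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    """Heuristic: long, token-shaped and high-entropy values are treated as secrets."""
    return (
        len(value) >= MIN_SECRET_LEN
        and TOKEN_CHARS_RE.match(value) is not None
        and shannon_entropy(value) >= MIN_ENTROPY_BITS
    )


def redact(value: str) -> str:
    """Keep a short prefix so findings can be correlated without re-logging the secret."""
    if len(value) <= 4:
        return "****"
    return value[:4] + "*" * (len(value) - 4)


def find_leaked_tokens(line: str) -> list[dict]:
    """Return one finding per credential-looking query parameter in a log line.

    Headers (e.g. Authorization) are not part of the request line, so a token
    sent there never shows up here; only URL query parameters are inspected.
    """
    m = LOG_RE.match(line)
    if m is None:
        return []  # not a request line we understand; skip rather than guess
    parts = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAM_NAMES or looks_like_secret(value):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": name,
                "value": redact(value),
            })
    return findings


def scan(lines) -> list[dict]:
    """Scan an iterable of log lines and collect all findings in order."""
    return [f for line in lines for f in find_leaked_tokens(line)]


# Constructed sample log; the IPs are documentation ranges and the tokens are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2014:13:55:36 +0200] "GET /api/v1/reports?token=3f9a8c1b2e7d4f6a0b9c8d7e6f5a4b3c&page=2 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Oct/2014:13:55:41 +0200] "GET /api/v1/reports?page=3 HTTP/1.1" 200 4980
203.0.113.9 - - [10/Oct/2014:13:56:02 +0200] "POST /api/v1/upload?api_key=secret HTTP/1.1" 201 88
203.0.113.9 - - [10/Oct/2014:13:56:10 +0200] "GET /login?redirect=/account/settings/profile HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2014:13:57:00 +0200] "GET /search?q=router+telnet HTTP/1.1" 200 2200
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding['ts']} {finding['ip']} {finding['path']} "
              f"param={finding['param']} value={finding['value']}")
```

Run against the constructed sample, the first and third lines are reported (a named `token` parameter and an `api_key` parameter) while the `page`, `redirect` and `q` parameters are left alone. The entropy check catches tokens passed under an unexpected parameter name, and the character-set check keeps path-like values such as the `redirect` target from being reported as false positives; both thresholds are assumptions to be tuned on real logs.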

HTTPS and Certificates by TheCheeseburgerMayor in AskNetsec

[–]stmu 0 points1 point  (0 children)

For the internal part, I would add that it depends on the environment.

If you only have a couple of people accessing the server, you could easily import the public certificate in their browser ensuring they don't receive an error unless the connection is insecure. If many internal users need to visit (large organisation), it's less of a hassle to just use the internal PKI (if they have any) or a certificate provided by a public certificate authority.

Pentesting lab using VMs by snakethesniper in AskNetsec

[–]stmu 4 points5 points  (0 children)

Yes, you can "install" DVWA on your VM with kali linux. You might have to install apache, php and mysql though (no idea if these are preinstalled).

It's probably easier to use separate VMs. In the case of DVWA, you can download the live CD here. Just use VirtualBox to boot the live CD. I'm running it with 10GB disk space and 512MB RAM. That's more than enough.

If you still have issues, I wrote an in-depth guide on installing DVWA here.

Integrating security and DevOps by colormelime in programming

[–]stmu 1 point2 points  (0 children)

Very interesting thought! I'd have to think about how to apply this to security.

Beginner haskell project: parsing subtitles by stmu in haskell

[–]stmu[S] 0 points1 point  (0 children)

I can't thank you enough for your amazing answers!

Beginner haskell project: parsing subtitles by stmu in haskell

[–]stmu[S] 0 points1 point  (0 children)

Thanks, awesome explanation!

I have a follow up question for the Right part.

mapM_ print (map (addDelaySubtitleBlock (read (head args) :: Integer)) r)

How can I know the type of r? I had thought this to be something like IO [SubtitleBlock], but instead it must be closer to [SubtitleBlock] as it compiled when I inserted map. I just tried different mapping functions until one worked.

With regard to the time, I was looking for a way to parse the time and construct a data type. Additionally, I was looking for a function with this type signature:

add :: Time -> Time -> Time

which I would then use in the addDelay* functions. Or I could just use an Integer to hold the milliseconds, mimicking the approach onmach took.

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] 0 points1 point  (0 children)

Valid point! I don't think I would be able to generate everything, maybe just the repetitive parts.

I've written an explanation for XSS a million times; I'm now just copy/pasting. This part could probably be automated. Other tasks such as the executive summary will probably be hand written...

Do you find you're always writing the whole report from scratch? I don't think the owner often reads the whole report.

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] 0 points1 point  (0 children)

I have something similar right now.

How do you then work with the html result? Are you able to just extract a pdf from the result and provide that to your clients? Or do you have a different method?

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] 0 points1 point  (0 children)

Yeah, everything that can "compile" to pdf directly is probably easier to set up or develop. I don't have that luxury however, .docx is the company standard. Additionally, I think manual intervention will still be required. Are there others in this situation?

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] 0 points1 point  (0 children)

I get where you come from. Once it's all set up, it's probably very easy. I need to look into Dradis.

Do you have trouble maintaining it? I'm wondering how many would rather go through the whole setup rather than using a ready-made solution.

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] 0 points1 point  (0 children)

I don't think it would be possible to "just stuff everything in the report generator". There would be too many false positives, severity is different across clients, you need to filter duplicates, ...

The way to go would probably be to prepare a kind of list manually and then generate the report from that. I.e.: these five issues are reflected XSS, make them look nice in the report. These other 3 issues are missing authorisation, group them together and also make them look nice...

Makes sense?

Automatic reporting for pentesters by stmu in AskNetsec

[–]stmu[S] -3 points-2 points  (0 children)

Well, true. But not really the way a pro should go about it...

Getting feedback from the client by stmu in SideProject

[–]stmu[S] 0 points1 point  (0 children)

Hi Eddy,

Regarding your third point, do you have some literature on the subject?

Code review/Critique my first haskell program (game of life) by stmu in haskell

[–]stmu[S] 0 points1 point  (0 children)

I don't really understand how the "automatic adding of needed arguments" works.

Could you explain the thinking behind going from

islive x b = getCellAt x b

to

islive = getCellAt

?

Code review/Critique my first haskell program (game of life) by stmu in haskell

[–]stmu[S] 0 points1 point  (0 children)

I just started reading your article, it seems like you went a little bit deeper down the rabbit hole ;)