Information Security Education Resources

DVWA Part 2: Exploiting Cross-Site Scripting (XSS) Vulnerabilities

For the second installment of our DVWA series, we are going to look at cross-site scripting (XSS) vulnerabilities and how to exploit them in our Damn Vulnerable Web Application. If you missed part one of this series that shows you how to set up DVWA, you can check it out here. What is XSS? Cross-site scripting (from here on out, referred to as XSS) is an injection attack in which malicious scripts are injected into a…


Information Security Education Resources

Installing Damn Vulnerable Web Application (DVWA) Using XAMPP in Kali Linux

In order to learn web app exploitation safely (and legally), it is useful to have practice applications to run on your local environment. Damn Vulnerable Web Application (DVWA) was created for just this purpose. DVWA contains many common web vulnerabilities such as SQL injection, XSS, and more that allow you to hone your web hacking skills. In this article, we will go over how to install DVWA using the XAMPP web server in Kali Linux. Downloading…


Information Security Education Resources

A story about “free” antivirus

A colleague of mine was working on a coworker's personal computer. The job was a fresh Windows 10 installation, and my colleague decided to install Avast Antivirus Free. Shortly after installing Avast, Security Onion lit up like a Christmas tree. I didn’t recognize the IP address that the alerts were originating from, so I went into our equipment room where I found the PC plugged in. When I unplugged the ethernet cable, the alerts stopped…


Information Security Education Resources

Enough with the Hoodies: Education without the scare tactics

Growing up, I had DARE & abstinence-only education, which were comprehensive national education programs designed to educate children and keep them safe. They are an easy sell with a “wholesome” and straightforward answer to an otherwise complicated subject. “Just Say NO!” can be readily understood by young and old and easily marketed. Why not for InfoSec? Why not on a national scale? The ubiquity of electronics has grown exponentially. According to a 2017 article by…


Linux Tutorials

Security Onion Set Up Part 4: Tuning

Once data starts flowing through the sniffing interfaces you are going to be presented with a lot of false positives. It’s essential to reduce the number of false positives because the identification of real indicators can become next to impossible and your hardware will thank you. When I fired up Security Onion on Ubuntu 16.04 for the first time, it was generating around 26 alerts a second using Emerging Threats and Snort rulesets. Now that…
