30+ Websites For Royalty Free Images And Stock Photos

Images are very important for web designers. If you are a blogger or web designer, you need images for your next blog post or next web design. Images make the design attractive. If you are writing a blog post, images increase the readership. But getting the right images is not easy. You cannot use any image […]
The post 30+ Websites For Royalty Free Images And Stock Photos appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/S8C-hwsaX_s/20-websites-for-royalty-free-images-and.html

10Minutemail – Python Temporary Email

10minutemail.net is a free, disposable e-mail service. Your temporary e-mail address will expire after 10 minutes, after which you cannot access it. You can extend the time by 10 minutes. The website you are registering with could be selling your personal information; you never know where your e-mail will be published. An email address with a 10-minute lifespan is the best solution to prevent this.

Installation

wget https://raw.githubusercontent.com/m4ll0k/10minutemail/master/10minutemail.py && python 10minutemail.py

Usage

python 10minutemail.py
python 10minutemail.py --save emails.txt

Download 10Minutemail

Link: http://feedproxy.google.com/~r/PentestTools/~3/6P5wkV_3yTU/10minutemail-python-temporary-email.html

H2T – Scans A Website And Suggests Security Headers To Apply

h2t is a simple tool to help sysadmins harden their websites. Until now h2t checks the website headers and recommends how to make them better.

Dependencies

Python 3
colorama
requests

Install

$ git clone https://github.com/gildasio/h2t
$ cd h2t
$ pip install -r requirements.txt
$ ./h2t.py -h

Usage

h2t has subcommands: list and scan.

$ ./h2t.py -h
usage: h2t.py [-h] {list,l,scan,s} …

h2t - HTTP Hardening Tool

positional arguments:
  {list,l,scan,s}   sub-command help
    list (l)        show a list of available headers in h2t catalog (that can be used in scan subcommand -H option)
    scan (s)        scan url to hardening headers

optional arguments:
  -h, --help        show this help message and exit

List Subcommand

The list subcommand lists all headers cataloged in h2t and can show information about them, such as a description, links for more information and how-tos.

$ ./h2t.py list -h
usage: h2t.py list [-h] [-p PRINT [PRINT …]] [-B] [-a | -H HEADERS [HEADERS …]]

optional arguments:
  -h, --help            show this help message and exit
  -p PRINT [PRINT …], --print PRINT [PRINT …]
                        a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
  -B, --no-banner       don't print the h2t banner
  -a, --all             list all available headers [default]
  -H HEADERS [HEADERS …], --headers HEADERS [HEADERS …]
                        a list of headers to look for in the h2t catalog

Scan Subcommand

The scan subcommand performs a scan of a website looking for its headers.

$ ./h2t.py scan -h
usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS …]] [-p PRINT [PRINT …]] [-i IGNORE_HEADERS [IGNORE_HEADERS …]] [-B] [-E] [-n] [-u USER_AGENT] [-r | -s] url

positional arguments:
  url                   url to look for

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity: -v print response headers, -vv print response and request headers
  -a, --all             scan all cataloged headers [default]
  -g, --good            scan good headers only
  -b, --bad             scan bad headers only
  -H HEADERS [HEADERS …], --headers HEADERS [HEADERS …]
                        scan only these headers (see available in list sub-command)
  -p PRINT [PRINT …], --print PRINT [PRINT …]
                        a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
  -i IGNORE_HEADERS [IGNORE_HEADERS …], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS …]
                        a list of headers to ignore in the results
  -B, --no-banner       don't print the h2t banner
  -E, --no-explanation  don't print the h2t output explanation
  -o {normal,csv,json}, --output {normal,csv,json}
                        choose which output format to use (available: normal, csv, json)
  -n, --no-redirect     don't follow http redirects
  -u USER_AGENT, --user-agent USER_AGENT
                        set user agent to scan request
  -k, --insecure        don't verify SSL certificate as valid
  -r, --recommendation  output only recommendations [default]
  -s, --status          output actual status (eg: existent headers only)

Output

For now the output is only in normal mode. Understand it as follows:

[+] Red Headers are bad headers that open a breach on your website or may reveal a lot of information. We recommend fixing them.
[+] Yellow Headers are good headers that are not applied on your website. We recommend applying them.
[-] Green Headers are good headers that are already used on your website. They are shown when the -s flag is used.

Example:

Cookie HTTP Only would be good to be applied
Cookie over SSL/TLS would be good to be applied
Server header would be good to be removed
Referrer-Policy would be good to be applied
X-Frame-Options is already in use, nothing to do here
X-XSS-Protection is already in use, nothing to do here

Screenshots

List h2t catalog
Scan from file
Scan url
Scan verbose
Headers information

Download H2T
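As an added example (not h2t's own code), the red/yellow/green classification the Output section describes, run over a constructed set of response headers; the catalog of good and bad headers is an assumed subset, not h2t's real catalog:

```python
from typing import Dict, List, Tuple

# Assumed catalog (constructed, not h2t's): good headers that should be present,
# bad headers that should be removed because they leak implementation details.
GOOD_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "x-xss-protection": "X-XSS-Protection",
    "referrer-policy": "Referrer-Policy",
}
BAD_HEADERS = {"server": "Server", "x-powered-by": "X-Powered-By"}


def classify_headers(headers: Dict[str, str], status: bool = False) -> List[Tuple[str, str, str]]:
    """Return (colour, item, advice) triples in h2t's output style.

    red    -> bad header present, should be removed
    yellow -> good header (or cookie flag) missing, should be applied
    green  -> good header already applied; only listed when status=True (h2t's -s flag)
    """
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for key, name in BAD_HEADERS.items():
        if key in present:
            findings.append(("red", name, f"{name} header would be good to be removed"))
    for key, name in GOOD_HEADERS.items():
        if key not in present:
            findings.append(("yellow", name, f"{name} would be good to be applied"))
        elif status:
            findings.append(("green", name, f"{name} is already in use, nothing to do here"))
    # Cookie flags: everything after the first ';' in Set-Cookie is an attribute.
    cookie = present.get("set-cookie")
    if cookie is not None:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("yellow", "Cookie HTTP Only", "Cookie HTTP Only would be good to be applied"))
        if "secure" not in attrs:
            findings.append(("yellow", "Cookie over SSL/TLS", "Cookie over SSL/TLS would be good to be applied"))
    return findings


# Constructed sample response headers for a stand-alone run (no network needed).
SAMPLE_HEADERS = {
    "Server": "nginx/1.14.0",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for colour, _, advice in classify_headers(SAMPLE_HEADERS, status=True):
        print(f"[{colour}] {advice}")
```

With real traffic, the `headers` argument would be the response headers returned by the `requests` library that h2t depends on.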

Link: http://feedproxy.google.com/~r/PentestTools/~3/LaZLa7zlv9k/h2t-scans-website-and-suggests-security.html

Latest Drupal RCE Flaw Used by Cryptocurrency Miners and Other Attackers

Another remote code execution vulnerability has been revealed in Drupal, the popular open-source Web content management system. One exploit — still working at the time of this writing — has been used in dozens of unsuccessful attacks against our customers, with an unknown number of attacks, some likely successful, against other websites. Published on February 20th, […]
The post Latest Drupal RCE Flaw Used by Cryptocurrency Miners and Other Attackers appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/ehBGF65ofeY/

Modlishka – An Open Source Phishing Tool With 2FA Authentication

Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).
Enjoy :-)

Features

Some of the most important 'Modlishka' features:

Support for the majority of 2FA authentication schemes (by design).
No website templates (just point Modlishka to the target domain; in most cases, it will be handled automatically).
Full control of "cross" origin TLS traffic flow from your victims' browsers.
Flexible and easily configurable phishing scenarios through configuration options.
Pattern-based JavaScript payload injection.
Stripping the website of all encryption and security headers (back to 90's MITM style).
User credential harvesting (with context based on URL parameter passed identifiers).
Can be extended with your ideas through plugins.
Stateless design. Can be scaled up easily for an arbitrary number of users, e.g. through a DNS load balancer.
Web panel with a summary of collected credentials and user session impersonation (beta).
Written in Go.

Action

"A picture is worth a thousand words":

Modlishka in action against an example 2FA (SMS) enabled authentication scheme:

Note: google.com was chosen here just as a POC.

Installation

The latest source code version can be fetched from here (zip) or here (tar).

Fetch the code with 'go get':

$ go get -u github.com/drk1wi/Modlishka

Compile the binary and you are ready to go:

$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
$ make
# ./dist/proxy -h
Usage of ./dist/proxy:
  -cert string
        base64 encoded TLS certificate
  -certKey string
        base64 encoded TLS certificate key
  -certPool string
        base64 encoded Certification Authority certificate
  -config string
        JSON configuration file. Convenient instead of using command line switches.
  -credParams string
        Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
  -debug
        Print debug information
  -disableSecurity
        Disable security features like anti-SSRF. Disable at your own risk.
  -jsRules string
        Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
  -listeningAddress string
        Listening address (default "127.0.0.1")
  -listeningPort string
        Listening port (default "443")
  -log string
        Local file to which fetched requests will be written (appended)
  -phishing string
        Phishing domain to create - Ex.: target.co
  -plugins string
        Comma seperated list of enabled plugin names (default "all")
  -postOnly
        Log only HTTP POST requests
  -rules string
        Comma separated list of 'string' patterns and their replacements.
  -target string
        Main target to proxy - Ex.: https://target.com
  -targetRes string
        Comma separated list of target subdomains that need to pass through the proxy
  -terminateTriggers string
        Comma separated list of URLs from target's origin which will trigger session termination
  -terminateUrl string
        URL to redirect the client after session termination triggers
  -tls
        Enable TLS (default false)
  -trackingCookie string
        Name of the HTTP cookie used to track the victim (default "id")
  -trackingParam string
        Name of the HTTP parameter used to track the victim (default "id")

Usage

Check out the wiki page for a more detailed overview of the tool usage.

FAQ (Frequently Asked Questions)

Blog post

Credits

Thanks for helping with the code go to Giuseppe Trotta (@Giutro).

Download Modlishka

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z2CV9SS3UmA/modlishka-open-source-phishing-tool.html

Htcap – A Web Application Scanner Able To Crawl Single Page Application (SPA) In A Recursive Manner By Intercepting Ajax Calls And DOM Changes

Htcap is a web application scanner able to crawl single page applications (SPA) in a recursive manner by intercepting ajax calls and DOM changes. Htcap is not just another vulnerability scanner, since it is focused on the crawling process and aims to detect and intercept ajax/fetch calls, websockets, jsonp, etc. It uses its own fuzzers plus a set of external tools to discover vulnerabilities and is designed to be a tool for both manual and automated penetration testing of modern web applications.

It also features a small but powerful framework to quickly develop custom fuzzers in less than 60 lines of Python. The fuzzers can work with GET/POST data, XML and JSON payloads and switch between POST and GET. Of course, fuzzers run in parallel in a multi-threaded environment.

This is the very first release that uses headless Chrome instead of PhantomJS. Htcap's JavaScript crawling engine has been rewritten to take advantage of the new async/await features of ECMAScript and has been converted to a Node.js module built on top of Puppeteer.

More info at htcap.org.

Setup

Requirements

Python 2.7
Node.js and npm
Sqlmap (for sqlmap scanner module)
Arachni (for arachni scanner module)

Download and Run

$ git clone https://github.com/fcavallarin/htcap.git htcap
$ htcap/htcap.py

Documentation

Documentation, examples and demos can be found at the official website https://htcap.org.

Download Htcap

Link: http://feedproxy.google.com/~r/PentestTools/~3/aJgXuqnKFus/htcap-web-application-scanner-able-to.html

10+ Online Tools to Resize or Crop Images

Sometimes we need to resize a photo for uploading to a form or elsewhere, but we do not have Photoshop on the system. In this case, we need a tool that can help us resize or crop the photo as needed. Some people prefer Paint for this work. It is true that Paint can […]
The post 10+ Online Tools to Resize or Crop Images appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/bOG12BSzaHk/resize-or-crop-your-images-online.html