Fiddler as proxy – and how to clone WordPres locally for testing

I got my local setup working under 127.0.0.1:91/blog. In order to overwrite my server default domain I added locally this to my wp-config.php file:

define('WP_HOME','http://127.0.0.1:91/blog'); define('WP_SITEURL','http://127.0.0.1:91/blog'); define('FORCE_SSL_LOGIN',false); define('FORCE_SSL_ADMIN',false); 

In my Fiddler Web Debugger script I am using this to redirect my browser request to my domain name, to instead go to my local setup:

if (oSession.HostnameIs("my.domain.name")){     oSession.bypassGateway = true;     if (oSession.HTTPMethodIs("CONNECT")){         oSession["x-replywithtunnel"] = "FakeTunnel";         return;     }       oSession["x-overrideHost"] = "127.0.0.1:91";     oSession.fullUrl = "http://127.0.0.1:91" + oSession.PathAndQuery; } 

How can I get WordPress returned page to be rewritten before it gets sent do the browser from 127.0.0.1:91 to my.domain.name; and from http:// to https://? Or is there a smarter way to go about all of this within WordPress?

I tried this in my Fiddler Script but it is not working:

if oSession.oResponse.headers.ExistsAndContains("Content-Type","text/html")){     oSession.utilDecodeResponse();     oSession.utilReplaceInResponse('http://','https://');     oSession.utilReplaceInResponse('127.0.0.1:91','my.domain.name'); } 

I suppose I could setup an Apache proxy rewrite for the pages that get returned, but I am not sure how to go about this.

User Testing Service. Launched June. Made $1000+ profit in July. 100% Outsourced.

Welcome to the auction for UsabilityTrial.com

Intro

Research shows that over 500 000 websites and 1500 mobile apps are launched every day!

With that in mind, we decided to create this service which gives owners of these new websites and apps access to real users who can test out their platforms before launch and provide feedback.

We launched the business in July and it has since generated 9 sales in July. (proof of income attached)…

User Testing Service. Launched June. Made $ 1000+ profit in July. 100% Outsourced.

Penetration testing: stuck with injecting upload form

I have to do an assignment for a penetration testing exam but i’m a little bit stuck.

Among all the vulnerabilities i have to inject an upload form but it behaves weird, if i upload a file (even an image or similar) it does not do anything so i can’t tell if the file has been uploaded or not, there is no error message , anything useful.

I have a LFI vulnearbility so i can check files in /var/www/html and get the source but i can’t find anything useful, basically i have only .php frontend files :\

What vulnerability can i expect? or are there any tests that i can do?

This is the post request of burp-suite when i upload: https://imgur.com/a/Z7zeFoQ

Thank you 🙂

Responsive websites testing

Hi everyone ,

I'm a web developer, and I've often found myself wasting too much time checking if a responsive website displays properly on all screen sizes.

I feel we have lots of powerful and advanced applications to design and code websites, but there are very few tools to test and debug the behavior of responsive web pages.

I guess many of you have found themselves in my shoes before.

To overcome this problem and make our work easier, I've created slashB, an application that provides…

Responsive websites testing

OWASP Client-Side Testing – How To

In the OWASP Testing Guide, it has a whole section called “Client-Side Testing.” This section has to do with testing for things such as DOM-based XSS, JavaScript execution, HTML injection, Client-Side URL Redirect, etc. The examples in the testing guide for the first four vulnerabilities (the ones I just listed) all include code that access document.location.

My question is, what other ways are there for these kinds of vulnerabilities to be introduced into a web page without accessing document.location? In other words, if a page does not ever access document.location, is it definitely free from these vulnerabilities?

configuring output of testssl for testing ciphers

I’m writing a script in python to automate cipher check using testssl.sh tool. the output JSON presents

 {               "id"           : "service",               "ip"           : "ad4screen.com/130.211.7.4",               "port"         : "443",               "severity"     : "INFO",               "finding"      : "HTTP"           } ,         {               "id"           : "pre_128cipher",               "ip"           : "ad4screen.com/130.211.7.4",               "port"         : "443",               "severity"     : "INFO",               "finding"      : "No 128 cipher limit bug"           } ,         {               "id"           : "cipher-tls1_xc014",               "ip"           : "ad4screen.com/130.211.7.4",               "port"         : "443",               "severity"     : "INFO",               "finding"      : "TLS 1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"           } ,         {               "id"           : "cipher-tls1_x35",               "ip"           : "ad4screen.com/130.211.7.4",               "port"         : "443",               "severity"     : "INFO",               "finding"      : "TLS 1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA"           } 

the output json doesn’t really tell the severity, I also used Nmap with cipher NSE script but it doesn’t support JSON output. but it does rank cipher from A (Strong) to F (Weak) . is there a way in testSSL.sh to report in JSON cipher with their rank (weak,strong, etc) ?

the command

testssl.sh -E --severity LOW --jsonfile results ad4screen.com 

it does return empty json i guess because the websites has no cipher with severity equal to low or higher, or I’m wrong ?