I’m always looking for cool tools that help me advance my knowledge, and I recently stumbled across the DVNA (Damn Vulnerable NodeJS Application) platform. It lets you demonstrate the OWASP Top 10 vulnerabilities in a lab setting, which is good both for educational purposes and for practicing your pentesting craft.
Check it out at: https://github.com/appsecco/dvna
This is an interesting CMS exploitation framework released on GitHub (one of many!). If you think you’re safe without adequate layer 7 defenses, you’re incredibly misinformed…
Check it out at: https://github.com/CHYbeta/cmsPoc
It’s critical to enable X-Forwarded-For logging when behind a proxy or load balancer in order to grab the true IP address of visitors; otherwise the c-ip field in the IIS log only ever shows the address of the proxy.
To enable this in your IIS site follow the steps below:
Step 1. Select your website in the IIS management console. In this example, I have a test site called www.larmeir.com. Ensure that the logging format is W3C, then click –> Select Fields.
Step 2. From the Select Fields menu click –> Add Field.
Step 3. From the Add Custom Field form add the following entries for X-Forwarded-For as shown in the screenshot.
Step 4. Click –> OK.
Step 5. In the Actions pane in the upper right-hand corner of IIS Manager, click –> Apply.
Conclusion: If everything went well you will now have a second IIS log in your logging directory, which will have a suffix of _x (this indicates a custom log).
This log will now contain the true IPs of visitors that are connecting to your website.
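Once the _x log exists, the next question is how to read the new field correctly. The example below is added here and is not code from the original post or from IIS; it parses a constructed W3C log (the field name X-Forwarded-For matches the custom field set up in the steps above) and recovers the visitor address with the one caveat that matters: X-Forwarded-For is a client-supplied header, so only the entries appended by your own proxy can be trusted. The function therefore walks the list from the right, skips hops inside the trusted proxy networks, and falls back to c-ip when the header is missing or malformed. The trusted network 10.0.0.0/8 and all log lines are assumptions made up for this example.

```python
"""Parse an IIS W3C log that carries a custom X-Forwarded-For field.

Added example, not part of the original post. The log below is constructed;
IIS writes '-' for an absent header and encodes the space after each comma
in a multi-hop header as '+', so "a, b" appears as "a,+b".
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Iterator

# Constructed sample of a custom-field (_x) log. c-ip is the load balancer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2024-01-01 00:00:01 10.0.0.5 GET /index.html 200 203.0.113.7
2024-01-01 00:00:02 10.0.0.5 GET /login 302 198.51.100.9,+203.0.113.7
2024-01-01 00:00:03 10.0.0.5 POST /api 200 -
2024-01-01 00:00:04 10.0.0.5 GET /admin 403 203.0.113.7,+10.0.0.9
2024-01-01 00:00:05 10.0.0.5 GET /search 200 not-an-ip
"""

# Assumed for this example: the only hop we control is the 10.0.0.0/8 LB tier.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # IIS re-emits this directive whenever the field set changes.
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than misalign columns
        yield dict(zip(fields, values))


def true_client_ip(record: dict[str, str],
                   trusted: Iterable[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> str:
    """Return the rightmost X-Forwarded-For hop that is not one of our proxies.

    Anything left of the last trusted hop was written by parties we cannot
    verify, so it is ignored. A missing or malformed header falls back to c-ip.
    """
    c_ip = record.get("c-ip", "-")
    xff = record.get("X-Forwarded-For", "-")
    if xff == "-":
        return c_ip
    hops = [hop.strip("+ ") for hop in xff.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: do not trust the rest of the header
        if any(addr in net for net in trusted):
            continue  # our own proxy; keep walking toward the client
        return str(addr)
    return c_ip


def client_ips(text: str,
               trusted: Iterable[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> list[tuple[str, str]]:
    """Map each request URI to the visitor address derived from the log."""
    trusted = list(trusted)
    return [(rec["cs-uri-stem"], true_client_ip(rec, trusted)) for rec in parse_w3c(text)]


if __name__ == "__main__":
    for uri, ip in client_ips(SAMPLE_LOG, TRUSTED_PROXIES):
        print(f"{ip:15} {uri}")
```

The second sample line shows why the rightmost-trusted rule matters: the leading 198.51.100.9 was supplied before the request reached the load balancer and could be anything, while 203.0.113.7 is the address the balancer itself observed. If more than one proxy tier sits in front of IIS, add each tier's network to the trusted list so the walk continues past it.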