Pentesting thick client applications is not a new concept instead the techniques adopted are new and interesting. I’m a bit lazy on explaining what thick client apps are, please refer here for more info. GTalk, Pidgin, Skype, MSN are few examples of thick client applications.

Cross Site Request Forgery is one of the most happening attacks over the internet today. The attackers find it easy to exploit as it does not require any authentication information, session cookies but only require the user to be authenticated to the application. And this works on every platform.

Now a days, I get very curious to look at view-source of website where Facebook’s Like button is embedded. But why should I do this? Isn’t facebook Like button trusted? This is right.. Huh!!! The answer is NO. If there is a mismatch in the domain (you are visiting) and facebook’s Like button then there is surely a problem and it is a spam page.

Recently, I was trying to use my previously automated Nessus Automation scripts and detected they aren’t working on latest Nessus 5.2 XMLRPC.Last time, I automated network scanning tasks using XMLRPC in Perl but strange it did not work anymore with Nessus 5.2.

It is always been a pain to run Nessus when you have long list of IPs to be scanned within a short period of time. This typically happens when you are engaged in an internal pentest and you have multiple IPs to scan.

One word answer “NO”. This is based on my experience w.r.t cleaning Wordpress (WP) sites against malware attack. Hackers mostly attack CMS based websites i.e.