pentest | Pentesting tools tips including scripts | Awesome List library

How are you?

I have a question regarding the header referrer. In a pentest analysis to my app in nextjs I was told that it is allowing to pass a different header referrer to the allowed ones. For which I must implement a white list that does not allow access to resources if the referrer header is different.

I leave an image of the observation

Referrer header edited

Do you know how I could implement this validation from NextJs?

when I run anyu python using scapy fully updated it does this:

I want to pen test rest apis, the use case I have is a client(desktop app with username and password) connecting to a server. So I am confused from where to start and how to configure burp. Usually I use burp to pen test websites, which is quite easier to configure, you only set the proxy and intercept in the browser, but now the use case is different. Furthermore, I did some search on google I noticed postman is mentioned many times, I know it's a tool for building apis, but is it also used in the pentesting with the burp?

Context: Running an exploit vs a vulnerable VM as a part of my OSCP studies. I know this VM is vulnerable to this exploit because I ran the exploit inside MSF(pentesting framework) and it worked, but doing it manually I am having dependency issues.

Setup: I am on kali, latest quarterly release

Exploit: https://github.com/andyacer/ms08_067

Pip versions output

Trying to install dependencies

Keep in mind on kali "python" points to python2.7.18, and python3 points to python3.xwhatever because of backwards compatibility (funny huh) because tons of exploits are written in python2

the script uses #!/usr/bin/env python thus points to python2.7.18

I have already tried various solutions from various SO threads as well as articles on google.

I'm trying to pentest and Hook my android application method using frida. But when i do execute the command from command prompt in windows then my application get crashed and intended method is not executed from the apk.

I want to start my second activity by hook returning true from the frida script. Please help me to correct my code or with valid solution correction.

My app code:

I'm pentester-student and I very much like to complement tasks with Python version of it.

I've got a vulnerable box with IP 192.168.41.2 and port scanning with nmap resulted in:

I am trying to scrape the list of name from a web and need to list it in the form of Pandas.

I create a Pentest tool for educational purposes, so the old version was written using python 2, then I convert it to python 3 and when I try to run the main file pxxtf.py I got multiple errors, I correct most of them but for this one about Circular Import, I try multiple fixes from forums and StackOverFlow and nothing work with me.

When I try to run the main script :

I don't have much experience of penetration testing, but I am currently looking at OWASP Zap.

The website I am going to pentest runs on an Amazon EC2 instance. Amazon seems to have certain requirements when it comes to security testing: https://aws.amazon.com/security/penetration-testing/

The above website says that you can run security tests on a Amazon EC2 instance but not certain ones such as DNS zone walking, DoS, etc. which is fair enough.

The problem is that I can't see exactly what OWASP Zap will do when I click the "Attack" button and I obviously don't want to upset AWS!

Has anyone else used OWASP Zap on an EC2 instance? Did it you have to configure it to not do DoS attacks, etc? Is there any way I can find out what Zap is doing (I couldn't see anything in the documentation but may have missed something)?