Security-Shell

WAVSEP 2014 Web Application Scanner Benchmark

2014-02-12T10:49:00.001+01:00

The *2014* WAVSEP web application scanner benchmark has been published

Currently includes new products that were tested for the first time (ScanToSecure, N-Stalker), as well as returning vendors that were not tested for a while (NTOSpider).

Covering a total *63* vulnerability scanners, including commercial scanners, multiple SAAS engines and open source vendors, the research compares the performance of the various tested scanners in the following aspects:

(*) Prices vs. Features

(*) Automated Crawling (WIVET)

(*) Technology and Input Delivery Method Support

(*) Backup/Hidden File Detection Accuracy (*NEW!*)

(*) Unvalidated Redirect Detection Accuracy (*NEW!*)

(*) SQL Injection Detection Accuracy

(*) Cross Site Scripting Detection Accuracy

(*) Path Traversal / LFI Detection Accuracy

(*) (XSS/Phishing via) Remote File Inclusion

(*) Supported Vulnerability Detection Features (e.g. audit features)

(*) Authentication and Usability Features

(*) Coverage and Scan Barrier Support (AntiCSRF Tokens, CAPTCHA, etc)

(*) Etc

The benchmark *one page* result summary can be viewed through the following link:

http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

The full article, which includes analysis and conclusions, can be accessed through the following link:

http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html

To be up to date with all news just follow https://twitter.com/sectooladdict

Faraday - Penetration Test IDE

2013-12-17T08:00:00.000+01:00

Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Features:

* +40 Plugins (Metasploit, Amap, Arachini, Dnsenum, Medusa, Nmap, Nessus, w3af, Zap and More!)
* Collaborative support
* Information Highlighting
* Knowledge Filtering
* Information Dashboard
* Conflict Detection
* Support for multiple Workspaces
* IntelliSense Support
* Easy Plugin Development
* XMLRPC, XML and Regex Parsers

More info and Download: https://github.com/infobyte/faraday

Evil Foca - IPv4 and IPv6 Penetration testing tool

2013-12-02T19:45:00.000+01:00

Evil Foca is a tool for Pentesters and Security Auditors to perform security testing in IPv4/ IPv6 data networks.

The tool is capable to do different attacks such as:

MITM on IPv4 networks using ARP Spoofing and DHCP ACK injection.

MITM on IPv6 networks using Neighbor Advertisement Spoofing, SLAAC Attack, fake DHCPv6.

DoS (Denial of Service) on IPv4 networks using ARP Spoofing.

DoS (Denial of Service) on IPv6 networks using SLAAC Attack.

DNS Hijacking.

Download: http://www.informatica64.com

Retire.js - Command line Scanner and Chrome plugin

2013-11-02T14:43:00.000+01:00

Retire.js identify JavaScript libraries with known vulnerabilities in your application

Retire.js is a command line scanner that helps you identify dependencies with known vulnerabilites in your application. Using the provided Grunt plugin you can easily include Retire.js into your build process. Retire.js also provides a chrome extension allowing you to detect libraries while surfing your website.

To detect a given version of a given component, Retire.js uses filename or URL. If that fails, it will download/open the file and look for specific comments within the file. If that also fails, there is the possibility to use hashes for minified files. And if that fails as well, the Chrome plugin will run code in a sandbox to try to detect the component and version. This last detection mechanims is not available in the command line scanner, as running arbitrary JavaScript-files in the node-process could have unwanted consequences. If anybody knows of a good way to sandbox the code on node, feel free to register and issue or contribute.

It's important to note that even though your site is using a vulnerable library, that does not necessarily mean your site is vulnerable. It depends on whether and how your site exercises the vulnerable code. That said, it's better to be safe than sorry.

More Info and Download: https://github.com/bekk/retire.js

SpearPhisher – A Simple Phishing Email Generation Tool

2013-09-12T09:02:00.000+02:00

SpearPhisher is a simple point and click Windows GUI tool designed for (mostly) non-technical people who would like to supplement the education and awareness aspect of their information security program. Not only is it useful to non-technical folks, penetration testers may find it handy for sending quick and easy ad-hoc phishing emails. The tool supports specifying different sending names and email addresses, multiple recipients via TO, CC, BCC, and allows bulk loading with one recipient email address per line in a file. It allows customization of the subject, adding one attachment, and SSL support for SMTP enabled mail servers. One of the popular features with our client is the WYSIWYG HTML editor that allows virtually anyone to use the tool; previewing results as you point and click edit your malicious email body. If you want to add custom XSS exploits, client side attacks, or other payloads such as a Java Applet code generated by the Social Engineer Toolkit (SET), its split screen editor allows more advanced users to edit HTML directly.

Download and more info: https://www.trustedsec.com/september-2013/introducing-spearphisher-simple-phishing-email-generation-tool/

DefCamp 2013

2013-09-10T09:39:00.006+02:00

International hacking and information security conference in Romania

The DefCamp 2013 call for papers is officially open. The fourth edition of the international information security conference hosted in Romania will take place on November 29-30 2013, in Bucharest, at the Crystal Palace Ballroom.

Over 300 security experts, researchers, and enthusiasts from Romania and neighboring countries are expected to take part in the event. Between 29 - 30th of November the Crystal Palace Ballroom is hosting one of the most mesmerizing events of hacking & information security in Romania, Defcamp. Now in its fourth year, the event continues to impress its audience with knowledge sharing, competition with varying levels of difficulty, romanian and foreign speakers, surprises and fun.

"We have awaited the 48 hours of DefCamp 2013 since the closing moment of the last edition. It is hypnotizing to exchange ideas, to compete, to expand your knowledge and to meet people who you know only from the virtual world. DCTF (DefCamp Capture the Flag) - our main competition of the conference, Hack the Machine, App2Own, Spot the Cop, Wall of Sheep are just a few of the activities that will try to captivate your attention at Defcamp 2013. Sometimes I wish I could participate for me to fully enjoy these moments!", said Andrei Avădănei founder and coordinator of the Defcamp conference.

The conference that will take place this fall will engage participants in discussions about 0days, PRISM, mobile security problems, DDOS, networking, P2P networks, D&D APT’s, social engineering. camera surveillance, application security research, lock picking, secure system administration with key industry specialist from Romania and abroad holding presentations. Everyone can apply to be a speaker at the conference, DefCamp 2013 being the first edition where we officially launched a Call for Papers.

The DCTF ( DefCamp Capture the Flag ) will have an on line qualifying round followed by a death defying duel during the event between the teams that enter the finals. The competition challenges are extremely provocative and various - exploits, cryptography, programming, steganography, forensics, reverse engineering etc, these subjects being dealt with in 25 problems from the first round. Similar activities, like DCTF, but dedicated directly to the participants of the event are Hack the Machine and App2Own where everyone will have at their disposal different services and services to put their skills to the test and win awards.

DefCamp managed to, in just 3 editions, be the most awaited conference in the entire information security and hacking scene in Romania. Its the perfect time to join and feel the vibes. For more details you can access the conferences website or you can contact us directly at the address contact@defcamp.ro

CookieCatcher - Session Hijacking Tool

2013-08-27T08:25:00.000+02:00

CookieCatcher is an open source application which was created to assist in the exploitation of XSS (Cross Site Scripting) vulnerabilities within web applications to steal user session IDs (aka Session Hijacking). The use of this application is purely educational and should not be used without proper permission from the target application.

Features:
- Prebuilt payloads to steal cookie data
- Just copy and paste payload into a XSS vulnerability
- Will send email notification when new cookies are stolen
- Will attempt to refresh cookies every 3 minutes to avoid inactivity timeouts
- Provides full HTTP requests to hijack sessions through a proxy (BuRP, etc)
- Will attempt to load a preview when viewing the cookie data
- PAYLOADS
- Basic AJAX Attack
- HTTPONLY evasion for Apache CVE-20120053
- More to come

Video Demo: http://www.youtube.com/watch?v=2GH6RRozOpY

Download: https://github.com/DisK0nn3cT/CookieCatcher

GoLismero - The Web Knife Version 2.0 beta Released

2013-08-22T09:15:00.001+02:00

GoLismero is an open source framework for security testing. It's currently geared towards web security, but it can easily be expanded to other kinds of scans.

The most interesting features of the framework are:

Real platform independence. Tested on Windows, Linux, *BSD and OS X.
No native library dependencies. All of the framework has been written in pure Python.
Good performance when compared with other frameworks written in Python and other scripting languages.
Very easy to use.
Plugin development is extremely simple.
The framework also collects and unifies the results of well known tools: sqlmap, xsser, openvas, dnsrecon, theharvester...
Integration with standards: CWE, CVE and OWASP.

Get GoLismero from http://golismero-project.com

ZMap Internet Scanner v1.0.3 Released

2013-08-20T08:26:00.000+02:00

ZMap is a fast network scanner designed for Internet-wide network surveys. On a
typical desktop computer with a gigabit Ethernet connection, ZMap is capable
scanning the entire public IPv4 address space in under 45 minutes.

While previous network tools have been designed to scan small network segments,
ZMap is specifically architected to scan the entire address space. It is built
in a modular manner in order to allow incorporation with other network survey
tools. ZMap operates on GNU/Linux and supports TCP SYN and ICMP echo request
scanning out of the box.

Download and more info: https://zmap.io

WATOBO 0.9.13 Released

2013-08-09T23:18:00.002+02:00

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite. Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

New Features:

* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures.
* WATOB can act as a transparent proxy (requires nfqueue)
* WATOBO can perform vulnerability checks out of the box
* WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
* WATOBO supports Inline De-/Encoding.
* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
* WATOBO is written in (FX)Ruby and enables you to easily define your own checks
* WATOBO runs on Windows, Linux, MacOS ... every OS supporting (FX)Ruby
* WATOBO is free software ( licensed under the GNU General Public License Version 2)

Download: http://sourceforge.net/projects/watobo/

Browser Timing Attacks

2013-08-08T13:02:00.001+02:00

Pixel Perfect Timing Attacks with HTML5

Abstract

This paper describes a number of timi ng attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross - origin restrictions. The new requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on t iming data . The first technique allows the browser history to be sniffed by detecting redraw events. The second part of the paper shows how SVG filters are vulnerable to a timing attack that can be used to read pixel values from a web page. This allows pix els from cross - origin iframes to be read using an OCR - style technique to obtain sensitive data from websites

Download PDF: http://contextis.co.uk

Zarp - Network Attack Framework

2013-07-03T17:55:00.000+02:00

Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.

Functionality:

- Poisoners
- Parameter
- Services
- Sessions
- Scanners
- DoS Attacks
- Sniffers

Download: https://github.com/hatRiot/zarp
https://defense.ballastsecurity.net/wiki/index.php/Zarp

Released the new version of OWASP Top 10 - 2013

2013-06-13T07:54:00.000+02:00

This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

Get PDF format from: http://owasptop10.googlecode.com - https://www.owasp.org/index.php/Top10

Me on PayPal Wall of Fame

2013-06-13T07:45:00.001+02:00

I don't want to disclose everything I reported but I would like to say that I'm very happy to have my name listed there,along many of my friends :)

https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame

http://www.computerworld.com
http://www.pcpro.co.uk

Nishang v.0.2.7 Released

2013-06-10T13:23:00.002+02:00

PowerShell for Penetration Testing

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetraion Tests. The scripts are written on the basis of requirement by the author during real Penetration Tests.It contains many interesting scripts like download and execute, keylogger, dns txt pwnage, wait for command and much more.

Changelog:
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these does not stop autmoatically after running a script/command now.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
- Fixed a minor bug in DNS_TXT_Pwnage.
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
- Added Get-PassHashes payload.
- Added Download-Execute-PS payload.
- The keylogger logs only fresh keys after exfiltring the keys 30 times.
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.

Download: http://code.google.com/p/nishang/downloads/list

PenQ - The Security Testing Browser Bundle

2013-05-30T08:19:00.002+02:00

PenQ is an open source Linux based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.

PenQ is configured to run on Debian based distributions including Ubuntu and its derivative distros, and penetration testing operating systems such as BackTrack and Kali.With all its integrations, PenQ is a powerful tool. Be mindful of what use you put it to. Responsible use of PenQ can help secure web apps in a zap.

Features

OWASP ZAP
OWASP WebScarab
OWASP WebSlayer
Nikto Web Server Scanner

Wfuzz Web Application Fuzzer
Mozilla Add-ons Collection
Integrated Tor
OWASP Penetration Testing Checklist

PenTesting Report Generator
Vulnerability Databases Search
Access to Shell and System Utilities
Collection of Useful Links

Download and more info: http://www.qburst.com/products/PenQ

OWASP Europe Tour - Bucharest 2013

2013-05-23T08:56:00.000+02:00

OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

Date: Wednesday 5th of June
Venue Location: University "Politehnica" of Bucharest
Venue Address: Splaiul Independentei nr. 313, sector 6, Bucuresti, ROMANIA; Rectorship Building, Senate Hall Postal cod: RO-060042

Source: https://www.owasp.org

DroidSQLi - MySQL Injection tool for Android

2013-05-20T16:56:00.000+02:00

DroidSQLi is the first automated MySQL Injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks.

DroidSQLi supports the following injection techniques:
- Time based injection
- Blind injection
- Error based injection
- Normal injection

Get it from https://play.google.com/store/apps/details?id=net.edgard.droidsqli

Static Analysis Technologies Evaluation Criteria Released

2013-05-12T20:08:00.003+02:00

Introduction:

Static code analysis is the analysis of software source or binary code. It aims at automating code analysis to find as many common software security weaknesses as possible. There are several open source and commercial static code analysis tools and services available in the market for organizations to choose from.

Static code analysis is rapidly becoming an essential part of most software organizations' application security assurance program. Mainly because of their ability to analyze large amounts of source code in considerably shorter amount of time than a human could, uncover potential weaknesses, in addition to the ability to automate security knowledge and workflows.

Download PDF: http://projects.webappsec.org/w/file/fetch/66107997/SATEC_Manual-02.pdf

Source: http://projects.webappsec.org

AttackVector Linux

2013-05-12T10:41:00.003+02:00

Linux distro for anonymized penetration based on Kali and TAILS

AttackVector Linux is a new distribution for anonymized penetration and security. It is based on Kali and TAILS, which are both based on Debian. While Kali requires a modified kernel for network drivers to use injection and so forth, the Tor Project's TAILS is designed from the bottom up for encryption, and anonymity. Nmap can't UDP via Tor. The intention of AttackVector Linux is to provide the capability to anonymize attacks while warning the user when he or she takes actions that may compromize anonymity. The two projects have different design philosophies that can directly conflict with one another. In spite of this, the goal of AttackVector Linux is to integrate them complementarily into one OS.

Download: https://bitbucket.org/attackvector

More Info: https://github.com/ksoona/attackvector

SpiderFoot v.2.0 Released

2013-05-07T17:35:00.001+02:00

Open source Footprinting tool

SpiderFoot is an open source footprinting tool, available for Windows and Linux. It is written in Python and provides an easy-to-use GUI. SpiderFoot obtains a wide range of information about a target, such as web servers, netblocks, e-mail addresses and more.

SpiderFoot is designed from the ground-up to be modular. This means you can easily add your own modules that consume data from other modules to perform whatever task you desire.
As a simple example, you could create a module that automatically attempts to brute-force usernames and passwords any time a password-handling webpage is identified by the spidering module.

Download: https://github.com/smicallef/spiderfoot
http://sourceforge.net/projects/spiderfoot/

More Info: http://www.spiderfoot.net

Arachni v0.4.2 Released

2013-04-30T09:52:00.005+02:00

Web Application Security Scanner Framework

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives. It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

The change-log is quite sizeable but the gist is:

* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads for Windows machines for path traversal and OS command injection.
* RPC API updates allowing for much easier remote scan management.
* Much improved profiling and detection of custom 404 responses.
* The ability to exclude pages from the scan based on content.

For more details and Download visit: http://www.arachni-scanner.com

Canari Framework

2013-04-15T16:00:00.000+02:00

Canari - Maltego Rapid Transform Development Framework

Canari is a rapid transform development framework for Maltego written in Python. The original focus of Canari was to provide a set of transforms that would aid in the execution of penetration tests, and vulnerability assessments. Ever since it's first prototype, it has become evident that the framework can be used for much more than that. Canari is perfect for anyone wishing to graphically represent their data in Maltego without the hassle of learning a whole bunch of unnecessary stuff. It has generated interest from digital forensics analysts to pen-testers, and even psychologists.

Canari's core features include:
- An easily extensible and configurable framework that promotes maximum reusability;
- A set of powerful and easy-to-use scripts for debugging, configuring, and installing transforms;
-Finally, a great number of community provided transforms.

More info and Download: http://www.canariproject.com

Video demo: http://www.youtube.com/allfro

AppUse - Android Pentest Platform Unified Standalone Environment

2013-04-03T13:42:00.000+02:00

AppSec Labs recently developed the AppUse Virtual Machine. This system is a unique, free, platform for mobile application security testing in the android environment, and it includes unique custom-made tools created by AppSec Labs.

There is no need for installation of simulators and testing tools, no need for SSL certificates of the proxy software, everything comes straight out of the box pre-installed and configured for an ideal user experience.Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a famous system for testing security problems), specifically adjusted for android application security testing.

AppUse VM closes gaps in the world of security, now there is a special and customized testing environment for android applications.

This machine is intended for the daily use of security testers everywhere for Android applications, and is a must-have tool for any security person.

Download: http://sourceforge.net

XSSF - Cross-Site Scripting Framework v.3.0 Released

2013-03-19T16:43:00.002+01:00

The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the XSS vulnerability exploitation task into a much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, vulgarizing their exploitation. This project is created solely for education, penetration testing and lawful research purposes.

XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.

XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability.

XSSF Basics: Install on Kali-1.0 Video Demo : http://www.youtube.com/watch?v=AhUhOirEfTE

Download: https://code.google.com