Tuesday, June 14, 2011

Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.)

Wappalyzer is an add-on for Firefox that uncovers the technologies used on websites. It detects CMS and e-commerce systems, message boards, JavaScript frameworks, hosting panels, analytics tools and several more.
The company behind Wappalyzer also collects information about web based software to create publicly available statistics, revealing their growth over time and popularity compared to others. Most of this data is anonymously collected from this Firefox add-on which has been installed by thousands of users.
Wappalyzer was founded in 2008 by Elbert F and has been made possible with the funding of AOE media GmbH, the leading Open Source web development company in Germany.
It detects the majority of common CMS systems, a full list can be found here.
You can download Wappalyzer here:
Wappalyzer.xpi

BodgeIt Store – Vulnerable Web Application For Penetration Testing

There are various vulnerable web applications such as Jarlsberg, WackoPicko, Damn Vulnerable Web Application (DVWA), Vicnum, etc. Now we have another application that is vulnerable and ready to be exploited! The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to penetration testing.

Features

Easy to install – just requires java and a servlet engine, e.g. Tomcat
Self contained (no additional dependencies other than the two in the line above)
Easy to change on the fly – all the functionality is implemented in JSPs, so no IDE required
Cross platform
Open source
No separate db to install and configure – it uses an ‘in memory’ db that is automatically (re)initialized on start up

There is also a ‘scoring’ page where you can see various hacking challenges and whether you have completed them or not.

Install

All you need to do is download and open the zip file, and then extract the war file into the webapps directory of your favorite servlet engine.
Then point your browser at (for example) http://localhost:8080/bodgeit
The author recommends Zed Attack Proxy to get you started.
You can download BodgeIt Store here:
bodgeit.1.1.0.zip

OWASP Hatkit Proxy Project – HTTP/TCP Intercepting Proxy Tool

The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic into offline storage where further analysis can be performed, i.e. all the kinds of analysis currently implemented by the proxies themselves (WebScarab/Burp/Paros etc.).

Also, since the HTTP traffic is stored in MongoDB, it is kept at object level, retaining the structure of the parsed traffic.

Features

Swing-based UI,
Interception capabilities with manual edit, both for TCP and HTTP traffic,
Syntax highlighting (html/form-data/http) based on JFlex,
Storage of http traffic into MongoDB database,
Possibilities to intercept in Fully Qualified mode (like all other http-proxies) OR Non-fully qualified mode. The latter means that interception is performed *after* the host has been parsed, thereby enabling the user to submit non-valid http content.
A set of filters to either ignore or process traffic which is routed to the proxy. The ‘ignored’ traffic will be streamed to the endpoint with minimal impact on performance.

Known Issues

HTTP-intercept: Some buttons/checkboxes in the interception window do not work
TCP-intercept: The statistics counters are incorrect.

You can download OWASP Hatkit Proxy here:
hatkit_proxy-0.5.1.zip

Burp Suite Free Edition v1.4 – Web Application Security Testing Tool

We love Burp Suite and we have since wayyyy back, the last update we posted was around 18 months ago back in January 2010 – Burp Suite v1.3 Released – Integrated Platform For Attacking Web Applications.

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!

New Features

The ability to compare site maps
Functions to help with testing access controls using your browser
Support for preset request macros
Session handling rules to help you work with difficult situations
In-browser rendering of responses from all Burp tools
Auto recognition and rendering of character sets
Support for upstream SOCKS proxies
Headless mode for unattended scripted usage
Support for more types of redirection
Support for NTLMv2 and IPv6
Numerous enhancements to Burp’s extensibility
Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:

burpsuite_v1.4.zip

WATOBO – The Web Application Toolbox

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. We are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities. WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only.

How Does It Work?

WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite.

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

WATOBO Advantages

  • Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • Can perform vulnerability checks out of the box.
  • Supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • Smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • Written in (FX)Ruby and enables you to define your own checks
  • Free software (licensed under the GNU General Public License Version 2)
There is an ‘unofficial’ manual here:
WATOBO – the unofficial manual
And some video tutorials to get you started here.

XSSer v1.0 – Cross Site Scripter Framework

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.

New Features

Added “final remote injections” option
Cross Flash Attack!
Cross Frame Scripting
Data Control Protocol Injections
Base64 (rfc2397) PoC
OnMouseMove PoC
Browser launcher
New options menu
Pre-check system
Crawler spidering clones
More advanced statistics system
“Mana” output results

You can download XSSer v1.0 here:
xsser-1.0.tar.gz

LFIMAP – Scan For Files Vulnerable To LFI (Local File Inclusion)

There are some existing tools that deal with LFI vulnerabilities such as fimap the Remote & Local File Inclusion (RFI/LFI) Scanner and inspathx a Tool For Finding Path Disclosure Vulnerabilities (which can lead to the discovery of LFI).

A new simple tool was released recently which focuses purely on LFI attacks.

Functions

Automatically find the root of the file system
Detect default files outside of the web folder
Attempts to detect passwords inside the files
Supports basic authentication
Can use null byte to bypass some controls
Writes a report of the scan to a file

You can download LFIMAP 1.4.3 here:
lfimap-1.4.3.tar.gz

SQLInject-Finder – Intelligent SQL Injection Detection Script

SQLInject-Finder is a simple Python script that parses through a pcap and looks at the GET and POST request data for suspicious and possible SQL injections. Rules to check for SQL injection can be easily added. Output can be printed neatly on the command line or in tab delimited format.
The output includes:
  • The suspicious IP address
  • The attacked webpage
  • The parameter and value used
  • The frame number of the packet within the pcap (can be used to find exactly where the packet is in Wireshark)
  • The reason why the request was flagged
Requirements
This script was tested using Python 2.6.5. Other versions are not guaranteed to work.
This script depends on the dpkt libraries.
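As an added example (not the SQLInject-Finder script itself), the following Python 3 code applies the same idea to a constructed set of captured requests: it parses each GET or POST request, URL-decodes the parameters, runs a small editable rule set over every value and reports the client IP, page, parameter, frame number and reason in the tab-delimited form described above. The pcap parsing with dpkt is replaced by an inline byte-string capture so that it runs offline; the rules, IPs and requests are all constructed.

```python
"""Added example (not the SQLInject-Finder script): flag SQL-injection
indicators in captured HTTP request parameters and report them with
IP, page, parameter, frame number and reason."""
import re
from urllib.parse import urlsplit, parse_qsl

# Detection rules: (reason, compiled regex). They run on the URL-decoded
# value, so %27 / %20 encoded payloads are normalised before matching.
RULES = [
    ("tautology (OR n=n)",        re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("quote followed by comment", re.compile(r"['\"].*?(--|#|/\*)", re.S)),
    ("UNION SELECT",              re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("stacked query",             re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("MSSQL xp_ procedure",       re.compile(r"\bxp_\w+", re.I)),
]

# Constructed sample "capture" standing in for a pcap:
# (frame number, client IP, raw HTTP request bytes).
CAPTURE = [
    (1, "10.0.0.5", b"GET /item.php?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (2, "10.0.0.9", b"GET /item.php?id=42%27%20OR%201%3D1--%20 HTTP/1.1\r\n"
                    b"Host: shop.example\r\n\r\n"),
    (3, "10.0.0.9", b"POST /login.php HTTP/1.1\r\nHost: shop.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 47\r\n\r\n"
                    b"user=admin&pass=x%27%20UNION%20SELECT%201%2C2--"),
    # A benign apostrophe: must not be flagged by any rule above.
    (4, "10.0.0.7", b"POST /search HTTP/1.1\r\nHost: shop.example\r\n\r\nq=o%27reilly"),
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, [(param, value), ...]).

    Query-string parameters are taken from the request line; for POST the
    form-encoded body parameters are appended as well."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return method, parts.path, params


def scan_capture(capture, rules=RULES):
    """Return one finding dict per (parameter, rule) match, in capture order."""
    findings = []
    for frame, ip, raw in capture:
        _method, path, params = parse_request(raw)
        for name, value in params:
            for reason, rx in rules:
                if rx.search(value):
                    findings.append({"ip": ip, "page": path, "param": name,
                                     "value": value, "frame": frame,
                                     "reason": reason})
    return findings


def tab_report(findings):
    """Tab-delimited output with a header row, one finding per line."""
    cols = ["ip", "page", "param", "value", "frame", "reason"]
    lines = ["\t".join(cols)]
    lines += ["\t".join(str(f[c]) for c in cols) for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(tab_report(scan_capture(CAPTURE)))
```

The frame number in each finding is what you would use to jump to the packet in Wireshark; with a real pcap, replace CAPTURE by the (frame, source IP, TCP payload) triples read via dpkt.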
You can download SQLInject-Finder here:
sqlinject-finder.py

Mantra Security Toolkit – Free & Open Source Browser-Based Security Framework

24 January 2011 | 11,912 views

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Mantra is lightweight, flexible, portable and user friendly with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

The Mantra is a powerful set of tools to make the attacker’s task easier. The beta version of Mantra Security Toolkit contains following tools built onto it –
Mantra Tools List
You can also always suggest any tools/ scripts that you would like see in the next release.
Support forums are available here.
You can download Mantra here:
Windows – MantraPortable Alpha Release 200.12.exe
Linux – mantra-portable-pre-alpha.tar.bz2

sessionthief – HTTP Session Cloning & Cookie Stealing Tool

sessionthief performs HTTP session cloning by cookie stealing. It can issue basic nmap and nbtscan commands to see which IPs are on the subnet, or just listen for IPs broadcasting packets. It can quickly perform ARP poison routing to get packets given the IP of the client if not on an open network or hub, and should also work with interfaces in monitor mode. It integrates automatically with Firefox, dynamically creating a temporary profile for each attack performed. In this way, in contrast to tools like the middler, it doesn’t require any additional configuration, and makes it easy to simultaneously own multiple logins to the same site.

For example, if multiple clients on the open or WEP-encrypted wireless network you are on are on Facebook (or yahoo mail or just about any site you log into), you can:

Start the program
Select your interface
Hit watch
Select a request from each of them to facebook, and click the session button.

The program will start a new instance of Firefox for each session hijacked, and let you control the logins of all of them at once. It compiles and runs on Linux and Windows and depends on the pcap and wxWidgets libraries.

You can download sessionthief here:

sessionthief.zip

Havij – Advanced Automated SQL Injection Tool

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injection vulnerable targets using Havij.

The user friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.

Havij - SQL Injection Tool
There is a free version available and also a more fully-featured commercial edition available here.

You can download Havij v1.12 Free Edition here:
Havij1.12Free.rar

inspathx – Tool For Finding Path Disclosure Vulnerabilities

inspathx is a tool that uses a local source tree to make requests to the target URL and searches the responses for path disclosure (Full Path Disclosure) error messages. This is a very common problem in PHP web applications.
PHP web application developers sometimes fail to add safety checks against authentication, file inclusion etc., and their applications are prone to reveal sensitive information when the applications’ file URLs are requested directly. Sometimes this is a clue to a Local File Inclusion (LFI) vulnerability. For open-source applications, the source code can be downloaded and checked to find such information.
This script does this job.
  1. First, download the source archive of the open-source application you are testing.
  2. Second, extract it.
  3. Third, feed its path to inspathx.
inspathx accepts the following arguments:
  • -d or --dir argument as the source directory (of the application)
  • -u or --url argument as the target base URL (like http://victim.com)
  • -t or --threads argument as the number of threads to run concurrently (default is 10)
You can download inspathx via SVN here:
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only

OWASP ZAP – Zed Attack Proxy – Web Application Penetration Testing

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Features

Intercepting proxy
Automated scanner
Passive scanner
Spider

Next Release

The next release of OWASP ZAP, planned for later this year, is expected to include:

OWASP rebranding
Improvements to the passive and active automated scanners
Improvements to the Spider
The addition of a basic port scanner
The ability to brute force files and directories (using components from DirBuster)

ZAP is actually a fork from Paros Proxy.

You can download ZAP v1.0 here:

Cross Platform – ZAP_1.0.0b_installation.tar.gz
Windows Installer – ZAP_1.0.0_installer.exe

NSDECODER – Automated Website Malware Detection Tool

NSDECODER is an automated website malware detection tool. It can be used to decode and analyze a URL to see if it hosts malware. NSDECODER will also analyze which vulnerability has been exploited and the original source address of the malware.
Functions
  • Automated analysis and detection of website malware.
  • Detection for plenty of vulnerabilities.
  • Log export supports HTML and TXT format.
  • Ability to deeply analyze JavaScript.
You can download NSDECODER here:
nsdecoder_gui_v1.0.zip

w3af 1.0-rc3 Available For Download – Web Application Attack & Audit Framework

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
New Features
  • Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
  • Increased speed by rewriting parts of the thread management code
  • Fixed tons of bugs
  • Reduced memory usage
  • Many plugins were rewritten using different techniques that use fewer HTTP requests to identify the same vulnerabilities
  • Reduced false positives
You can download w3af 1.0-rc3 here:
Windows – w3af-1.0-rc3.exe
Linux/BSD/Mac – w3af-1.0-rc3.tar.bz2

Andiparos – Open Source Web Application Security Assessment Tool

Andiparos is a fork of the famous Paros Proxy. It is an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, intercept and modify requests, etc.
The author asked the original authors of Paros Proxy to integrate his changes but was turned down, hence the fork.
The advantage of Andiparos is mainly the support of client certificates on smartcards. Moreover it has several small interface enhancements, making life easier for penetration testers…
Features:
  • Smartcard support
  • History Filter (URLs)
  • Tag requests in history
  • other small enhancements… 
You can download Andiparos here:
Andiparos-v1.0.tar.gz

DotDotPwn v1.0 – Directory Traversal Checker/Scanning Tool

A simple Perl tool which detects several Directory Traversal vulnerabilities on HTTP/FTP servers. This AttackDB version currently has 871 traversal payloads. The tool was tested against Kolibri+ WebServer v2.0 and Gefest WebServer v1.0 (HTTP servers), giving good results in identifying the right vulnerability strings. Those HTTP servers were vulnerable, and somebody had reported the vulnerabilities on sites such as exploit-db, but those advisories only reported one or two traversal strings, whereas DotDotPwn detected between 10 and 20 different attack strings on those vulnerable servers.
Features
  • Detects Directory traversal vulnerabilities on remote HTTP/FTP server systems.
  • DotDotPwn checks the presence of boot.ini on the vulnerable systems through Directory traversal vulnerabilities, so it is assumed that the tested systems are Windows based HTTP/FTP servers.
  • Currently, the traversal database holds 871 attack payloads. Use the -update flag to perform an online fresh update.
Requirements
Perl with the HTTP::Lite and Net::FTP modules
The full README file is available here.
You can download DotDotPwn v1.0 here:
ddpwn.tar.gz

Arachni – Web Application Vulnerability Scanning Framework

Arachni is a feature-full and modular Ruby framework that allows penetration testers and administrators to evaluate the security of web applications. Arachni is smart: it trains itself with every HTTP response it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through each path of a web application’s cyclomatic complexity. This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.
The project aims to:
  1. Provide a stable and efficient framework
    Developers should be allowed to easily and quickly create and deploy modules with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals. Module writers should be able to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks. Basically, give them the right tools for the job and get the hell out of their way.
  2. Be simple
    Well, not simple in general…some parts of the framework are fairly complex. However, the module and report APIs are very similar and very simple.
  3. Be developer and user friendly
    Users should be able to make the most out of Arachni without being confused or overwhelmed. Developers unfamiliar with the framework should be able to write working modules and reports immediately after a small glance at an existing one.
You can download arachni v0.1.1 here:
zipball-v0.1.1

Netsparker Community Edition – Web Application Security Scanner

Netsparker is a Web Application Security Scanner that claims to be False-Positive Free. The developers reasoned that if you need to investigate every single identified issue manually, what’s the point of having an automated scanner? So they developed a new technology which can confirm vulnerabilities on demand, which allowed them to develop the first false positive free web application security scanner.

When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.

Same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it’s possible to simulate a real attacker successfully. This means it can successfully analyse websites that rely on AJAX and JavaScript.

You don’t need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.

Netsparker - Community Edition

You can download Netsparker – Community Edition here:
NetSparkerCommunityEditionSetup.exe

DAVTest – WebDAV Vulnerability Scanning (Scanner) Tool

When facing off against a WebDAV enabled server, there are two things to find out quickly: can you upload files, and if so, can you execute code?
DAVTest attempts to help answer those questions, as well as enable the pentester to quickly gain access to the host. DAVTest tries to upload test files of various extension types (e.g., “.php” or “.txt”), checks if those files were uploaded successfully, and then whether they can execute on the server. It also allows for uploading the files as plain text files and then trying to use the MOVE command to rename them to an executable.
Assuming you can upload an executable, a test file does you no good, so DAVTest can automatically upload a fully functional shell. It ships with shells for PHP, ASP, ASPX, CFM, JSP, CGI, and PL, and dropping a file in the right directory will let you upload any back-door you like.
Features

  • Upload with executable extension or .txt
  • Checks for successful upload and execution
  • Supports MOVE and MKCOL
  • Can upload backdoor/shell or arbitrary files
  • Basic authentication
DAVTest is written in PERL and licensed under the GPLv3.
You can download DAVTest v1.0 here:
davtest-1.0.zip

iScanner – Detect & Remove Malicious Code/Web Pages Viruses From Your Linux/Unix Server

iScanner is a free open source tool that lets you detect and remove malicious code and web page viruses from your Linux/Unix server easily and automatically. This is a neat tool for those who have to do some clean-up after a mass exploitation or defacement on a shared web host.
This tool is programmed by iSecur1ty in the Ruby programming language and is released under the terms of the GNU Affero General Public License 3.0.
Features
  • Detect malicious code in web pages. This includes hidden iframe tags, JavaScript, VBScript, ActiveX objects and PHP code.
  • Extensive log shows the infected files and the malicious code.
  • Send email reports.
  • Ability to clean the infected web pages automatically.
  • Easy backup and restore system for the infected files.
  • Simple and editable signature based database.
  • Ability to update the database and the program easily from dedicated server.
  • Very flexible options and easy to use.
  • Fast scanner with good performance.
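As an added example (not iScanner’s own code), the Python script below shows the signature-based detect, back-up and clean cycle the feature list describes: it flags hidden iframes and eval/unescape script blocks of the kind injected during mass compromises, removes them, and writes a .bak copy before overwriting the file so the clean-up can be reverted. The signatures, the sample page and the file names are all constructed for this example.

```python
"""Added example (not iScanner): signature-based detection and clean-up of
injected content in web pages, with a backup of each file before cleaning."""
import re
import tempfile
from pathlib import Path

# Each signature: (name, regex matching the whole injected element).
# Hidden iframes are recognised by zero size or a hiding style, not by src,
# so the list catches injections pointing at hosts that are not known yet.
SIGNATURES = [
    ("hidden iframe (zero size)",
     re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?"
                r"[^>]*>.*?</iframe>", re.I | re.S)),
    ("hidden iframe (css hidden)",
     re.compile(r"<iframe\b[^>]*style\s*=\s*[\"'][^\"']*"
                r"(?:display\s*:\s*none|visibility\s*:\s*hidden)[^\"']*[\"']"
                r"[^>]*>.*?</iframe>", re.I | re.S)),
    ("obfuscated script (eval/unescape)",
     re.compile(r"<script\b[^>]*>(?:(?!</script>).)*?"
                r"(?:eval|document\.write)\s*\(\s*unescape\s*\(.*?</script>",
                re.I | re.S)),
    ("vbscript block",
     re.compile(r"<script\b[^>]*\blanguage\s*=\s*[\"']?vbscript[\"']?[^>]*>"
                r".*?</script>", re.I | re.S)),
]


def scan_html(content):
    """Return [(signature name, line number, matched snippet)] sorted by line."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(content):
            line = content.count("\n", 0, m.start()) + 1
            hits.append((name, line, m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def clean_html(content):
    """Remove every matched element; returns (cleaned content, number removed)."""
    removed = 0
    for _, rx in SIGNATURES:
        content, n = rx.subn("", content)
        removed += n
    return content, removed


def clean_file(path):
    """Scan one file; if infected, save <name>.bak and overwrite with the
    cleaned version. Returns the list of hits found in the original."""
    path = Path(path)
    original = path.read_text(encoding="utf-8", errors="replace")
    hits = scan_html(original)
    if hits:
        path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
        cleaned, _ = clean_html(original)
        path.write_text(cleaned, encoding="utf-8")
    return hits


# Constructed sample page: one legitimate embed that must survive,
# plus three injected blocks (zero-size iframe, CSS-hidden iframe, eval/unescape).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad.example.invalid/x.php" width="0" height="0"></iframe>
<p>Contact us</p>
<iframe src="http://bad.example.invalid/y.php" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</body></html>
"""


def demo_on_temp_file():
    """Write the sample page to a temp dir, clean it, and report
    (hit count, backup exists, backup equals original, cleaned file text)."""
    with tempfile.TemporaryDirectory() as d:
        page = Path(d) / "index.html"
        page.write_text(SAMPLE_PAGE, encoding="utf-8")
        hits = clean_file(page)
        backup = Path(str(page) + ".bak")
        return (len(hits), backup.exists(),
                backup.read_text(encoding="utf-8") == SAMPLE_PAGE,
                page.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for name, line, snippet in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {name}: {snippet[:60]}")
    print(demo_on_temp_file()[:3])
```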
Coming Soon
  • Microsoft Windows compatibility.
  • Export log in other formats (xml, html).
  • Extend the database and make it able to detect malicious files.
  • Ability to send infected file to iScanner server for analysis.
  • Build remote scanner service with API.
You can download iScanner v0.5 here:
iscanner.tar.gz

sqlninja v0.2.5 Released – Microsoft SQL Server (MS-SQL) SQL Injection Vulnerability Tool

It’s been 2 years, but a new version of sqlninja is out at Sourceforge. We wrote about the previous release back in 2008 and we’ve actually been following this tool since 2006!
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
Features
  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
What’s New?
  • Proxy support (it was about time!)
  • No more 64k bytes limit in upload mode
  • Upload mode is also massively faster
  • Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
  • Other minor improvements
Compatibility
It is written in Perl, released under the GPLv2, and so far has been successfully tested on:
  • Linux
  • FreeBSD
  • Mac OS X
You can download sqlninja v0.2.5 here:
sqlninja-0.2.5.tgz

FOCA – Network Infrastructure Mapping Tool

FOCA 2 has a new algorithm which tries to discover as much information related to the network infrastructure as possible. In this alpha version FOCA will add to the discovered network map all servers that can be found using a recursive algorithm searching in Google, Bing, Reverse IP in Bing, well-known servers and DNS records, using an internal PTR scan, etc.

To configure this algorithm you can use the new DNS Search panel, and the extracted information will be shown in three panels:

Domains
IP addresses
PC/Servers

24 May 2010 | 9,096 views

ChangeLog 2.0.1:
  • Fix error searching EXIF information
  • Fix error in DNS Transfer Zone requests
ChangeLog 2.0:
  • DNS enumeration added using subdomains Web Search, zone transfer, dictionary and bing IP search.
  • Added panels Domains & IP
  • Documents grouped by document type
  • Used ListView groups
  • Better Network Map representation
  • Bing only search supported filetype documents
  • Fix error analysing metadata
You can read more and download FOCA here.


WhatWeb – Next Gen Web Scanner – Identify CMS (Content Management System)

Identify content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more. When you visit a website in your browser the transaction includes many unseen hints about how the webserver is set up and what software is delivering the webpage. Some of these hints are obvious, eg. “Powered by XYZ” and others are more subtle. WhatWeb recognises these hints and reports what it finds.
WhatWeb has over 80 plugins and needs community support to develop more. Plugins can identify systems with the obvious signs removed by looking for subtle clues. For example, a WordPress site might remove the tag but the WordPress plugin also looks for “wp-content”, which is less easy to disguise. Plugins are flexible and can return any datatype; for example, plugins can return version numbers, email addresses, account IDs and more.
There are both passive and aggressive plugins. Passive plugins use information on the page, in cookies and in the URL to identify the system. A passive request is as lightweight as a simple GET / HTTP/1.1 request. Aggressive plugins guess URLs and request more files. Plugins are easy to write; you don’t need to know Ruby to make them.
Aggressive plugins can identify versions of Joomla, phpBB, etc by making extra requests to the webserver.
Log Output
There are currently 3 types of log output. They are:
  • Brief logging
  • Full logging
  • XML logging
Plugins
There are over 90 plugins as of version 0.4.3. Plugins are easy to make. Matches are made with regular expressions, Google Hack Database queries, and custom ruby code. For now the probability means maybe (25%), probably (75%) and certain (100%).
You can download WhatWeb 0.4.3 here:
whatweb-0.4.3.tar.gz

Vicnum – Lightweight Vulnerable Web Application

Vicnum is a flexible and vulnerable web application which demonstrates common web security problems such as cross site scripting, SQL injection, and session management issues. The program is especially useful to IT auditors honing web security skills and setting up ‘capture the flag’ type exercises.

Being a small web application with no complex framework involved, Vicnum can easily be invoked and tailored to meet a specific need. For example if a test vulnerable application is needed in evaluating a web security scanner or a web application firewall, you might want to control a target web application to see what the scanner can find and what the firewall can protect.

Ultimately the major goal of this project is to strengthen security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it’s OK to have a little fun.

The guessing part of the game itself is quite fun too, there’s an online version of Vicnum hosted here:

http://vicnum.ciphertechs.com/

I can guess the number correctly with 1 try every time (that’s an easy one), and also got an SQL injection to dump out all the scores recorded. Seeing what else can be done now.

It’s actually quite a fun one to play around with.

You can download Vicnum v1.4 here:

VMvicnum14.zip

SAHI – Web Automation & Application Security Testing Tool

Sahi is an automation tool to test web applications. Sahi injects JavaScript into web pages using a proxy, and that JavaScript drives the web application.
Sahi is a tester-friendly tool. It abstracts away most of the difficulties testers face when automating web applications. Salient features include an excellent recorder, platform and browser independence, no XPaths, no waits, multi-threaded playback, excellent Java interaction and built-in reporting.
Features
  • Browser and Operating System independent
  • Powerful recorder which works across browsers
  • Powerful Object Spy
  • Intuitive and simple APIs
  • Javascript based scripts for good programming control
  • Version Controllable text-based scripts
  • In-built reports
  • In-built multi-threaded or parallel playback of tests
  • Tests do not need the browser window to be in focus
  • Command line and ant support for integration into build processes
  • Supports external proxy, HTTPS, 401 & NTLM authentications
  • Supports browser popups and modal dialogs
  • Supports AJAX and highly dynamic web applications
  • Scripts very robust
  • Works on applications with random auto-generated ids
  • Very lightweight and scalable
  • Supports data-driven testing. Can connect to database, Excel or CSV file.
  • Ability to invoke any Java library from scripts
Limitations
  • Framesets/pages with frames/iframes loading pages from multiple domains is not supported. Sahi cannot handle pages which have other pages from different domains embedded in them using iframes or frames. So you cannot have a page from google.com having an iframe with a page from yahoo.com. Note that this is not the same as switching between domains, where you navigate from a google.com page to a yahoo.com page, which will work in Sahi.
  • File upload fields will not be populated in browsers for JavaScript verification. File upload itself works fine.
You can download SAHI here:
sahi_20100302.zip

WebRaider – Automated Web Application Exploitation Tool

WebRaider is a plugin-based automated web application exploitation tool which focuses on getting a shell from multiple targets or injection points.
The idea behind this attack is very simple: getting a reverse shell from an SQL Injection with one request, without using an extra channel such as TFTP or FTP to upload the initial payload.
  • It’s only one request therefore faster,
  • Simple, you don’t need a tool you can do it manually by using your browser or a simple MITM proxy,
  • Just copy paste the payload,
  • CSRF(able), It’s possible to craft a link and carry out a CSRF attack that will give you a reverse shell,
  • It’s not fixed, you can change the payload,
  • It’s short, Generally not more than 3.500 characters,
  • Doesn’t require any application on the target system like FTP, TFTP or debug.exe,
  • Easy to automate.
Dependencies
Internally WebRaider uses Metasploit. The authors use a specific version of Metasploit, they trimmed the fat from Metasploit to launch it faster and make it smaller. You can change the paths and make it work with the latest Metasploit of your own setup.
Also note that, due to the reverse shells and Metasploit components, this software will be detected as a virus by AV software.
You can download WebRaider here:
WebRaider-0.2.3.8.zip

skipfish – Automated Web Application Security Reconnaissance Tool

The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation. To advance this goal, Google has released projects such as ratproxy, a passive security assessment tool.
The latest is they have announced a new tool called skipfish – a free, open source, fully automated, active web application security reconnaissance tool.
Key Features
  • High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
  • Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.
You can download skipfish here:
skipfish-1.10b.tgz

x5s – Automated XSS Security Testing Assistant

x5s is a Fiddler add-on which aims to assist penetration testers in finding cross-site scripting vulnerabilities. Its main goal is to help you identify the hotspots where XSS might occur by:
  • Detecting where safe encodings were not applied to emitted user-inputs
  • Detecting where Unicode character transformations might bypass security filters
  • Detecting where non-shortest UTF-8 encodings might bypass security filters
It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues; however, persistent issues can also be detected.
The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences, which are indicative of ‘other’ problems.
x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?
x5s does not inject XSS payloads – it does not attempt to exploit or confirm an XSS vulnerability. It’s designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it’s the tester’s job to perform further validation and XSS testing.
The types of test cases that x5s includes:
  1. Traditional test cases – characters typically used to test for XSS injection such as <, >, “ and ‘, which are used to control HTML, CSS, or JavaScript;
  2. Transformable test cases – characters that might uppercase, lowercase, normalize, best-fit map, or otherwise transform to completely different characters, e.g. the Turkish ‘İ’ which will lower-case to ‘i’ in culture-aware software.
  3. Overlong UTF-8 test cases – non-shortest UTF-8 encodings of the ‘traditional’ test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.
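The two mechanisms described above (overlong UTF-8 forms slipping past a byte-level filter, and single-character probes coming back in several encodings) are easy to see in a few lines of Python. The code below is an added example written for this page; it is not part of x5s. The deliberately permissive decoder stands in for the kind of lenient component x5s is probing for, and the zq9 marker, the sample page and the emission categories are constructed for the example.

```python
import html
from typing import Optional
from urllib.parse import quote

# Marker placed on both sides of the probe so the probe character is not confused with
# markup already present in the page (constructed for this example).
MARKER = "zq9"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 WITHOUT rejecting overlong (non-shortest) forms.

    Deliberately permissive, so the reader can see what a sloppy decoder placed after a
    byte-level filter would produce. Never use this in real code.
    """
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, n = lead, 1
        elif lead & 0xE0 == 0xC0:
            cp, n = lead & 0x1F, 2
        elif lead & 0xF0 == 0xE0:
            cp, n = lead & 0x0F, 3
        elif lead & 0xF8 == 0xF0:
            cp, n = lead & 0x07, 4
        else:
            raise ValueError("invalid lead byte at offset %d" % i)
        if i + n > len(data):
            raise ValueError("truncated sequence at offset %d" % i)
        for j in range(1, n):
            cont = data[i + j]
            if cont & 0xC0 != 0x80:
                raise ValueError("bad continuation byte at offset %d" % (i + j))
            cp = (cp << 6) | (cont & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def strict_utf8_decode(data: bytes) -> Optional[str]:
    """The correct behaviour: Python's codec rejects overlong forms outright."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def byte_filter_blocks(data: bytes) -> bool:
    """A naive byte-level blocklist that only recognises the shortest-form '<' and '>'."""
    return b"<" in data or b">" in data


def classify_emission(ch: str, body: str, marker: str = MARKER) -> str:
    """Report how a single-character probe (wrapped in the marker) came back in a response."""
    def seen(variant: str) -> bool:
        return marker + variant + marker in body

    if seen(ch):
        return "raw"
    if seen(html.escape(ch, quote=True)):
        return "html-entity"
    if seen("&#%d;" % ord(ch)) or seen("&#x%x;" % ord(ch)) or seen("&#X%X;" % ord(ch)):
        return "ncr"
    if seen(quote(ch, safe="")) or seen(quote(ch, safe="").lower()):
        return "url-encoded"
    return "dropped-or-transformed"


if __name__ == "__main__":
    overlong_lt = b"\xc0\xbc"  # non-shortest form of '<' (0x3C), as described above
    print("byte filter blocks it:", byte_filter_blocks(overlong_lt))   # False
    print("strict decode:", strict_utf8_decode(overlong_lt))           # None (rejected)
    print("lenient decode:", repr(lenient_utf8_decode(overlong_lt)))   # '<'
    page = '<p>zq9&lt;zq9</p><a href="?q=zq9%3Czq9">x</a>'
    print(classify_emission("<", page))                                # html-entity
```

The practical lesson for a defender is the middle function: a decoder that follows the standard refuses the overlong sequence, so the byte-level filter and the decoder never disagree about what the input contains. Any component that behaves like the lenient decoder is where an x5s hotspot will light up.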
You can download x5s here:
x5s v1.0.0 beta

fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.
Features
  • Check a Single URL, List of URLs, or Google results fully automatically.
  • Can identify and exploit file inclusion bugs.
  • Test and exploit multiple bugs
  • Has an interactive exploit mode
  • Add your own payloads and patches to the config.py file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Can use proxies (experimental).
Changes
  • All commands will now be sent base64 encoded, so you can use quotes as much as you want.
  • php://input detection is now 100% reliable.
  • You can now define a POST string for relative and absolute files in the config.py.
  • TTL implemented. You can define it with “--ttl”. Default is 30 seconds.
  • Experimental HTTP proxy support. You can define an HTTP(S) proxy with “--http-proxy localhost:8080”.
  • Googlescanner can now skip the first X pages. Use “--skip-pages X”.
  • Lots of bugfixes and additional regular expressions.
Requirements
  • Needs: Python >= 2.4
You can download fimap here:
fimap_alpha_v07.tar.gz

WAFP – Web Application Finger Printing Tool

WAFP is a Web Application Finger Printer written in ruby using a SQLite3 DB.
How does it work?
WAFP fetches the files listed in the Finger Prints from a web server and checks whether the checksums of those files match the checksums given in the Finger Prints. This way it is able to detect the detailed version and even the build number of a Web Application.
In detail
A Web Application Finger Print consists of a set of relative file locations together with their md5sums. It is made from a production or example installation of a Web Application, or just from an extracted tarball of the Web Application's install files. For this task, generate_wafp_fingerprint.sh is to be used.
WAFP comes with a README and a HOWTO file both containing some descriptions and examples.
Example
A specific fingerprint with verbose mode enabled:
wafp.rb --verbose -p phpmyadmin https://phpmyadmin.example.de
    found the following matches (limited to 10):
   +-------------------------------------------------------------+
    phpmyadmin-2.11.9.1                  296 / 299  (98.99%)
    phpmyadmin-2.11.9.2                  295 / 299  (98.66%)
    phpmyadmin-2.11.9.4                  295 / 299  (98.66%)
    phpmyadmin-2.11.8.1                  295 / 299  (98.66%)
    phpmyadmin-2.11.9.5                  295 / 299  (98.66%)
    phpmyadmin-2.11.8                    295 / 299  (98.66%)
    phpmyadmin-2.11.9.3                  295 / 299  (98.66%)
    phpmyadmin-2.11.9                    295 / 299  (98.66%)
    phpmyadmin-2.11.4                    294 / 299  (98.33%)
    phpmyadmin-2.11.5.2                  294 / 299  (98.33%)
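The matching logic in the output above (files matched out of files in the fingerprint, expressed as a percentage) is small enough to reproduce. The Python below is an added example for this page, not WAFP's own Ruby code: "hypoapp" and its two releases, the file contents and the modified stylesheet are all constructed. It also shows the defensive use of the same checksums, listing which files on a deployment no longer match the release they came from.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A fingerprint maps a relative file path to the md5 hex digest of that file.
Fingerprint = Dict[str, str]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_fingerprint(install_files: Dict[str, bytes]) -> Fingerprint:
    """Build a fingerprint from the files of a clean install (conceptually what the page
    says generate_wafp_fingerprint.sh does from an install tarball)."""
    return {path: md5_hex(content) for path, content in install_files.items()}


def score_candidates(fetched: Dict[str, Optional[bytes]],
                     fingerprints: Dict[str, Fingerprint],
                     limit: int = 10) -> List[Tuple[str, int, int, float]]:
    """Rank known versions by how many fingerprint files match what was fetched.

    fetched maps a relative path to the bytes served (None when nothing was served).
    Returns (version name, matched, total, percent), best match first.
    """
    results = []
    for name, fp in fingerprints.items():
        matched = 0
        for path, digest in fp.items():
            content = fetched.get(path)
            if content is not None and md5_hex(content) == digest:
                matched += 1
        total = len(fp)
        results.append((name, matched, total, round(100.0 * matched / total, 2)))
    results.sort(key=lambda r: (-r[3], r[0]))
    return results[:limit]


def changed_files(fetched: Dict[str, Optional[bytes]], fp: Fingerprint) -> List[str]:
    """Defensive use: list fingerprint files whose served content differs from the release.
    A file edited or replaced after deployment shows up here as a mismatch."""
    return sorted(path for path, digest in fp.items()
                  if fetched.get(path) is None or md5_hex(fetched[path]) != digest)


# Constructed sample: two made-up releases of a hypothetical app that differ in two files.
RELEASE_A = {
    "js/app.js": b"var version = '1.0';",
    "css/style.css": b"body { margin: 0 }",
    "readme.txt": b"release 1.0",
    "img/logo.png": b"\x89PNG-fake-logo",
}
RELEASE_B = dict(RELEASE_A, **{"js/app.js": b"var version = '1.1';",
                               "readme.txt": b"release 1.1"})
FINGERPRINTS = {"hypoapp-1.0": build_fingerprint(RELEASE_A),
                "hypoapp-1.1": build_fingerprint(RELEASE_B)}

# Constructed "server": a 1.0 install whose stylesheet was modified after deployment.
SERVED = dict(RELEASE_A, **{"css/style.css": b"body { margin: 0 } /* edited */"})

if __name__ == "__main__":
    for name, matched, total, pct in score_candidates(SERVED, FINGERPRINTS):
        print("%-14s %d / %d  (%.2f%%)" % (name, matched, total, pct))
    print("changed vs hypoapp-1.0:", changed_files(SERVED, FINGERPRINTS["hypoapp-1.0"]))
```

Because the score is a ratio over the fingerprint's own file list, versions that share most static files score within a few tenths of a percent of each other, exactly as the phpmyadmin listing shows; the files that differ between the top candidates are the ones worth fetching to confirm the version.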
You can download WAFP here:
wafp-0.01-26c3.tar.gz

Groundspeed 1.1 – Web Application Security Add-on For Firefox

Groundspeed is an open-source Firefox extension for web application security testers presented at the OWASP AppSec DC 2009. It allows you to manipulate the web application’s user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration test.
What can I do with Groundspeed?
Groundspeed allows you to modify the forms and form elements loaded in the page. Some practical uses include:
  • Changing the types of form fields, for example you can change hidden fields into text fields so you can easily edit their contents.
  • Quickly removing size and length limitations on text fields so you have more space to type your attack strings.
  • Changing form target so the form submits in another tab.
  • Removing or editing the JavaScript event handlers to bypass client side validation.
You can install Groundspeed here:
https://addons.mozilla.org/en-US/firefox/addon/46698/

SecuBat – Modular Web Vulnerability Scanner

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidents involving the loss of sensitive credit card information belonging to millions of customers.
Typical web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the web that are vulnerable.
SecuBat is a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities.
Software Requirements
  • Windows 2000, XP, 2003 or higher
  • .NET Framework 2.0 or higher
  • MS SQL Server 2000, 2005, Express, MSDE or higher
Known Issues
  • If you schedule a crawling run, you have to restart SecuBat to manually select that crawling run for an attacking run afterwards, unless you choose to do a combined run.
  • The XSS variants report a non-existent vulnerability if the response page contains the injected string within the title tag.
  • The “Attack Report” window shows only attacks with an analysis value greater than 0 (indicating a vulnerability).
You can also find out more from the SecuBat paper published here:
secubat.pdf [PDF]
You can download SecuBat v0.5 here:
SecuBat v0.5.zip

SWFScan – Free Flash Application Security Scanner

HP SWFScan is a free tool developed by HP Web Security Research Group, which will automatically find security vulnerabilities in applications built on the Flash platform.
HP is offering SWFScan because:
  • Their research shows that developers are increasingly implementing applications built on the Adobe Flash platform without the required security expertise.
  • As a result, they are seeing a proliferation of insecure applications being deployed on the web.
  • A vulnerable application built on the Flash platform widens your website’s attack surface creating more opportunity for malicious hackers.
How SWFScan works and what vulnerabilities it finds:
  • Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
  • Identifies and reports insecure programming and deployment practices and suggests solutions.
  • Enables you to audit third party applications without requiring access to the source code.
You can download SWFScan here:
SwfScan.msi

Websecurify – Web Security Testing Framework

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.
Key Features
  1. JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
  2. Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
  3. Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
  4. Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.
  5. Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all the cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool, and there are already tons of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.
You can download Websecurify 0.3 here:
Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

Nikto 2.1.0 Released – Web Server Security Scanning Tool

For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Changes

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

  • Rewrite of the plugin engine, allowing more control of the plugin structure and making it easier to add plugins
  • Rewrite of the reporting engine, allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing
  • Large overhaul of documentation to document built-in methods and variables
  • Addition of caching to reduce the number of calls made to the web servers, as well as a facility to disable smart 404 guessing
  • Addition of simple guessing for whether a system is an embedded device, and reporting what it is
  • Plugin to use OWASP's dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)
  • Plugin to attempt to brute force domains (as mutate 5)
  • Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing
  • Support for NTLM authentication
  • Lots of bug fixes and new security checks

You can download Nikto 2.1.0 here:
nikto-current.tar.gz

Yokoso! – Web Infrastructure Fingerprinting & Delivery Tool

Yokoso! is a project focused on creating fingerprinting code that is deliverable through some form of client attack. This can be used during penetration tests that combine network and web applications. One of the most common questions we hear is “so what can you do with XSS?” and we hope that Yokoso! answers that question.
We will be creating JavaScript and Flash objects that can be delivered via XSS attacks. These code payloads will contain the fingerprinting information used to map out a network and the devices and software it contains.
In basic terms Yokoso! is a collection of infrastructure fingerprints. These fingerprints are useful during penetration tests to determine both what infrastructure is in use and to determine who are the admins of that infrastructure. It is built using the URIs of the web administration interfaces.
You can download Yokoso! v0.1 here:
yokoso.0.1.tar.gz

Binging (BETA) – Footprinting & Discovery Tool (Google Hacking)

It’s been a while since I’ve seen a tool of this type, back in the heydays of Google Hacking (which became the generic term for information gathering via search engines) there were multiple tools such as Gooscan and Goolag.

Binging is a simple tool to query the Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross-domain footprinting of Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various directives like site, ip etc. and run queries against the engine. On top of that, the tool provides filtering capabilities, so you can ask for unique URLs or hosts. It is also possible to filter results by applying the power of regular expressions. Get your Bing API key and use this tool for your audit, assessment and research.

You can download Binging here:

Binging.zip

hostmap 0.2 – Automatic Hostname & Virtual Hosts Discovery Tool

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby, licensed under GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.
hostmap uses several techniques to help you enumerate all the hostnames associated with an IP address.
Features
  • DNS names and virtual hosts enumeration
  • Multiple discovery techniques; see the documentation to read more.
  • Results correlation, aggregation and normalization
  • Multithreaded and event based engine
  • Platform independent
Changes/New Features in v0.2
  • Fully refactored and rewritten in Ruby.
  • User requested interrupt (CTRL+C) now is handled.
  • Added Rakefile to automate tasks, for example rebuilding the readme and API documentation.
  • Changed info gathering plugin architecture. Now using PlugMan library.
  • Added some host names to brute forcing dictionaries.
  • Added parsing of alternate subject (subjectAltName) from X.509 certificates.
  • Added info gathering plugin using dnshistory.org.
  • Added wildcard domains detection.
  • Added wildcard X.509 certificate detection.
  • Added -d option to use a user supplied list of DNS servers
  • Added blacklist for second level TLD (for example co.uk) detection.
  • Added an enumeration plugin to use Microsoft Bing via API. API key must be provided in configuration file.
  • Added a configuration file (hostmap.conf) to keep user settings.
  • Added option --http-ports to specify the ports to check for an HTTP/HTTPS service.
You can see the complete list of changes here.
The user manual is available here – README.pdf [PDF]
You can download hostmap 0.2 here:
hostmap-0.2.tar.gz

FindDomains v0.1.1 Released – Discover Domains/Sites/Hosts

FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers who need to discover domain names/web sites/virtual hosts located on many IP addresses. It provides a console interface so you can easily integrate this tool into your pentest automation system.

It retrieves domain names/web sites which are located on specified ip address/hostname.

In order to use FindDomains you need to:

Create an appid from “Bing Developers” at this link.
It will look like this: 32AFB589D1C8B4FEC73D4BCB6EA0AD810E0FA2C7
When you have registered an appid, enter it to the “appid.txt” which is in the program directory.

Features

  • Uses the Bing search engine. Works with the first 1000 records.
  • Multithreaded crawling and DNS resolution.
  • Performs DNS resolution for extracted domains to eliminate cached/old records.
  • Has a console interface so it can be very useful with some command-line foo.
  • Works with Mono, but running under Windows is more efficient.

Sample usage

FindDomains.exe 1.2.3.4

FindDomains.exe www.hotmail.com

Requirements

.NET Framework 3.5. Also working with Mono.

You can download FindDomains v0.1.1 here:
FindDomainsv0.1.1.rar

sqlmap 0.7 Released – Automatic SQL Injection Tool

For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.
Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.
Recent Changes
Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:
  • Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
  • Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
  • Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows, because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
  • This makes sqlmap 0.7 work again on Windows too.
  • Minor improvement so that sqlmap also tests all parameters with no value (e.g. par=).
  • HTTPS requests over an HTTP proxy now work on Python 2.4, 2.5 and 2.6+.
For a complete list of changes view the ChangeLog.
The manual is available here – README.pdf [PDF]
You can download sqlmap 0.7 here:
Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Slowloris – HTTP DoS Tool in PERL

This tool has been hitting the news, including some mentions in the SANS ISC Diary.

It’s not actually a new attack (it’s been around since 2005) but this is the first time a packaged tool has been released for the attack.

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow.

Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site.

So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.

Slowloris lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time.

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • Squid

There are also a number of webservers that this doesn’t affect, in the author’s testing:

  • IIS6.0
  • IIS7.0
  • lighttpd
  • nginx
  • Cherokee (verified by user community)
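The mechanism described above has a clear server-side signature: many connections from one address that are old, have never finished their header block, and are receiving bytes far more slowly than any browser sends them. The Python below is an added example for this page (it is not from the Slowloris tool or any web server) showing how an operator might flag that pattern from a snapshot of the connection table; the Conn record, the thresholds and the sample snapshot with its documentation-range addresses are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    """One entry from a (constructed) snapshot of the server's connection table."""
    client_ip: str
    opened_at: float        # epoch seconds when the socket was accepted
    bytes_received: int     # request bytes read so far
    headers_complete: bool  # has the blank line ending the header block arrived?


def flag_slow_clients(conns: List[Conn], now: float, max_age: float = 30.0,
                      min_rate: float = 50.0, per_ip_threshold: int = 10) -> Dict[str, int]:
    """Return {ip: count} for clients holding many old, still-incomplete requests.

    A slow-header client never finishes its header block and trickles bytes at a rate
    far below a real browser, so the combination (age > max_age, headers incomplete,
    bytes/second < min_rate) repeated per_ip_threshold times from one address is the
    signal. A legitimately slow link usually fails one of the tests, not all three.
    """
    stuck = defaultdict(int)
    for c in conns:
        age = now - c.opened_at
        if c.headers_complete or age < max_age:
            continue
        if c.bytes_received / age < min_rate:
            stuck[c.client_ip] += 1
    return {ip: n for ip, n in stuck.items() if n >= per_ip_threshold}


def pool_saturation(conns: List[Conn], max_workers: int) -> float:
    """Fraction of the worker pool held by requests whose headers have not arrived.
    Alert on this number too: it is what actually takes the site down."""
    incomplete = sum(1 for c in conns if not c.headers_complete)
    return incomplete / max_workers


def sample_snapshot(now: float) -> List[Conn]:
    """Constructed sample: 40 trickle connections from one address plus normal traffic."""
    conns = [Conn("198.51.100.7", now - 120 - i, 300 + i, False) for i in range(40)]
    conns += [Conn("203.0.113.%d" % (i + 1), now - 2, 800, True) for i in range(8)]
    # One slow but real client: old and incomplete, yet still sending at a normal rate.
    conns.append(Conn("203.0.113.50", now - 45, 6000, False))
    return conns


if __name__ == "__main__":
    now = 1_700_000_000.0
    snap = sample_snapshot(now)
    print(flag_slow_clients(snap, now))          # {'198.51.100.7': 40}
    print(round(pool_saturation(snap, 150), 3))  # 0.273
```

The same "headers must arrive at a minimum rate" rule can be enforced in the server itself rather than detected after the fact: Apache's mod_reqtimeout, for instance, does this with a directive such as RequestReadTimeout header=20-40,MinRate=500, which closes a connection whose header block does not complete within the window. Event-driven servers such as nginx and lighttpd, listed above as unaffected, do not tie a worker to each idle socket in the first place.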

You can download Slowloris here:
slowloris.pl

Watcher – Passive Analysis Tool For HTTP Web Applications

Watcher is a run time passive-analysis tool for HTTP-based Web applications. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads, cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

  • Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, and CSS
  • Works seamlessly with complex Web 2.0 applications while you drive the Web browser
  • Non-intrusive, will not raise alarms or damage production sites
  • Real-time analysis and reporting – findings are reported as they’re found, exportable to XML
  • Configurable domains with wildcard support
  • Extensible framework for adding new checks

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Watcher works seamlessly with today’s complex Web 2.0 applications by running silently in the background while you drive your browser and interact with the Web-application.

Watcher is built in C# as a small framework with 30+ checks already included. It’s built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments.
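To make "passive check" concrete: each check only reads a response that the browser already fetched and never sends anything of its own. The Python below is an added example for this page, not Watcher's C# code, with three checks of the kind the feature list names (cookie flags, version-disclosing headers and missing charset, and revealing HTML comments) run over a constructed response; the header list, the body and the keyword list are all made up for the example.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Headers whose value often carries a product version (constructed list for this example).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SENSITIVE_RE = re.compile(r"\b(todo|fixme|password|passwd|debug|internal)\b", re.I)


def check_cookies(headers: List[Header], https: bool) -> List[str]:
    """Flag Set-Cookie headers lacking HttpOnly, or lacking Secure on an HTTPS response."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append("cookie %s: missing HttpOnly" % cookie_name)
        if https and "secure" not in attrs:
            findings.append("cookie %s: missing Secure on HTTPS response" % cookie_name)
    return findings


def check_headers(headers: List[Header]) -> List[str]:
    """Flag version disclosure and HTML served without an explicit charset."""
    findings = []
    for name, value in headers:
        n = name.lower()
        if n in VERSION_HEADERS and re.search(r"\d+\.\d+", value):
            findings.append("%s header discloses a version: %s" % (name, value))
        if n == "content-type" and value.lower().startswith("text/html") \
                and "charset=" not in value.lower():
            findings.append("Content-Type for HTML has no charset; the browser will sniff the encoding")
    return findings


def check_comments(body: str) -> List[str]:
    """Flag HTML comments that look like developer notes or credentials."""
    findings = []
    for m in COMMENT_RE.finditer(body):
        text = " ".join(m.group(1).split())
        if SENSITIVE_RE.search(text):
            findings.append("HTML comment may leak information: " + text[:60])
    return findings


def analyze_response(headers: List[Header], body: str, https: bool = True) -> List[str]:
    """Run all passive checks over one captured response; nothing is sent to the server."""
    return check_cookies(headers, https) + check_headers(headers) + check_comments(body)


# Constructed sample response, as a proxy like Fiddler would hand it to a plugin.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.11 (Unix)"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = """<html><!-- TODO: remove debug password before launch -->
<body><!-- layout: two column --><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for finding in analyze_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

Run on the sample, the JSESSIONID cookie produces two findings and the lang cookie none, which is the shape of result a passive tool gives you: it cannot tell you whether a session can be hijacked, only that the controls that would make that harder are absent on a specific response.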

You can download Watcher here:
Watcher.zip

Durzosploit v0.1 – JavaScript Exploit Generation Framework

Durzosploit is a JavaScript exploit generation framework that works through the console. The goal of the project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.
Please note that Durzosploit does not find browser vulnerabilities; it is only a framework containing exploits you can use.
At present there aren’t many exploits:
  • twitter.com/update_status – Updates a target’s status
  • twitter.com/update_settings – Updates your target’s settings
  • facebook.com/what_is_on_your_mind – Write your message in your target’s mind
  • drupal/edit_user_profile – Drupal 6.x – edit the profile of the user
  • drupal/logout – Drupal 6.x – makes target logout
So far the author’s focus has been on the framework itself; allowing people to quickly write their exploits and adding some automated obfuscators.
Durzosploit provides some obfuscators to automatically pack/minify your generated exploit.
You can download the latest version from the Durzosploit SVN here:
svn co svn://www.engineeringforfun.com/svn/durzosploit/trunk

Pangolin – Automatic SQL Injection Tool

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Database Support

  • Access: Information (Database Path; Root Path; Drivers); Data
  • MSSql: Information; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
  • MySql: Information; Data; FileReader; FileWriter;
  • Oracle: Information (Version; IP; Database; Accounts ……); Data; and any others;
  • Informix: Information; Data
  • DB2: Information; Data; and more;
  • Sybase: Information; Data; and more;
  • PostgreSQL: Information; Data; FileReader;
  • Sqlite: Information; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:
pangolin_free_edition_2.1.2.924.rar (Download Page)

BugSpy – Crawls The Web For Open Source Software Bugs

BugSpy is an interesting web site I came across recently; put together using a Python framework (Django), it aggregates bugs from as many open source projects as it can find, preferably critical bugs.
You can search by tag (e.g. java, email or php) or by product name (e.g. Ubuntu, Typo3 or Samba).
http://bugspy.net/

Webtunnel 0.0.2 – HTTP Encapsulation and Tunnel Tool

Webtunnel is a network utility that encapsulates arbitrary data in HTTP and transmits it through a web server. In that regard it is similar to httptunnel; however, it has several important differences: its server component runs in the context of a web server as a CGI application (with optional FastCGI support), so it does not need its own port and supports most things that the web server supports, such as authentication, HTTP 1.1, HTTPS and client certificates; it uses simple requests and responses, so it works seamlessly through forward and reverse proxies; and it is multi-threaded (actually multi-process, using sockets for inter-process communication) to allow multiple parallel connections to multiple destinations simultaneously.

It’s written in Perl and currently supports the tunneling of TCP connections. Future plans include implementations in different languages, mixed tunneling of UDP and pipes (so you can tunnel directly to a shell etc.), configuration features such as access control lists, and transmission options like compression and encryption.

You can download Webtunnel 0.0.2 here:
webtunnel-0.0.2.tgz

WMAT Released – Web Mail Auth Tool For Testing Web Mail Logins

WMAT is a Web Mail Auth Tool that provides some essential functions for testing web mail logins, written in Python with pyCurl support.
How does it work?
It is very simple: you give WMAT a file with usernames, a file with passwords and the URL of the web mail app, and choose a pattern for the attack. Patterns are XML files that define the POST/GET fields, HTTP method, referer, success tag, etc. for each web mail application.
There are currently patterns for horde, squirrelmail, kerio and mdaemon web mail.
The XML pattern files look like this:
--- horde.wmat.xml ---
<?xml version='1.0' encoding='UTF-8'?>
<data>
<username>horde_user</username>
<password>horde_pass</password>
<action_url>login.php</action_url>
<success>sidebar.php</success>
<method>post</method>
<useragent></useragent>
<referer></referer>
<additional_fields></additional_fields>
<author>ivan.markovic@netsec.rs</author>
</data>
-----------------------
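As an added example (not WMAT’s own code), the following Python loads a pattern file in the layout shown above, validates the required elements, and shows how the fields map onto one login request and the success check. Two assumptions are labelled in the code: <additional_fields> holds extra form fields as a query-string fragment (name=value&name2=value2), and the <success> value is a substring that must appear in the post-login response. The sample pattern, author address and base URL are constructed.

```python
"""Load and validate a WMAT-style pattern file (added example, not WMAT code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urljoin

REQUIRED = ("username", "password", "action_url", "success", "method")
OPTIONAL = ("useragent", "referer", "additional_fields", "author")

# Constructed sample in the horde.wmat.xml layout; the additional_fields
# value uses an assumed name=value&name2=value2 encoding.
SAMPLE_PATTERN = """<?xml version='1.0' encoding='UTF-8'?>
<data>
<username>horde_user</username>
<password>horde_pass</password>
<action_url>login.php</action_url>
<success>sidebar.php</success>
<method>post</method>
<useragent></useragent>
<referer></referer>
<additional_fields>login_post=1&amp;new_lang=en_US</additional_fields>
<author>pattern-author@example.invalid</author>
</data>
"""


def load_pattern(xml_text):
    """Parse a pattern; raise ValueError on a missing field or bad method."""
    root = ET.fromstring(xml_text)
    if root.tag != "data":
        raise ValueError("root element must be <data>")
    pattern = {}
    for tag in REQUIRED:
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing required element <{tag}>")
        pattern[tag] = node.text.strip()
    for tag in OPTIONAL:
        node = root.find(tag)
        pattern[tag] = (node.text or "").strip() if node is not None else ""
    method = pattern["method"].lower()
    if method not in ("get", "post"):
        raise ValueError(f"unsupported method {pattern['method']!r}")
    pattern["method"] = method
    # Assumption: extra form fields are encoded like a query string.
    pattern["additional_fields"] = dict(
        parse_qsl(pattern["additional_fields"], keep_blank_values=True))
    return pattern


def build_request(pattern, base_url, username, password):
    """Show how the pattern fields map onto one login request."""
    form = dict(pattern["additional_fields"])
    form[pattern["username"]] = username
    form[pattern["password"]] = password
    headers = {}
    if pattern["useragent"]:
        headers["User-Agent"] = pattern["useragent"]
    if pattern["referer"]:
        headers["Referer"] = pattern["referer"]
    return {"method": pattern["method"].upper(),
            "url": urljoin(base_url, pattern["action_url"]),
            "data": form, "headers": headers}


def login_succeeded(pattern, response_body):
    """Assumption: the <success> value is a substring of the post-login page."""
    return pattern["success"] in response_body


if __name__ == "__main__":
    p = load_pattern(SAMPLE_PATTERN)
    print(build_request(p, "https://webmail.example.invalid/horde/", "user", "pass"))
```

Running the script prints the resolved request for the sample pattern; a contributed pattern that is missing a required element or uses a method other than GET/POST is rejected with a ValueError, which is the check a pattern author would want before submitting it.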
The author of WMAT asks the community for help with the patterns; the author of each pattern will be credited in the author field of the XML file.
There are some more options, like setting a timeout (the time between each request), a bell on success and an option for writing output to a file. More can be seen in the Readme file here.
For future versions the following additions are planned:
  • using a proxy
  • special addon for generation of usernames/passwords
  • automatic recognizer of web app
You can download WMAT here:
wmat.zip
Python source.

Webshag 1.10 Released – Free Web Server Audit Tool

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.
You may remember back in March 2008 we published about Webshag 1.00 being released. Now Webshag 1.10 has been released! This new version provides several feature enhancements as well as some bug-fixes.
Webshag can be used to scan a web server over HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between requests more complicated (e.g. using a different, randomly chosen HTTP proxy server per request).
It also provides innovative functionalities like the capability of retrieving the list of domain names hosted on a target machine and file fuzzing using dynamically generated filenames (in addition to common list-based fuzzing).
Webshag’s URL scanner and file fuzzer are aimed at reducing the number of false positives and thus producing cleaner result sets. For this purpose, Webshag implements a web page fingerprinting mechanism resistant to content changes. This fingerprinting mechanism is then used in a false positive removal algorithm specially aimed at dealing with “soft 404” server responses.
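The soft-404 handling described above can be illustrated with a small, content-change-resistant fingerprint. The following Python is an added example, not Webshag’s own implementation: it performs no requests itself, but takes a baseline response for a path that cannot exist, reduces each page to its tag sequence plus stable words (echoed path, HTML comments and digit runs stripped), and discards any scan result whose fingerprint is close to that baseline. The HTML responses, paths and the 0.9 threshold are constructed assumptions.

```python
"""Soft-404 filtering with a content-change-resistant page fingerprint.
Added example, not Webshag's own implementation."""
import difflib
import re

# Constructed responses: a baseline for a path that cannot exist, a soft 404
# for another path (HTTP 200, same template, echoed path and counters differ),
# and a genuinely different page.
BASELINE_PATH = "/no-such-page-7f3a9c"
BASELINE_HTML = """<html><head><title>Not found</title></head>
<body><h1>Page not found</h1>
<p>Sorry, /no-such-page-7f3a9c does not exist. Request id 48213.</p>
<!-- served 12:04:55 -->
<div id="footer">Copyright 2011 Example Corp</div></body></html>"""

SOFT404_PATH = "/backup/"
SOFT404_HTML = """<html><head><title>Not found</title></head>
<body><h1>Page not found</h1>
<p>Sorry, /backup/ does not exist. Request id 48377.</p>
<!-- served 12:05:01 -->
<div id="footer">Copyright 2011 Example Corp</div></body></html>"""

REAL_PATH = "/login"
REAL_HTML = """<html><head><title>Sign in</title></head>
<body><form action="/login" method="post">
<label>User</label><input name="user">
<label>Password</label><input name="pass" type="password">
<button>Sign in</button></form>
<div id="footer">Copyright 2011 Example Corp</div></body></html>"""


def fingerprint(html, requested_path):
    """Reduce a page to its tag sequence plus stable words.

    The echoed request path, HTML comments and digit runs are removed first,
    so per-request noise (counters, timestamps) does not change the result.
    """
    text = html.replace(requested_path, "")
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    text = re.sub(r"\d+", "0", text)
    tags = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", text)
    words = re.findall(r"[A-Za-z]{3,}", re.sub(r"<[^>]*>", " ", text))
    return tags + words


def similarity(fp_a, fp_b):
    """Sequence-based similarity of two fingerprints, 0.0 .. 1.0."""
    return difflib.SequenceMatcher(None, fp_a, fp_b).ratio()


def is_soft_404(baseline_html, baseline_path, html, path, threshold=0.9):
    """True when a response looks like the server's not-found template."""
    return similarity(fingerprint(baseline_html, baseline_path),
                      fingerprint(html, path)) >= threshold


def filter_hits(baseline_html, baseline_path, responses, threshold=0.9):
    """Drop soft-404 responses from a list of (path, html) scan results."""
    return [path for path, html in responses
            if not is_soft_404(baseline_html, baseline_path, html, path, threshold)]


if __name__ == "__main__":
    hits = filter_hits(BASELINE_HTML, BASELINE_PATH,
                       [(SOFT404_PATH, SOFT404_HTML), (REAL_PATH, REAL_HTML)])
    print(hits)  # ['/login']
```

The design choice worth noting is that the comparison is done on structure and stable vocabulary rather than on raw bytes or a hash: the soft-404 page for /backup/ differs from the baseline in the echoed path, the request counter and the timestamp comment, yet still fingerprints identically, while the real login page falls well below the threshold.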
Requirements
To be fully functional, Webshag requires the following elements:
  • Python 2.5 or Python 2.6 (NOT compatible with Python 3.0)
  • wxPython 2.8.9.0 (or greater) GUI toolkit
  • Nmap port scanner (for port scanning module only)
  • A valid Live Search AppID (for domain information module only)
Just like the previous version, Webshag 1.10 is freely available (GPL license) for Linux and Windows platforms.
You can download Webshag 1.10 here:
Linux – ws110.tar.gz
Windows – ws110.zip
Windows (installer) – ws110_win32installer.zip
User Manual (EN) – ws110_manual.pdf

sqlsus 0.2 Released – MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in Perl.
Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…
It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.
sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.
It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.
Both quoted and numeric injections are supported.
All quoted texts can be translated to their hex equivalent (e.g. “sqlsus” becomes 0x73716c737573).
sqlsus also supports these two injection scenarios:
  • sighted : the result of the request will be in the HTML returned by the web server
  • blind : when you can’t see the result of the request directly
Support for GET and POST parameters injections.
Support for HTTP proxy and HTTP simple authentication.
Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.
Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.
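The hex translation above matters on the defensive side as well: MySQL reads 0x73716c737573 as the string ’sqlsus’, so a request can carry a string literal without a single quote character, and a filter or log search that looks only for quotes will not see it. The following Python is an added example, not sqlsus code, that decodes such literals in query-string parameters so the intended text can be reviewed or matched by a rule; the sample URLs are constructed.

```python
"""Decode MySQL hex string literals in request parameters before inspection.
Added example, not sqlsus code."""
import re
from urllib.parse import parse_qsl, urlparse

# 0x followed by an even number of hex digits, standing alone as a token
# (odd-length literals are left untouched rather than guessed at).
HEX_LITERAL = re.compile(r"\b0[xX]((?:[0-9a-fA-F]{2})+)\b")


def hex_literal_to_text(hexdigits):
    """'73716c737573' -> 'sqlsus' (undecodable bytes become U+FFFD)."""
    return bytes.fromhex(hexdigits).decode("utf-8", errors="replace")


def decode_hex_literals(value):
    """Rewrite every 0x... literal as the quoted string MySQL would see."""
    return HEX_LITERAL.sub(
        lambda m: "'" + hex_literal_to_text(m.group(1)) + "'", value)


def inspect_request(url):
    """Return (param, raw_value, decoded_value) for each parameter that
    carries a hex literal; empty list when nothing needs decoding."""
    findings = []
    for name, raw in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if HEX_LITERAL.search(raw):
            findings.append((name, raw, decode_hex_literals(raw)))
    return findings


# Constructed sample request lines as they might appear in an access log.
SAMPLE_URLS = [
    "/news.php?id=7",
    "/news.php?id=7%20UNION%20SELECT%200x73716c737573,2,3",
    "/search.php?q=box0x41&page=2",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        for name, raw, decoded in inspect_request(u):
            print(f"{u}: {name}={raw!r} -> {decoded!r}")
```

Only the second sample is reported; the word “box0x41” in the third is not a standalone literal and is left alone, which is the kind of false positive a naive substring search for “0x” would raise.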
Requirements
On a Debian system, in addition to Perl, you will need the following packages:
  • libterm-readline-perl-perl
  • libipc-shareable-perl
  • libwww-mechanize-perl
It also requires previous SQL injection knowledge, and.. well.. a brain helps.
You can download sqlsus 0.2 here:
sqlsus-0.2.tgz

ProxyStrike v2.1 Released – Active Web Application Proxy Tool

ProxyStrike is an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because of the problems we faced in the pentests of web applications that depend heavily on JavaScript; not many web scanners did well at this stage, so we came up with this proxy.
Right now it has SQL injection and XSS modules available. Both modules are designed to catch as many vulnerabilities as we can; that is why the SQL Injection module is a Python port of the great DarkRaver “Sqlibf”.
The process is very simple: ProxyStrike runs like a passive proxy listening on port 8008 by default, so you have to browse the desired web site with your browser set to use ProxyStrike as a proxy, and ProxyStrike will analyze all the parameters in background mode. For the user it is a passive proxy, because you won’t see any difference in the behaviour of the application, but in the background it is very active.
Features
  • Plugin engine (Create your own plugins!)
  • Request interceptor
  • Request diffing
  • Request repeater
  • Automatic crawl process
  • Save/restore session
  • HTTP request/response history
  • Request parameter stats
  • Request parameter values stats
  • Request URL parameter signing and header field signing
  • Use of an alternate proxy (tor for example)
  • Attack logs
  • Export results to HTML or XML
  • SQL attacks (plugin)
  • Server Side Includes (plugin)
  • XSS attacks (plugin)
You can download ProxyStrike v2.1 here:
ProxyStrike-v2.1.zip (Windows)
proxystrike-2.1.tar.bz2 (Linux)