Showing posts with label OWASP. Show all posts
Showing posts with label OWASP. Show all posts

Tuesday, April 29, 2014

OWASP ZAP v2.3.0 - An easy to use integrated penetration testing tool for finding vulnerabilities in web applications



OWASP Zed Attack Proxy (ZAP) An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

Changelog v2.3.0, highlights

  • A ZAP ‘lite’ version in addition to the existing ‘full’ version
  • View, intercept, manipulate, resend and fuzz client-side (browser) events
  • Enhanced authentication support
  • Support for non standard apps
  • Input Vector scripts
  • Scan policy – fine grained control
  • Advanced Scan dialog
  • Extended command line options
  • More API support
  • Internationalized help file
  • Keyboard shortcuts
  • New UI options
  • More functionality moved to add-ons
  • New and improved active and passive scanning rules

Posted by at No comments:
Labels: , , , , , , , , , , , ,

Saturday, April 26, 2014

IronWASP 2014 - One of the world's best web security scannners


Find security issues on your website automatically using IronWASP, one of the world's best web security scannners.

Here's what is new:

1) Login recording
Now you can easily just record a login sequence and use it in vulnerability scans and other automated tests. See video tutorial.

2) Automatically testing for CSRF, Broken Authentication, Privilege Escalation and Hidden Parameters
Now IronWASP has a new section called Interactive Testing tools that let you automatically discover vulnerabilities that could only be discovered by manual testing.

3) Browser pre-configured for Manual Crawling
The most common problem with intercepting proxies is that you have to change your browser's proxy settings and import the tool's certificate as a trusted CA for SSL traffic. Even after doing this there is change that traffic from your regular browsing will get mixed with your test traffic. IronWASP solves all of these problems, it comes with a browser pre-configured to use IronWASP as proxy, it handles SSL certificate errors automatically (no need to import as CA) and since this is a separate browser it does not affect the regular browsing that you are doing in your other browser. See video.

4) DOM XSS Analyzer
If you understand what DOM XSS sources and sinks are and have the ability to understand and analyse JavaScript code then you will find this new utility really useful. It makes the process of discovering DOM XSS really easy for manual testers. See video tutorial.

5) XmlChor - XPATH Injection Exploitation tool
This version comes with a new Module called XmlChor written by Harshal Jamdade. This module can be used to automatically exploit XPATH Injection vulnerabilities and extract the backend XML file from the server. See video tutorial.

6) WiHawk - WiFi Router Vulnerability Scanner
There version has one more awesome module called WiHawk written by Anamika Singh. This module can be used to scan a range of IP addresses for WiFi routers that have default password and authentication bypass vulnerabilities. It also supports Shodan API to scan large number of devices on the internet. See video tutorial.


Posted by at No comments:
Labels: , , , , , , , , , ,

Friday, April 11, 2014

OWASP ZAP 2.3.0.1 - An easy to use integrated penetration testing tool for finding vulnerabilities in web applications



The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. 

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

Some of ZAP's functionality: 

Some of ZAP's features: 
  • Open source
  • Cross platform
  • Easy to install (just requires java 1.7)
  • Completely free (no paid for 'Pro' version)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

It supports the following languages: 
  • English
  • Arabic
  • Albanian
  • Brazilian Portuguese
  • Chinese
  • Danish
  • Filipino
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Persian
  • Polish
  • Russian
  • Spanish 


Posted by at No comments:
Labels: , , , , , , , , , , , , ,

Friday, February 14, 2014

OWASP Xenotix XSS Exploit Framework v5


OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

Following are the V5 Additions

  • Xenotix Scripting Engine
  • Xenotix API
  • V4.5 Bug Fixes
  • GET Network IP (Information Gathering)
  • QR Code Generator for Xenotix xook
  • HTML5 WebCam Screenshot(Exploitation Module)
  • HTML5 Get Page Screenshot (Exploitation Module)
  • Find Feature in View Source.
  • Improved Payload Count to 1630
  • Name Changes

Xenotix Scripting Engine and API


This release features the Xenotix Scripting Engine that works on the top of Xenotix API. The Scripting Engine helps you to create tools and test cases on the go based on your requirements. There are situations when you have to go the manual way and since the ruleset set of an automated tool is not applicable in certain situations. Xenotix Scripting Engine powered by Xenotix API come into your rescue. Now you can make sure your tool works based on your requirements. Apply your Python scripting skills on the latest Scripting Engine.
Xenotix API features
  • 1630 XSS Detection Payloads.
  • An inbuilt GET Request XSS Fuzzer for Intelligent and Fast XSS Vulnerability Detection.
  • Analyze Response in Trident and Gecko Web Engines to make sure that there are no false positives.
  • Interact with Web Engines from the scope of a Python Script.
  • Make GET and POST Requests with one liner codes.

 Reguirements

Posted by at No comments:
Labels: , , , , , , , ,

Thursday, February 13, 2014

[OWASP iGoat] Security learning tool for iOS developers

The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.

iGoat is available ONLY in source code format, and this is the official repository for that code.

On the Downloads tab here, you will find the full iGoat source tree in tar format, or you can go to the Source tab for instructions on using Mercurial to grab (or clone) the source tree.

Be sure to also check out the Wiki tab here for useful documents related to the iGoat project. 


Posted by at No comments:
Labels: , , , , ,

Tuesday, January 7, 2014

[Xelenium] Security Testing with Selenium


Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.


Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/

Posted by at No comments:
Labels: , , , , , , , ,

Thursday, January 2, 2014

[DirBuster] Brute Force Directories and Files Names on Web/Application Servers


DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)


Posted by at No comments:
Labels: , , , , , , , , ,

Friday, December 20, 2013

[OWASP CSRFTester] Facilitates Ability to Test Applications for CSRF


OWASP CSRFTester is a tool for testing CSRF vulnerability in websites. Just when developers are starting to run in circles over Cross Site Scripting, the 'sleeping giant' awakes for yet another web-catastrophe. Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws. 
Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Comments (Atom)