WebSurgery

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Suite currently contains a spectrum of efficient, fast and stable web tools (Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality tools (Scripting Filters, List Generator, External Proxy).


Main Tools
Crawler
  • High Performance Multi-Threading and Completely Parameterized Crawler
  • Extracts Links from HTML / CSS / JavaScript / AJAX / XHR
  • Hidden Structure Identification with Embedded Bruteforcer
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Limit Rules (Case Sensitive, Process Above / Below, Dir Depth, Max Same File / Script Parameters / Form Action File)
  • Parameterized Extra Rules (Fetch Indexes / Sitemaps, Submit Forms, Custom Headers)
  • Supports Advanced Filters with Scripting & Regular Expressions (Process, Exclude, Page Not Found, Search Filters)
Bruteforcer
  • High Performance Multi-Threading Bruteforcer for Hidden Structure (Files / Directories)
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Rules (Base Dir, Bruteforce Dirs / Files, Recursive, File Extension, Custom Headers)
  • Parameterized Advanced Rules (Send GET / HEAD, Follow Redirects, Process Cookies)
  • Supports Advanced Filters with Scripting & Regular Expressions (Page Not Found, Search Filters)
  • Supports List Generator with Advanced Rules
Fuzzer
  • High Performance Multi-Threading Fuzzer Generates Requests based on Initial Request Template
  • Exploitation for (Blind) SQL Injections, Cross Site Scripting (XSS), Denial of Service (DOS), Bruteforce for Username / Password Authentication Login Forms
  • Identification of Improper Input Handling and Firewall / Filtering Rules
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Advanced Rules (Follow Redirects, Process Cookies)
  • Supports Advanced Filters with Scripting & Regular Expressions (Stop / Reset Level, Search Filters)
  • Supports List Generator with Advanced Rules
  • Supports Multiple Lists with Different Levels
Proxy
  • Proxy Server to Analyze, Intercept and Manipulate Traffic
  • Parameterized Listening Interface IP Address & Port Number
  • Supports Advanced Filters with Scripting & Regular Expressions (Process, Intercept, Match-Replace, Search Filters)
Editor
  • Advanced ASCII / HEX Editor to Manipulate Individual Requests
  • Parameterized Timing Settings (Timeout, Max Data Size, Retries)
  • Automatically Fix Request (Content-Length, New Lines at End)
Extra Tools
Scripting Filters
  • Advanced Scripting Filters to Filter Specific Requests / Responses
  • Main Variables (url, proto, hostport, host, port, pathquery, path, query, file, ext)
  • Request Variables (size, hsize, dsize, data, hdata, ddata, method, hasparams, isform)
  • Response Variables (size, hsize, dsize, data, hdata, ddata, status, hasform)
  • Operators =, !=, ~, !~, >=, <=, >, <
  • Conjunctions &, |
  • Supports Reverse Filters and Parenthesis
List Generator
  • List Generator for Different List Types (File, Charset, Numbers, Dates, IP Addresses, Custom)
  • Parameterized Rules (Prefix, Suffix, Case, Reverse, Fixed-Length, Match-Replace)
  • Parameterized Crypto / Hash Rules (URL, URL All, HTML, BASE-64, ASCII, HEX, MD5, SHA-512)
External Proxy
  • External Proxy Redirects Traffic to Another Proxy
  • Supports Non-Authenticated Proxies (HTTP, SOCKS4, SOCKS5)
  • Supports Authenticated Proxies (HTTP Basic, SOCKS5 Username/Password)
  • Supports DNS Lookups at Proxy Side
          

0 comments:

Never Forget To Say Thanks :D

sqlmap [SQL Injection Tool]

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

[Download]

0 comments:

Never Forget To Say Thanks :D

Wapiti 2.3.0

Wapiti allows you to audit the security of your web applications.

It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.


Wapiti can detect the following vulnerabilities :
  • File disclosure (Local and remote include/require, fopen, readfile...)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command Execution detection (eval(), system(), passtru()...)
  • CRLF Injection (HTTP Response Splitting, session fixation...)
  • XXE (XmleXternal Entity) injection
  • Use of know potentially dangerous files (thanks to the Nikto database)
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information (source code disclosure)
Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart and can inject payloads in filenames (upload).
Display a warning when an anomaly is found (for example 500 errors and timeouts)
Makes the difference beetween permanent and reflected XSS vulnerabilities.

General features :
  • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
  • Can suspend and resume a scan or an attack
  • Can give you colors in the terminal to highlight vulnerabilities
  • Different levels of verbosity
  • Fast and easy way to activate/deactivate attack modules
  • Adding a payload can be as easy as adding a line to a text file
Browsing features

  • Support HTTP and HTTPS proxies
  • Authentication via several methods : Basic, Digest, Kerberos or NTLM
  • Ability to restrain the scope of the scan (domain, folder, webpage)
  • Automatic removal of a parameter in URLs
  • Safeguards against scan endless-loops (max number of values for a parameter)
  • Possibility to set the first URLs to explore (even if not in scope)
  • Can exclude some URLs of the scan and attacks (eg: logout URL)
  • Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
  • Can activate / deactivate SSL certificates verification
  • Extract URLs from Flash SWF files
  • Try to extract URLs from javascript (very basic JS interpreter)
  • HTML5 aware (understand recent HTML tags)
  • Wapiti is a command-line application.

    Here is an exemple of output against a vulnerable web application.
    You may find some useful informations in the README and the INSTALL files.

    0 comments:

    Never Forget To Say Thanks :D

    OWASP GoatDroid

    OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.
    As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.
    GoatDroid is composed of the following components:
    • GUI application used to present information, interact with the SDK and control the web services
    • Android applications containing horrifically vulnerable code
    • Embedded Jetty web server
    • Embedded Derby database
    Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!
    To get started, follow the steps in the Getting Started tutorial: https://github.com/jackMannino/OWASP-GoatDroid-Project/wiki/Getting-Started
    The latest version of GoatDroid can be downloaded here: https://github.com/jackMannino/OWASP-GoatDroid-Project/downloads

    0 comments:

    Never Forget To Say Thanks :D

    Sandboxie

    Sandboxie enables you to easily sandbox your browser and other programs, it runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can’t effect permanent changes to your computer. Instead, the changes are effected only in the sandbox.
    For those too lazy to set up a full on vm image for testing stuff, this is a pretty good alternative.

    Benefits of the Isolated Sandbox
    Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
    Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don’t leak into Windows.
    Secure E-mail: Viruses and other malicious software that might be hiding in your email can’t break out of the sandbox and can’t infect your real system.
    Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.
    Registration is optional but there is a nag screen after 30 days.

    0 comments:

    Never Forget To Say Thanks :D

    Gnome Dark 12.04

    Description

    Gnome Dark 12.04 64 bit
    This is my new Distro Respin Based off Penguy O.S. I loaded tons of icons and themes, Wallparers all pre-loaded out the box.This also has the the new dsktop Cinnamon 1.6
    environment. This has a lot of anonymous themes. I am not part of Anonymous just loved the movie v for vendetta.I would recommend trying this on virtual box or usb boot-loader.I hope you enjoy my work Please shoot a donation if like to see more distros like this. Thanks, Jesse

    Features

        PreLoaded Icons
        PreLoaded Themes
        Cinnamon 1.6
        Gnome 3.4.2
        Cairo (tweaked)
        Conky
        Splash screen changer
        Tweaked out O.S
        Dark Themes

    [screenshot]

    Download Here

    0 comments:

    Never Forget To Say Thanks :D

    Copyright © 2013 Hacking Tools and Tech eBooks Collection and Blogger Templates - Anime OST.