Showing posts with label OWASP. Show all posts
Showing posts with label OWASP. Show all posts

Friday, 14 February 2014

OWASP Xenotix XSS Exploit Framework v5


OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

Following are the V5 Additions

  • Xenotix Scripting Engine
  • Xenotix API
  • V4.5 Bug Fixes
  • GET Network IP (Information Gathering)
  • QR Code Generator for Xenotix xook
  • HTML5 WebCam Screenshot(Exploitation Module)
  • HTML5 Get Page Screenshot (Exploitation Module)
  • Find Feature in View Source.
  • Improved Payload Count to 1630
  • Name Changes

Xenotix Scripting Engine and API


This release features the Xenotix Scripting Engine that works on the top of Xenotix API. The Scripting Engine helps you to create tools and test cases on the go based on your requirements. There are situations when you have to go the manual way and since the ruleset set of an automated tool is not applicable in certain situations. Xenotix Scripting Engine powered by Xenotix API come into your rescue. Now you can make sure your tool works based on your requirements. Apply your Python scripting skills on the latest Scripting Engine.
Xenotix API features
  • 1630 XSS Detection Payloads.
  • An inbuilt GET Request XSS Fuzzer for Intelligent and Fast XSS Vulnerability Detection.
  • Analyze Response in Trident and Gecko Web Engines to make sure that there are no false positives.
  • Interact with Web Engines from the scope of a Python Script.
  • Make GET and POST Requests with one liner codes.

 Reguirements

Posted by at No comments:
Labels: , , , , , , , ,

Thursday, 13 February 2014

[OWASP iGoat] Security learning tool for iOS developers

The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.

iGoat is available ONLY in source code format, and this is the official repository for that code.

On the Downloads tab here, you will find the full iGoat source tree in tar format, or you can go to the Source tab for instructions on using Mercurial to grab (or clone) the source tree.

Be sure to also check out the Wiki tab here for useful documents related to the iGoat project. 


Posted by at No comments:
Labels: , , , , ,

Tuesday, 7 January 2014

[Xelenium] Security Testing with Selenium


Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.


Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/

Posted by at No comments:
Labels: , , , , , , , ,

Thursday, 2 January 2014

[DirBuster] Brute Force Directories and Files Names on Web/Application Servers


DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)


Posted by at No comments:
Labels: , , , , , , , , ,

Friday, 20 December 2013

[OWASP CSRFTester] Facilitates Ability to Test Applications for CSRF


OWASP CSRFTester is a tool for testing CSRF vulnerability in websites. Just when developers are starting to run in circles over Cross Site Scripting, the 'sleeping giant' awakes for yet another web-catastrophe. Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws. 
Posted by at No comments:
Labels: , , , , , , , ,

Wednesday, 4 December 2013

[OWASP GoatDroid] Project that will help educate security to application developers Android

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.


As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well. GoatDroid is composed of the following components:


  • GUI application used to present information, interact with the SDK and control the web services
  • Android applications containing horrifically vulnerable code
  • Embedded Jetty web server
  • Embedded Derby database


Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!

Posted by at No comments:
Labels: , , , ,

Wednesday, 13 November 2013

OWASP Xenotix XSS Exploit Framework v4.5


Version 4.5 Additions
  • JavaScript Beautifier
  • Pause and Resume support for Scan
  • Jump to Payload
  • Cookie Support for POST Request
  • Cookie Support and Custom Headers for Header Scanner
  • Added TRACE method Support
  • Improved Interface
  • Better Proxy Support
  • WAF Fingerprinting
  • Load Files
  • Hash Calculator
  • Hash Detector

Posted by at No comments:
Labels: , , , , , , , ,

Friday, 20 September 2013

[OWASP Zed Attack Proxy 2.2.1] Tool for finding vulnerabilities in web applications (Now supports CWE)

OWASP Zed Attack Proxy (ZAP) An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

Some of ZAP’s features:
Some of ZAP’s characteristics:
  • Easy to install (just requires java 1.6)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Under active development
  • Open source
  • Free (no paid for ‘Pro’ version)
  • Cross platform
  • Involvement actively encouraged
Posted by at No comments:
Labels: , , , , , , ,

Friday, 13 September 2013

[OWASP ZAP] Herramienta de Pentest para encontrar vulnerabilidades en aplicaciones web

OWASP ZAP, una de las herramientas absolutamente indispensable en el arsenal de cualquier pentester, acaba de liberar su versión 2.2.0

Esta fabulosa herramienta, que además es gratuita, no para de progresar y añadir nuevas funcionalidades. Un enorme ¡GRACIAS! a OWASP por hacer que el proyecto crezca y siga adelante.

Esta versión trae interesantes novedades como por ejemplo soporte para Mozilla Zest, un motor de scripting orientado a herramientas de seguridad en entornos web.

Así mismo también han integrado soporte para 'Plug-n-Hack', un estándar promovido por Mozilla para definir una forma elegante y funcional de integrar herramientas de seguridad en el navegador.

Adicionalmente se han hecho -literalmente- un montón de correcciones de fallos y se han añadido nuevas funcionalidades, se puede consultar la lista entera aquí

Y luce tal que así


Fuente: http://www.securitybydefault.com/

Posted by at No comments:
Labels: , , , , ,

Sunday, 8 September 2013

[OWASP Broken Web Applications Project VM v1.1] Collection of vulnerable web applications

The Broken Web Applications (BWA) Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.


The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:
  • Learning about web application security
  • Testing manual assessment techniques
  • Testing automated tools
  • Testing source code analysis tools
  • Observing web attacks
  • Testing WAFs and similar code technologies
  • All the while saving people interested in doing either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.


Changelog v1.1 (2013-07-30)

  • Updated Mutillidae, Cyclone, and WAVSEP.
  • Updated OWASP Bricks and configured it to pull from SVN.
  • Fixed ModSecurity CRS blocking and rebuilt ModSecurity to include LUA support.
  • Increased VM’s RAM allocation to 1Gb.
  • Set Tomcat to run as root (to allow some traversal issues tested by WAVSEP).
  • Updated landing page for OWASP 1-Liner to reflect that the application is not fully functional.
More Information: here

Posted by at No comments:
Labels: , , ,

Tuesday, 6 August 2013

[OWASP Xenotix XSS Exploit Framework v4 2013] Herramienta para detectar errores de Cross Site Scripting (XSS)


OWASP Xenotix XSS Exploit Framework es un herramienta para detectar errores de Cross Site Scripting (XSS). Xenotic ofrece un scanner triple para los motores de renderizado Trident de IE, WebKit de Chrome, Safari y Opera y Gecko de Mozilla Firefox y tiene más de 1.500 payloads distintivos para detectar eficientemente vulnerabilidades XSS y sobrepasar los WAF más utilizados.

Además, incorpora un módulo de recopilación de información para realizar reconocimiento del objetivo e incluye módulos de explotación ofensivos para realizar pruebas de penetración y pruebas de concepto sobre el mismo.

Módulos de escaneo

  • Manual Mode Scanner
  • Auto Mode Scanner
  • DOM Scanner
  • Multiple Parameter Scanner
  • POST Request Scanner
  • Header Scanner
  • Fuzzer
  • Hidden Parameter Detector 

Information Gathering

  • Victim Fingerprinting
  • Browser Fingerprinting
  • Browser Features Detector
  • Ping Scan
  • Port Scan
  • Internal Network Scan

Explotación

  • Send Message
  • Cookie Thief
  • Phisher
  • Tabnabbing
  • Keylogger
  • HTML5 DDoSer
  • Executable Drive By
  • JavaScript Shell
  • Reverse HTTP WebShell
  • Drive-By Reverse Shell
  • Metasploit Browser Exploit
  • Firefox Reverse Shell Addon (Persistent)
  • Firefox Session Stealer Addon (Persistent)
  • Firefox Keylogger Addon (Persistent)
  • Firefox DDoSer Addon (Persistent)
  • Firefox Linux Credential File Stealer Addon (Persistent)
  • Firefox Download and Execute Addon (Persistent)

Utilidades

  • WebKit Developer Tools
  • Payload Encoder 

Desde aquí se puede descargar el paper de su autor, ver los videos introductorios y la herramienta.


Posted by at No comments:
Labels: , , , , , , , ,

Wednesday, 17 July 2013

[OWASP Zed Attack Proxy 2.1.0] An easy to use integrated penetration testing tool for finding vulnerabilities in web applications


The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.


Some of ZAP's functionality:

Some of ZAP's features:
  • Open source
  • Cross platform
  • Easy to install (just requires java 1.7)
  • Completely free (no paid for 'Pro' version)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

It supports the following languages:
  • English
  • Arabic
  • Albanian
  • Brazilian Portuguese
  • Chinese
  • Danish
  • Filipino
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Persian
  • Polish
  • Russian
  • Spanish 

Posted by at No comments:
Labels: , , , , , , , ,

Wednesday, 12 June 2013

[OWASP Bricks] Modular Deliberately Vulnerable Web Application

  •  Bricks is a deliberately vulnerable web application built on PHP and MySQL.
  • The project focuses on variations of commonly seen application security vulnerabilities and exploits.
  • Each 'brick' has some sort of vulnerability which can be exploited using tools (Mantra and ZAP).
  • The mission is to 'break the bricks' and thus learn the various aspects of web application security.

 Bricks

Challenge Page URL Documentations
1 Log in page #1 bricks/login-1/ Text, Video
2 File upload page #1 bricks/upload-1/ Text, Video
3 Content page #1 bricks/content-1/ Text, Video
4 Log in page #2 bricks/login-2/ Text, Video
5 Content page #2 bricks/content-2/ Open for public to break.

Road map

  1. Demonstrate maximum variations of most common vulnerabilities
  2. Help people to learn the need of secure codding practices and SSDLC
  3. Attract people to design more bricks
  4. Become a test bed for analyzing the performance of web application security scanners.
  5. Help people learn the manual method of testing the applications
  6. Demonstrate the possibilities of various security tools and techniques
  7. Become a platform to teach web application security in a class room/lab environment. 

Posted by at No comments:
Labels: , , , ,
Subscribe to: Comments (Atom)