
Thursday, 2 January 2014

[Sandcat Browser 4.4] The fastest web browser combined with the fastest scripting language packed with features for pen-testers


Sandcat Browser is the fastest web browser combined with the fastest scripting language, packed with features for pen-testers. It is a freeware, portable, pen-test oriented, multi-tabbed web browser with extension support, developed by the Syhunt team. Sandcat is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.

Some of its unique features include:
  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command line console that allows you to easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.

Features inherited from Chromium include:
  • Multi-Process Architecture — each tab is its own process
  • Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

Monday, 23 September 2013

[Syhunt Sandcat Browser v4.1] A Penetration-oriented browser (extended to Web Application Assessment)


Sandcat Browser 4 brings unique features that are useful for pen-testers and web developers. Sandcat is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.

Features

  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command line console that allows you to easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.

Pentesting tools

  • Cookies and Cache Viewers
  • JavaScript Executor extension — allows you to load and run external JavaScript files
  • Lua Executor extension — allows you to load and run external Lua scripts
  • Page Menu extensions — allows you to view the page headers, cookies, whois information and more
  • Request Editor extension with request loading capabilities
  • Request Editor (Low-Level version)
  • Request Viewer — allows you to view details about a request or replay a request.
  • Ruby Console extension
  • Sandcat Tasks (Extensions that run as isolated processes):
    • Fuzzer extensions with multiple modes and support for filters
    • CGI Scanner extension
    • HTTP Brute Force
  • Script Runner extension — can execute scripts in a variety of languages
  • Tor Button extension — Anonymity for standard browsing
  • XHR Editor
  • Various Encoders/Decoders, new Sandcat Console commands, security related search engine options, and more

Web application hacking is based on QuickInject

QuickInject is an extensive toolkit for manual web application security assessment. It allows you to tailor injection requests that you can send or load using Sandcat, and can be used for a number of different operations, such as URL and POST Data Manipulation, Filter Evasion, Referer and User-Agent Spoofing, and HTTP Header Manipulation. In addition to building requests, QuickInject can also be used to execute JavaScript in a loaded page. The first release of QuickInject is focused on File Inclusion, XSS and SQL Injection and comes with the following options:
  • SQL Injection functions
    • Filter Evasion – Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
    • Filter Evasion (MySQL-Specific) – String Concatenation, Percent Obfuscation & Integer Representation (e.g. ‘26’ becomes ‘ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)’, a technique presented by Johannes Dahse).
    • UNION Statement Maker
    • Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
  • File Inclusion functions
    • One-Click Log Poisoning
    • Quick Shell Upload code generator
    • PHP String Escape (chr)
  • Cross-Site Scripting (XSS) functions
    • Filter Evasion – JavaScript String Escape (String.fromCharCode), CSS Escape
    • Various handy alert statements for testing for XSS vulnerabilities.
  • Hash functions
    • MD5 Hash Crackers – Built-in (offline) and online MD5 hash crackers
    • Hash Generators – MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
  • Encoders/Decoders
    • URL Encoder/Decoder
    • Hex Encoder/Decoder – Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
    • Base64 Encoder/Decoder
    • CharCode Converter – Converts a string to charcodes (e.g. ‘abc’ becomes ‘97,98,99’) or vice-versa.
    • IP Obfuscator – Converts an IP to dword, hex or octal.
    • JavaScript Encoders – Such as JJEncode by Yosuke HASEGAWA
  • HTML functions
    • HTML Escape/Unescape
    • HTML Entity Encoder/Decoder – Decimal and hexadecimal HTML entity encoders & decoders
    • JavaScript String Escape
  • Text Manipulation functions – Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
  • Time-Based Blind Injection code – Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
  • CRC Calculators – CRC16, CRC32, CRC32b, and more.
  • Classical Ciphers – ROT13 & ROT[N]
  • Checksum Calculators – Adler-32 & Fletcher
  • Buffer Overflow String Creator
  • Random String & Number Generation functions
  • URL Splitter
  • Useful Strings – Math, character sets and more.

Wednesday, 29 May 2013

[Sandcat Browser 4.0] The fastest web browser with many useful security and developer oriented tools


Sandcat Browser, the fastest web browser with many useful security and developer oriented tools, has been updated to version 4.0, which pairs it with the fastest scripting language and is packed with features for pen-testers.

Sandcat 4 adds a large number of enhancements, new features, extensions and bug fixes, and provides a dramatically improved user experience on several fronts.
Sandcat 4 adds several new pen-tester extensions as part of the new incarnation of its Pen-Tester Tools extension pack. This includes a Request Loader, an XHR Editor, an XHR Fuzzer, a CGI Scanner, an HTTP Brute Force extension, enhanced request editors, enhanced script runners, and more.

The new version comes with a revamped and enhanced Live Headers. You can now view not only the request headers and response headers but also the response of HTTP requests and XHR calls. The captured requests can be viewed, exported to and imported from individual files via its Live Headers bar.

It adds the ability to save the full request details of captured requests as part of a Sandcat Live Headers export file. Sandcat 4 also comes with an enhanced version of the Sandcat Console, and it is now possible not only to add custom commands but also to create custom consoles.