Pendule – WebDeveloper Equivalent In Chrome For Security Analysts

Posted by rajivvishwa On February - 12 - 2010


Free Web Vulnerability Assessment Tool – CAT

Posted by rajivvishwa On January - 27 - 2010


Subscribe to SecFox – Firefox Addon Collections

Posted by rajivvishwa On January - 14 - 2010

This entry is part 7 of 7 in the series Secfox


Secfox – Addons for Cookie Analysis And Manipulation

Posted by rajivvishwa On December - 17 - 2009

This entry is part 6 of 7 in the series Secfox


Secfox – GroundSpeed, Client Side Data Manipulation From Sidebar

Posted by rajivvishwa On December - 15 - 2009

This entry is part 5 of 7 in the series Secfox


Pendule – WebDeveloper Equivalent In Chrome For Security Analysts

Posted by rajivvishwa On February - 12 - 2010

Chrome is becoming popular among developers because of its extended support for upcoming web technologies. If those features help developers dissect and analyse the newest web applications, they can help security analysts just as well. Firefox became popular with security people largely because of addons such as Web Developer and Firebug, which aid them during security assessments.

The Pendule extension is an attempt to reproduce the features of the Web Developer addon for Firefox in Chrome. It does not yet support everything Web Developer offers, but more features are expected soon.

Pendule Chrome Extension

Features

1. Form Manipulations

  • Show passwords – shows the contents of password fields.
  • Select tags to text inputs – converts select elements to text inputs.
  • Remove maxlength – removes maxlength restrictions from inputs.
  • Clear radio buttons – clears all radio buttons.

2. View Javascripts

3. Show Image Paths Inline

Download Pendule: Download


Free Web Vulnerability Assessment Tool – CAT

Posted by rajivvishwa On January - 27 - 2010

It is rare to find a good and effective web application security assessment tool, and almost impossible if you want it for free. After a long hunt I found one: CAT, the Context App Tool. Although free, it offers a good GUI and powerful features on top of the basics that come with every proxy.

Features

There are a number of features which CAT has to enable a wide variety of testing to be conducted:

  • Request Repeater – Used for repeating a single request
  • Proxy – Classic Inline proxy
  • Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
  • Log – View a list of requests to sort, search, repeat etc. Allows a sequence of requests to be repeated and modified.
  • Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
  • SSL Checker – Request a specific page with various SSL ciphers and versions.
  • Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
  • Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer’s rendering engine.

Reasons to use CAT

There are a number of differences between CAT and currently available web proxies. Some key differences are:

  • Uses Internet Explorer’s rendering engine for accurate HTML representation
  • Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
  • Integrated SQL Injection and XSS Detection
  • Synchronised Proxies for Authentication and Authorisation checking
  • Faster due to HTTP connection caching
  • SSL Version and Cipher checker using OpenSSL
  • Greater flexibility for importing/exporting logs and saving projects
  • Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
  • The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
  • Free!


HTML Purifier is a standards-compliant HTML filter library written in PHP. It removes malicious markup (in particular XSS payloads) by rebuilding the input against a thoroughly audited, secure yet permissive whitelist of elements and attributes, rather than by trying to blacklist known-bad patterns.

HTML Comparison Chart

Quick Install

<?php
    // Load HTML Purifier through the autoloader it ships with
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

    // Default configuration: whitelist-based filtering is already on
    $purifier = new HTMLPurifier();

    // $dirty_html is the untrusted input (e.g. a user-submitted comment);
    // the returned string is safe to embed in the page
    $clean_html = $purifier->purify($dirty_html);
?>

View Before-After XSS Filtering

View Demo: HTML Purifier

Download HTML Purifier : Download (More Info at: http://htmlpurifier.org/)



Translate any page on the fly with a single click using a simple bookmarklet. The whole page is translated in place, without a reload, in real time. Best of all, 'Automatic Language Detection' is enabled by default, so all you have to do is click the Translate button in the 'Google Translate' bar that appears after opening the bookmarklet.


Click on Translate and notice that the translation progress is displayed

Real Time Translation - In Progress


Subscribe to SecFox – Firefox Addon Collections

Posted by rajivvishwa On January - 14 - 2010

Stay updated with the addons discussed in the SecFox series, the most popular section of this blog, by subscribing to the SecFox addon collection on the Mozilla addons site.

SecFox is a collection of addons that turn any Firefox into a security assessment tool. At the time of writing the collection has 40+ addons that help web app sec testers during their assessments.


Secfox – Addons for Cookie Analysis And Manipulation

Posted by rajivvishwa On December - 17 - 2009

This entry is part 6 of 7 in the series Secfox

In this part of the Secfox series we discuss the addons that help during application security assessments involving cookie analysis and manipulation.

These addons can be of huge help when we perform the type of tests mentioned below.

  • Cookie Prediction
  • Session Fixation
  • Cookie Persistence/Expiration
  • Broken Session Management

Traditional Method

We use an intercepting proxy such as Paros, Burp or WebScarab to trap HTTP requests and modify values in transit. For this to work we configure the browser to send its traffic through the proxy, and, if the application uses SSL, we additionally import the proxy's own CA certificate into the browser so that the site certificates it forges are trusted. With the request intercepted we can add new cookies or modify existing ones, and we can observe exactly when cookie values are issued and whether they are invalidated when the session expires.
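Once the cookies are in hand, whether from a proxy log or from an addon, the checks listed above are mechanical. As an added example that is not part of this post and not code from any addon discussed here, the JavaScript below parses Set-Cookie headers and reports their persistence/expiration and transport attributes, estimates how predictable a batch of session IDs is, and performs the session fixation comparison. The headers and IDs it runs against are constructed for the example; the 64-bit entropy threshold follows the OWASP session management guidance.

```javascript
// Cookie audit helpers: added example, not part of the original post and not
// code from the View Cookies or Add N Edit Cookies addons. The Set-Cookie
// headers and session IDs below are constructed for the example.

// Parse one Set-Cookie header value into its name/value and security attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');        // split on the first '=' only: values may contain '='
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, persistent: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'expires' || key === 'max-age') cookie.persistent = true; // outlives the browser session
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Persistence/expiration and transport checks for the cookie that carries the session.
function auditSessionCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push('no Secure flag: cookie is sent over plain HTTP');
  if (!cookie.httpOnly) findings.push('no HttpOnly flag: cookie is readable by script (XSS)');
  if (cookie.persistent) findings.push('persistent cookie: session survives closing the browser');
  if (!cookie.sameSite) findings.push('no SameSite attribute: cookie rides along on cross-site requests');
  return findings;
}

// Cookie prediction: estimate entropy from length and character set, and look for
// counter-like steps across IDs captured in the order they were issued.
function predictabilityReport(ids) {
  if (ids.length === 0) return { estimatedBits: 0, sequential: false, findings: ['no IDs'] };
  const allHex = ids.every(v => /^[0-9a-f]+$/i.test(v));
  const bitsPerChar = allHex ? 4 : Math.log2(62);   // hex, else assume base62-ish (an upper bound)
  const minLen = Math.min(...ids.map(v => v.length));
  const estimatedBits = Math.floor(minLen * bitsPerChar);
  let sequential = false;
  if (allHex && ids.length >= 3) {
    const nums = ids.map(v => BigInt('0x' + v));
    const deltas = nums.slice(1).map((n, i) => n - nums[i]);
    sequential = deltas.every(d => d > 0n && d < 4096n); // small positive steps: a counter, not randomness
  }
  const findings = [];
  if (estimatedBits < 64) findings.push(`only ~${estimatedBits} bits of entropy (OWASP asks for at least 64)`);
  if (sequential) findings.push('IDs increase by small steps: the next one is predictable');
  return { estimatedBits, sequential, findings };
}

// Session fixation: the ID handed out before authentication must not survive login.
function fixationCheck(preLoginId, postLoginId) {
  return preLoginId === postLoginId ? ['session ID not rotated at login: fixation possible'] : [];
}

// Constructed sample data (not captured from any real application).
const SAMPLE_HEADERS = [
  'JSESSIONID=3e8; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
  'csrftoken=Zm9vPWJhcg==; Path=/; Secure; HttpOnly; SameSite=Strict',
];
const SEQUENTIAL_IDS = ['3e8', '3e9', '3ea', '3eb'];
const RANDOM_IDS = [
  '9f2c1b7e4a6d0c3b8e5f7a1d2c4b6e8f',
  'c0ffee00deadbeef1234567890abcdef',
  '0123456789abcdeffedcba9876543210',
];

// Run every check over the sample data and return the combined report.
function runAudit() {
  return {
    cookies: SAMPLE_HEADERS.map(h => {
      const c = parseSetCookie(h);
      return { name: c.name, findings: auditSessionCookie(c) };
    }),
    sequential: predictabilityReport(SEQUENTIAL_IDS),
    random: predictabilityReport(RANDOM_IDS),
    fixation: fixationCheck('3e8', '3e8'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

The entropy estimate is only an upper bound (a 32-character hex ID generated from a 16-bit seed still scores 128 bits), which is why the sequential-step check on a batch of IDs collected in order matters more than the length check: a counter-like session ID can be guessed regardless of how long it looks.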

Usage of Addons

Several Firefox addons make the tasks above easier: some let us view the cookies stored in the browser, others let us edit them. The advantage is that no proxy is needed; everything is viewed and edited from the browser itself.

View Cookies

This addon adds a tab in the ‘Page Info’ box available on the Firefox context menu.

View Cookies Addon

Download Link: Download


Add N Edit Cookies

This addon integrates a cookie editor into Firefox and also lets us edit the attributes of a cookie (such as domain, path and expiry), not just its value.

Add n Edit Cookies Addon

Download Link: Download


Secfox – GroundSpeed, Client Side Data Manipulation From Sidebar

Posted by rajivvishwa On December - 15 - 2009

This entry is part 5 of 7 in the series Secfox

Pen testers rely heavily on a web proxy to manipulate the HTTP requests a browser creates before they reach the web server. This lets us verify whether server-side validation is absent or whether the client-side validation is flawed. If you use Firefox for web application security assessments, count yourself lucky: there is a cool extension, 'GroundSpeed', that does exactly this from inside the browser.

I don't want to say much about how it works, since the author has a nice write-up on the GroundSpeed homepage.

“Groundspeed is an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. It allows security testers to manipulate the way they interact with the web application’s user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls.

Some of the practical uses of Groundspeed include changing the types of form fields, like for example changing hidden fields into text fields, removing size and length limitations on input fields and modifying any JavaScript event handlers to bypass client side validation.

Groundspeed works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application.”
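The kind of DOM manipulation that Pendule's form features and the Groundspeed description above both rely on, as an added example that is not code from either extension: a function that, run from the browser's developer console as liberateForms(document), reveals password fields, exposes hidden inputs, clears radio buttons, lifts maxlength limits, swaps select elements for free-text inputs and strips inline on* validation handlers. The FakeElement and FakeDocument classes and sampleDocument() are a constructed stand-in for the handful of DOM calls the function uses, so that it can also be exercised outside a browser; on a real page they are not needed.

```javascript
// DOM "liberation" helper: added example, not code from Pendule or Groundspeed.
// In a browser, run liberateForms(document) from the devtools console; the
// FakeDocument further down is a constructed stand-in so the function can be
// exercised offline.

function liberateForms(doc) {
  const stats = { passwords: 0, hidden: 0, radios: 0, maxlength: 0, selects: 0, handlers: 0 };

  // Form manipulations: reveal passwords, expose hidden fields, clear radios, lift maxlength.
  for (const el of doc.querySelectorAll('input')) {
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    if (type === 'password') { el.setAttribute('type', 'text'); stats.passwords++; }
    else if (type === 'hidden') { el.setAttribute('type', 'text'); stats.hidden++; }
    else if (type === 'radio' && el.checked) { el.checked = false; stats.radios++; }
    if (el.hasAttribute('maxlength')) { el.removeAttribute('maxlength'); stats.maxlength++; }
  }

  // A <select> restricts the user to the listed options; a text input submits anything.
  for (const sel of doc.querySelectorAll('select')) {
    const input = doc.createElement('input');
    input.setAttribute('type', 'text');
    input.name = sel.name;     // keep the parameter name the server expects
    input.value = sel.value;   // start from the currently selected value
    sel.parentNode.replaceChild(input, sel);
    stats.selects++;
  }

  // Client-side validation lives in on* handlers (onsubmit, onkeypress, ...): drop them.
  for (const el of doc.querySelectorAll('form, input, select, textarea, button')) {
    for (const attr of Array.from(el.attributes)) {
      if (/^on/i.test(attr.name)) { el.removeAttribute(attr.name); stats.handlers++; }
    }
  }
  return stats;
}

// Constructed stand-in for the pieces of the DOM API used above (not a real DOM).
class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName.toUpperCase();
    this.attrs = new Map(Object.entries(attrs));
    this.checked = 'checked' in attrs;
    this.parentNode = null;
  }
  get attributes() { return [...this.attrs].map(([name, value]) => ({ name, value })); }
  get type() { return this.attrs.get('type') || 'text'; }
  get name() { return this.attrs.get('name') || ''; }
  set name(v) { this.attrs.set('name', v); }
  get value() { return this.attrs.get('value') || ''; }
  set value(v) { this.attrs.set('value', v); }
  hasAttribute(n) { return this.attrs.has(n); }
  getAttribute(n) { return this.attrs.has(n) ? this.attrs.get(n) : null; }
  setAttribute(n, v) { this.attrs.set(n, String(v)); }
  removeAttribute(n) { this.attrs.delete(n); }
}

class FakeDocument {
  constructor() { this.nodes = []; }
  createElement(tag) { return new FakeElement(tag); }
  append(el) { el.parentNode = this; this.nodes.push(el); return this; }
  replaceChild(fresh, old) { this.nodes[this.nodes.indexOf(old)] = fresh; fresh.parentNode = this; }
  querySelectorAll(selector) {   // tag-name selectors only, enough for this example
    const tags = selector.split(',').map(s => s.trim().toUpperCase());
    return this.nodes.filter(n => tags.includes(n.tagName));
  }
}

// Constructed sample page: a form carrying the usual client-side restrictions.
function sampleDocument() {
  return new FakeDocument()
    .append(new FakeElement('form', { onsubmit: 'return validateOrder(this)' }))
    .append(new FakeElement('input', { type: 'password', name: 'pw', value: 'hunter2', maxlength: '12' }))
    .append(new FakeElement('input', { type: 'hidden', name: 'price', value: '99.00' }))
    .append(new FakeElement('input', { type: 'radio', name: 'plan', value: 'basic', checked: '' }))
    .append(new FakeElement('select', { name: 'role', value: 'user' }))
    .append(new FakeElement('input', { type: 'text', name: 'qty', maxlength: '3', onkeypress: 'return digitsOnly(event)' }));
}
```

Because the page is only modified client-side after it has rendered, the server never sees the change; what it sees is the next request, built from the liberated form. Anything it then accepts (a changed hidden price, a role outside the select's options, an over-length field) is a missing server-side check, which is exactly what both extensions exist to expose.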


Indian Income Tax Phishing Site

Posted by rajivvishwa On October - 19 - 2009

Today I received a mail from the sender 'India Tax Departament' saying that I am yet to receive a tax refund. Since I received it in my Gmail account, the images weren't displayed by default. The first thing I did was check the sender's email id, which was 'wnrlky@aol.com'. I can assume this id has long been used for phishing attacks (the id resembles 'winnerlucky').

India Income Tax Phishing Mail

Then I enabled the images to check whether any government emblems had been embedded. To my surprise it said 'Australian Government' :D. Maybe this was not targeted at Indians first. Having understood that this was a fraud mail, I wanted to read the entire mail and find the URL of interest.


Web AppSec Testing Checklist (OWASP Based)

Posted by rajivvishwa On October - 16 - 2009

Web AppSec Testing Checklist is an Excel-based checklist that helps you track the status of completed and pending test cases. It organizes the flow of your testing process and ensures that none of the test cases are missed.

WebApp Sec Checklist

This checklist is based entirely on the OWASP Testing Guide v3. The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations, and a "low level" penetration testing guide that describes techniques for testing the most common web application and web service security issues.


Amazing Simplistic Online Sketch Pad

Posted by rajivvishwa On September - 21 - 2009

Odosketch is an online sketchpad that does not clutter your work area with too many things, yet gives you enough to create a mind-blowing work of art.

Odosketch a4apphack Sample

Using Odosketch couldn't be easier: select the crayon type and colour you want and start sketching. Once done, the sketch can be saved and shared with other Odosketch artists, and retrieved from your profile later for further enhancement.
