Archive for January, 2010

Free Web Vulnerability Assessment Tool – CAT

Posted by rajivvishwa on January 27, 2010

It is very rare to find a good, effective web application security assessment tool, and almost impossible if you want it for free. After a long hunt I found one: CAT (Context App Tool). Although it is free, it offers a good GUI and powerful features along with the basics that come with every proxy.

Features

There are a number of features which CAT has to enable a wide variety of testing to be conducted:

  • Request Repeater – Used for repeating a single request
  • Proxy – Classic Inline proxy
  • Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
  • Log – View a list of requests to sort, search, repeat etc. Allows a sequence of requests to be repeated and modified.
  • Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
  • SSL Checker – Request a specific page with various SSL ciphers and versions.
  • Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
  • Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer’s rendering engine.

Reasons to use CAT

There are a number of differences between CAT and currently available web proxies. Some key differences are:

  • Uses Internet Explorer’s rendering engine for accurate HTML representation
  • Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
  • Integrated SQL Injection and XSS Detection
  • Synchronised Proxies for Authentication and Authorisation checking
  • Faster due to HTTP connection caching
  • SSL Version and Cipher checker using OpenSSL
  • Greater flexibility for importing/exporting logs and saving projects
  • Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
  • The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
  • Free!

HTML Purifier – Malicious Input Filtering (XSS Protection)

Posted by rajivvishwa on January 27, 2010

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will remove all malicious code (efficient filtering of XSS scripts) with a thoroughly audited, secure yet permissive whitelist.

HTML Comparison Chart

Quick Install

<?php
    // Load the HTML Purifier autoloader (adjust the path to your install).
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

    // Untrusted HTML, e.g. from a form field; constructed sample value.
    $dirty_html = '<b>hi</b><script>alert(1)</script>';

    // Default configuration: a permissive whitelist of safe HTML.
    $purifier = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
?>
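Beyond the default configuration, the whitelist can be narrowed to exactly the markup a feature needs. The following is an added example, not code from the original post or the HTML Purifier project; the helper name make_comment_purifier, the install path and the hostile sample input are assumptions for illustration.

```php
<?php
// Added example: a purifier configured for user comments with a tight whitelist.
// Assumes HTML Purifier is installed at the path below (adjust to your install).
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

// Hypothetical helper: builds a purifier whose whitelist allows only comment markup.
function make_comment_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Elements and attributes that survive; anything else (script, style,
    // on* event handlers, iframe, object) is stripped rather than escaped.
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,ul,ol,li,a[href],img[src|alt]');
    // Only http/https URIs are accepted in href/src; javascript: and data: are dropped.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    // Add rel="nofollow" to outbound links so comment spam earns no search ranking.
    $config->set('HTML.Nofollow', true);
    // Skip the on-disk definition cache so this runs without a writable cache directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed hostile input exercising the common XSS vectors the whitelist must remove.
$dirty_html = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">link</a>'
    . '<a href="https://example.com/">ok</a>'
    . '<img src="x" onerror="alert(1)" alt="x">';

$purifier = make_comment_purifier();
$clean_html = $purifier->purify($dirty_html);

// The event handlers, the script element and the javascript: href are gone;
// the https link and the plain img (with its alt) remain.
echo $clean_html, PHP_EOL;
?>
```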

View Before-After XSS Filtering

View Demo: HTML Purifier

Download HTML Purifier: Download (more info at: http://htmlpurifier.org/)


Translate Any Page in Real Time With Google Translate Bookmarklet

Posted by rajivvishwa on January 23, 2010

Translate any page on the fly in a single click using a simple bookmarklet. The entire page is translated without needing a reload, and it happens in real time. The best part is that ‘Automatic Language Detection’ is enabled by default, so all you have to do is click the Translate button in the ‘Google Translate’ bar displayed after opening the bookmarklet.


Click on Translate and notice that the translation progress is displayed.

Real Time Translation - In Progress

Subscribe to SecFox – Firefox Addon Collections

Posted by rajivvishwa on January 14, 2010

This entry is part 5 of 5 in the SecFox series

Stay updated with the addons discussed in the SecFox series, the most popular section of this blog. To do so, subscribe to the SecFox addon collection on the Mozilla addons site.

SecFox is a collection of addons that turns any Firefox into a security assessment tool. At the time of writing, the collection has 40+ addons that can help web app sec testers during their assessments.
