This post covers the process of extracting the APK file of any app available in the market and then decompiling it to Java source. This can be helpful for those who perform code review (for security vulnerabilities) on apps whose source code is not available. Once the Java source code is obtained, we can either do a manual code review or run any free/commercial automated code scanner.
Free Web Vulnerability Assessment Tool – CAT
It's very rare to find a good and effective web application security assessment tool, and it would be almost impossible if you want it for free. After a long hunt, I found one: CAT – Context App Tool. Although it's free, it offers a good GUI and powerful features along with the basic ones which come with every proxy available.
Features
There are a number of features which CAT has to enable a wide variety of testing to be conducted:
- Request Repeater – Used for repeating a single request
- Proxy – Classic Inline proxy
- Fuzzer – Allows a batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing, etc.
- Log – View a list of requests to sort, search, repeat, etc. Allows for a sequence of requests to be repeated and modified.
- Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
- SSL Checker – Request a specific page with various SSL ciphers and versions.
- Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
- Web Browser – An integrated web browser with the proxy pre-configured, based on Internet Explorer’s rendering engine.
Reasons to use CAT
There are a number of differences between CAT and currently available web proxies. Some key differences are:
- Uses Internet Explorer’s rendering engine for accurate HTML representation
- Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
- Integrated SQL Injection and XSS Detection
- Synchronised Proxies for Authentication and Authorisation checking
- Faster due to HTTP connection caching
- SSL Version and Cipher checker using OpenSSL
- Greater flexibility for importing/exporting logs and saving projects
- Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
- The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
- Free!
SecFox – XSSMe, Automated XSS Detection in Firefox
In this part of the SecFox series, detection of XSS vulnerabilities with Firefox is explained. Here, we talk about the XSSMe add-on, which can be used to automate the tests for XSS, thereby saving our precious time.
“The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system” – Security Compass
Quickly Create and Compile Batch Files With Portable BatchRun
Windows batch files can be used to automate or run a sequence of operations. This includes starting multiple applications when Windows starts up, clearing the temp folder when a shortcut key is pressed, ending certain unwanted processes, etc.
Defrag Effectively And Efficiently With SmartDefrag
I always hate to use the stock defrag tool which comes bundled with Windows, for a couple of reasons: 1. It takes a hell of a lot of time to complete the process, and 2. It eats up all of my RAM, so that my PC will be dead for some time. I’m sure that many have faced the same problem, and one good solution that I can suggest is to use a third-party, free defragmentation tool. After a long search I found one, and that is SmartDefrag.
SmartDefrag is one of the best free and award-winning defrag tools available in the market.
AppKeys – Suite of Simple Utilities With AHK
AppKeys is a suite of applications built on the AHK scripting language which can be invoked using various keyboard shortcuts. The shortcuts can be modified by editing the AHK scripts. Running this AHK file consumes very little memory and runs each command almost instantaneously. This suite of apps replaces dozens of applications which would otherwise need to be installed to do the same operations.
SecFox – Hackbar, Audit / Penetration Test Tool in Firefox
Hackbar is a tiny toolbar in Firefox with features to aid in application pen-testing. This can be used to perform our security tests quickly and effectively.

Portable Movie Database Which Automatically Fetches Movie Details From IMDB
Personal Video Database is a powerful utility for managing your favorite movie collections on your PC. Information related to a movie is automatically downloaded from sites like IMDB or Yahoo Movies and stored in the database, so that it can be viewed offline anytime.
3 Ways to Find Broken Links In Your Websites
It's very important to ensure that all the pages you have linked in your site are reachable. But it's impossible to manually crawl each page, check the status of the links and update them accordingly.
In this post I’m listing 3 types of broken link checkers and their features: a portable one, a WordPress plugin and an online app. Read this article, choose your link checker and do mention it in the comments.
1. Portable Tool – Xenu’s Link Sleuth
Xenu’s Link Sleuth is a free tool which can be used to verify the status of the links in your site. This tool is a must-have for any webmaster/blogger who uses a good number of external/internal links in their sites.
FileReplicator – Searches and Replaces Multiple Files
FileReplicator is a handy tool for developers who keep multiple copies of files in different folders, update a single file and want to update all of them in a single stroke. This can help in updating a particular folder with a new set of files without having to search for the older ones manually. This simple tool can be very helpful and save a good amount of time if you frequently update files and want to maintain consistency all over.











