Extract Android apk from Market and Decompile it to Java Source

Posted by rajivvishwa On April - 20 - 2011

This post covers the process of extracting the APK file of any app available in the Market and then decompiling it to Java source. This can be helpful for those who perform code review (for security vulnerabilities) on apps whose source code is not available. Once the Java source code is obtained, we can either do a manual code review or run free or commercial automated code scanners.

Unzip, Preview and Scan Compressed Files Online

Posted by rajivvishwa On September - 1 - 2010

WobZIP is a free online tool that lets you uncompress your files online. It displays the list of files in the zip file and lets you download only the files you need from the archive. If you get hold of a suspicious zip file, instead of downloading it to your PC and extracting it to view the contents, you can enter the file URL in WobZIP to ensure that it's free from any executables. It also has an antivirus scanner which scans the files in the zip on the fly during decompression.


Google's Skipfish – Web App Security Scanner

Posted by rajivvishwa On April - 5 - 2010

Skipfish prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in a terminal window to install and run Skipfish. Replace OUTPUT_FOLDER and TARGETSITE with the domain name and the target’s URL respectively. Also change the wget URL, and the archive name passed to tar, to match the latest version of Skipfish available for download.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.29b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

I installed Skipfish and ran it on the target site; specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 MBPS

Skipfish displays the scan statistics continuously during the run. Once the scan is complete, we get to see the scan summary (shown in the screenshot below).

[Screenshot: Skipfish console]

Websecurify – Free Web Application Vulnerability Scanner

Posted by rajivvishwa On April - 2 - 2010

Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. This tool automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.

Websecurify is available for the major OS platforms – Windows, Mac and Linux. It's even available as a Chrome extension.

Post Updated:

  • Target site that requires authentication
  • Info on Chrome Plugin


3D TraceRoute – The Super Networking Tools Bundle

Posted by rajivvishwa On September - 19 - 2009

3D TraceRoute is an all-in-one networking tool which has traceroute, whois, ping, nslookup, a server header analyser, a port scanner, a telnet client and a hell of a lot of other tools bundled together in a single package.

This is a free portable tool and can run on almost any Windows operating system (a commercial Pro version with enhanced features is also available).

Here I’ve documented a few of the main features of the free version of this tool; download and experiment with 3D TraceRoute to get the complete picture.

Note: This article is targeted at readers who have a basic understanding of, or experience with, various networking tools.

Track Changes While Installing Software

Posted by rajivvishwa On March - 23 - 2009

Software that was temporarily installed for testing leaves traces on our PC after it is uninstalled, either as registry modifications or as flat files in the OS folders. These unwanted files consume disk space and might ultimately slow down our PC. WhatChanged is a tiny tool that is a must-have for people who install and uninstall software frequently.