WEB Crawler

WEB Crawler was designed to be fast, accurate, stable, completely parametrable and the use of advanced techniques to extract links from Javascript and HTML Tags. It works with parametrable timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rules parameters to prevent infinitive loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters). It is also possible to apply custom headers (user agent, cookies etc) and Include/Exclude Filters. WEB Crawler come with an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.

WEB Bruteforcer

WEB Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. It is also multi-threaded and completely parametrable for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).
By default, it will brute force from root / base dir recursively for both files and directories. It sends both HEAD and GET requests when it needs it (HEAD to identify if the file/dir exists and then GET to retrieve the full response).

WEB Fuzzer

WEB Fuzzer is a more advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such (blind) SQL Inections and more unsual ways such identifing improper input handling, firewall/filtering rules, DOS Attacks.

WEB Editor

A simple WEB Editor to send individual requests. It also contains a HEX Editor for more advanced requests.

WEB Proxy

WEB Proxy is a proxy server running locally and will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or other application which support proxies.

You can download WebSurgery here:

Setup – setup.msi
Portable – websurgery.zip

Or read more here.

For those who are not aware, Arachni is a fully automated system which tries to enforce the fire and forget principle. As soon as a scan is started it will not bother you for anything nor require further user interaction. Upon completion, the scan results will be saved in a file which you can later convert to several different formats (HTML, Plain Text, XML, etc.)

The project was initially started as an educational exercise though it has since evolved into a powerful and modular framework allowing for fast, accurate and flexible security/vulnerability assessments..

More than that, Arachni is highly extend-able allowing for anyone to improve upon it by adding custom components and tailoring most aspects to meet most needs.

The author notified us of a major new release (v0.3) which has some great new features, a few of those being:

• A new custom-written, lightweight Spider
• Add-on support for the WebUI
  • Scan scheduler
  • AutoDeploy — Convert any SSH enabled Linux box into a Dispatcher
• Improved accuracy of differential analysis audits
• Improved accuracy of timing attack audits
• Highly optimized timing attacks

If you are interested in the WebUI aspect you can check out some screenshots here, the more comprehensive ChangeLog is also available here.

For those of you into benchmarking and testing you might be interested to know that during a recent test Arachni was the only (from a long list of commercial and F/OSS systems) that hit 100% on both XSS and SQLi tests in the WAVSEP benchmark:

Commercial Web Application Scanner Benchmark

The author is doing a great job with this tool and rapidly closing the gap between free security scanners and the very expensive commercial options. If you do have any feedback on Arachni v0.3 drop a comment here or hit up the Arachni Google Group.

You can download Arachni v0.3 here:

arachni-v0.3-cde.tar.gz

Or read more here.

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!

New Features

• The ability to compare site maps
• Functions to help with testing access controls using your browser
• Support for preset request macros
• Session handling rules to help you work with difficult situations
• In-browser rendering of responses from all Burp tools
• Auto recognition and rendering of character sets
• Support for upstream SOCKS proxies
• Headless mode for unattended scripted usage
• Support for more types of redirection
• Support for NTLMv2 and IPv6
• Numerous enhancements to Burp’s extensibility
• Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:

burpsuite_v1.4.zip

Or read more here.

Sahi is an automation tool to test web applications. Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.

Sahi is a tester friendly tool. It abstracts out most difficulties that testers face while automating web applications. Some salient features include excellent recorder, platform and browser independence, no XPaths, no waits, multi-threaded playback, excellent Java interaction and inbuilt reporting.

Features

• Browser and Operating System independent
• Powerful recorder which works across browsers
• Powerful Object Spy
• Intuitive and simple APIs
• Javascript based scripts for good programming control
• Version Controllable text-based scripts
• In-built reports
• In-built multi-threaded or parallel playback of tests
• Tests do not need the browser window to be in focus
• Command line and ant support for integration into build processes
• Supports external proxy, HTTPS, 401 & NTLM authentications
• Supports browser popups and modal dialogs
• Supports AJAX and highly dynamic web applications
• Scripts very robust
• Works on applications with random auto-generated ids
• Very lightweight and scalable
• Supports data-driven testing. Can connect to database, Excel or CSV file.
• Ability to invoke any Java library from scripts

Limitations

• Framesets/pages with frames/iframes loading pages from multiple domains is not supported. Sahi cannot handle pages which have other pages from different domains embedded in them using iframes or frames. So you cannot have a page from google.com having an iframe with a page from yahoo.com. Note that this is not the same as switching between domains, where you navigate from a google.com page to a yahoo.com page, which will work in Sahi.
• File upload field will not be populated on browsers for javascript verification. File upload itself works fine

You can download SAHI here:

sahi_20100302.zip

Or read more here.

Groundspeed is an open-source Firefox extension for web application security testers presented at the OWASP AppSec DC 2009. It allows you to manipulate the web application’s user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration test.

What can I do with Groundspeed?

Groundspeed allows you to modify the forms and form elements loaded in the page. Some practical uses include:

• Changing the types of form fields, for example you can change hidden fields into text fields so you can easily edit their contents.
• Quickly removing size and length limitations on text fields so you have more space to type your attack strings.
• Changing form target so the form submits in another tab.
• Removing or editing the JavaScript event handlers to bypass client side validation.

You can install Groundspeed here:

https://addons.mozilla.org/en-US/firefox/addon/46698/

Or read more here.

SPIKE Proxy is part of the SPIKE Application Testing Suite, It functions as an HTTP and HTTPS proxy, and allows the web developer or web application auditor low level access to the entire web application interface, while also providing a bevy of automated tools and techniques for discovering common problems. These automated tools include:

• Automated SQL Injection Detection
• Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
• Login form brute forcing
• Automated overflow detection
• Automated directory traversal detection

Not all web applications are built in the same ways, and hence, many must be analyzed individually. SPIKE Proxy is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it’s completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.

Note: that SPIKE Proxy requires a working install of Python and pyOpenSSL on Linux. This is included in the Windows distribution.

SPIKE is a fairly mature tool having been around since about 2003, we at Darknet use Spike Proxy along with the Burp Suite for web application security analysis.

You can download SPIKE here:

Download for Linux | Download for Windows

Limited information can be found here:

Immunity Free Software