WEB Crawler

WEB Crawler was designed to be fast, accurate, stable, completely parametrable and the use of advanced techniques to extract links from Javascript and HTML Tags. It works with parametrable timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rules parameters to prevent infinitive loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters). It is also possible to apply custom headers (user agent, cookies etc) and Include/Exclude Filters. WEB Crawler come with an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.

WEB Bruteforcer

WEB Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. It is also multi-threaded and completely parametrable for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).
By default, it will brute force from root / base dir recursively for both files and directories. It sends both HEAD and GET requests when it needs it (HEAD to identify if the file/dir exists and then GET to retrieve the full response).

WEB Fuzzer

WEB Fuzzer is a more advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such (blind) SQL Inections and more unsual ways such identifing improper input handling, firewall/filtering rules, DOS Attacks.

WEB Editor

A simple WEB Editor to send individual requests. It also contains a HEX Editor for more advanced requests.

WEB Proxy

WEB Proxy is a proxy server running locally and will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or other application which support proxies.

You can download WebSurgery here:

Setup – setup.msi
Portable – websurgery.zip

Or read more here.

For those who are not aware, Arachni is a fully automated system which tries to enforce the fire and forget principle. As soon as a scan is started it will not bother you for anything nor require further user interaction. Upon completion, the scan results will be saved in a file which you can later convert to several different formats (HTML, Plain Text, XML, etc.)

The project was initially started as an educational exercise though it has since evolved into a powerful and modular framework allowing for fast, accurate and flexible security/vulnerability assessments..

More than that, Arachni is highly extend-able allowing for anyone to improve upon it by adding custom components and tailoring most aspects to meet most needs.

The author notified us of a major new release (v0.3) which has some great new features, a few of those being:

• A new custom-written, lightweight Spider
• Add-on support for the WebUI
  • Scan scheduler
  • AutoDeploy — Convert any SSH enabled Linux box into a Dispatcher
• Improved accuracy of differential analysis audits
• Improved accuracy of timing attack audits
• Highly optimized timing attacks

If you are interested in the WebUI aspect you can check out some screenshots here, the more comprehensive ChangeLog is also available here.

For those of you into benchmarking and testing you might be interested to know that during a recent test Arachni was the only (from a long list of commercial and F/OSS systems) that hit 100% on both XSS and SQLi tests in the WAVSEP benchmark:

Commercial Web Application Scanner Benchmark

The author is doing a great job with this tool and rapidly closing the gap between free security scanners and the very expensive commercial options. If you do have any feedback on Arachni v0.3 drop a comment here or hit up the Arachni Google Group.

You can download Arachni v0.3 here:

arachni-v0.3-cde.tar.gz

Or read more here.

The penetration testing platform is the only one of its kind. Websecurify is in effect built on the top of a browser and can understand all modern web technologies including upcoming web standards and current technologies such as HTML5.

Main Features

• Available for all major platforms (Windows, Mac OS, Linux)
• Simple to use user interface
• Builtin internationalization support
• Easily extensible with the help of add-ons and plugins
• Exportable and customisable reports with any level of detail
• Moduler and reusable design
• Powerful manual testing tools and helper facilities
• Team sharing support
• Powerful analytical and scanning technology
• Built-in service and support integration
• Scriptable support for JavaScript and Python
• Extensible via many languages including JavaScript, Python, C, C++ and Java

Websecurify uses several key technologies combined together to achieve the best possible result when performing automatic and manual tests. At the core of the platform sits a Web Browser. This allows Websecurify to gain a fine-grained control over the targeted web application and as such detect vulnerabilities that are difficult to find with other tools.

The carefully engineered user interface is simple to use but powerful. All tools and platform features are integrated with each other. This allows smooth transition from one type of task to another and it also makes it easier to work with the complex flow of data, gathered during the penetration test.

You can download Websecurify here:

Windows: Websecurify%200.8.exe
Mac: Websecurify%200.8.dmg
Linux: Websecurify%200.8.tgz

Or you can read more here.

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Main Features

• Intercepting Proxy
• Automated scanner
• Passive scanner
• Brute Force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL certificates
• API
• Beanshell integration

What’s New?

A new version has been released, v1.3.0, the release adds the following main features:

• Fuzzing, using the JBroFuzz library
• Dynamic SSL Certificates
• Daemon mode and API
• BeanShell integration
• Full internationalization
• Out of the box support for 10 languages

You can download ZAP v1.3.0 here:

Windows Installer – ZAP_1.3.0_Windows.exe
Linux Installer – ZAP_1.3.0_Linux.tar.gz
Mac OSX Installer – ZAP_1.3.0_Mac_OS_X.zip

Or read more here.

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

A number of commercial and open source tools with analogous functionality is readily available (e.g., Nikto, Websecurify, Netsparker, w3af, Arachni); stick to the one that suits you best. That said, skipfish tries to address some of the common problems associated with web security scanners.

Specific advantages include:

• High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
• Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
• Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

Some users had a problem getting it running, it does have a dependency – assuming you are on a Debian based distro, all you need to do is:

apt-get install libidn11

The minum syntax required to run the tool would be:

./skipfish -o /home/youruser -W dictionaries/standard.wl http://yoursite.com

That should be enough to get you started!

It’s a pretty powerful tool and likely to pick up issues that Nessus or Nikto might miss.

You can download Skipfish 1.94b here:

skipfish-1.94b.tgz

Or read more here.

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!

New Features

• The ability to compare site maps
• Functions to help with testing access controls using your browser
• Support for preset request macros
• Session handling rules to help you work with difficult situations
• In-browser rendering of responses from all Burp tools
• Auto recognition and rendering of character sets
• Support for upstream SOCKS proxies
• Headless mode for unattended scripted usage
• Support for more types of redirection
• Support for NTLMv2 and IPv6
• Numerous enhancements to Burp’s extensibility
• Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:

burpsuite_v1.4.zip

Or read more here.

There are a number of differences between CAT and currently available web proxies. They include:

• CAT uses Internet Explorer’s rendering engine for accurate HTML representation
• It supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
• It offers integrated SQL Injection and XSS Detection
• Synchronised Proxies for Authentication and Authorisation checking
• Faster performance due to HTTP connection caching
• SSL Version and Cipher checker using OpenSSL
• Greater flexibility for importing/exporting logs and saving projects
• Tabbed Interface allows for multiple tools at once e.g. multiple repeaters & different logs
• The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
• It’s free!

Do bear in mind that this is a free tool, but it is NOT Open Source. Also take a good look at the EULA before using it (especially Section 6).

You can download CAT Beta 4 here:

CAT_Beta_4.msi

Or read more here. (Thanks to reader Simon for the heads-up on this.)

Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while traveling through the paths of a web application’s cyclomatic complexity. This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Finally, Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus). Thus, you’ll only be limited by the responsiveness of the server under audit and your available bandwidth.

Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc with the addition of custom modules.

Module, report and plugin writers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals. Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.

Although some parts of the Framework are fairly complex you will never have to deal them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.

There is a new version of Arachni which features numerous optimizations, new modules, new plug-ins and a brand new, although experimental, Web user interface (adding support for distributed deployment, parallel scans and basic report management).

The changelog for this version is extremely long and you can view the full list of changes on the authors blog here – Arachni v0.2.2.1 is out!. You can also view the release changelog here.

All available installation options and usage instructions can be found in the homepage and the GitHub page.

You can watch a screencast of the new WebUI here:

With the new release, there is also the new Arachni Google Group, if you’re hacking or using Arachni and have a related questions you can contact the author and the community here.

You can download Arachni v0.2.2.1 here:

Zapotek-arachni-v0.2.2.1.zip

Or read more here.

How Does It Work?

WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite.

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

WATOBO Advantages

• Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
• Can perform vulnerability checks out of the box.
• Supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
• Smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
• Written in (FX)Ruby and enables you to define your own checks
• Free software ( licensed under the GNU General Public License Version 2)

There is an ‘unofficial’ manual here:

WATOBO – the unofficial manual

And some video tutorials to get you started here.

You can download WATOBO 0.9.5 here:

watobo_0.9.5rev226.zip

Or read more here.

Features

• Intercepting proxy
• Automated scanner
• Passive scanner
• Spider

Next Release

The next release of OWASP ZAP, planned for later this year, is expected to include:

• OWASP rebranding
• Improvements to the passive and active automated scanners
• Improvements the Spider
• The addition a basic port scanner
• The ability to brute force files and directories (using components from DirBuster)

ZAP is actually a fork from Paros Proxy.

You can download ZAP v1.0 here:

Cross Platform – ZAP_1.0.0b_installation.tar.gz
Windows Installer – ZAP_1.0.0_installer.exe

Or read more here.