web security

DotDotPwn is a simple Perl tool which detects several directory traversal vulnerabilities on HTTP/FTP servers. This AttackDB version currently has 871 traversal payloads. The tool was tested against the Kolibri+ WebServer v2.0 and Gefest WebServer v1.0 HTTP servers, giving good results in identifying the right vulnerability strings. Those HTTP servers were vulnerable and the vulnerabilities had been reported on sites such as exploit-db, but those advisories only listed one or two traversal strings, whereas DotDotPwn detected between 10 and 20 different attack strings on the same vulnerable servers.

DotDotPwn: A Tool for Directory Traversal Checking and Scanning!

Features of DotDotPwn:

  • Detects directory traversal vulnerabilities on remote HTTP/FTP server systems.
  • DotDotPwn checks for the presence of boot.ini on the tested systems through the directory traversal vulnerability, so the tested systems are assumed to be Windows-based HTTP/FTP servers.
  • Currently, the traversal database holds 871 attack payloads. Use the -update flag to perform a fresh online update.

Sample usage:

  • HTTP: perl ddpwn.pl -http website.com
  • FTP: perl ddpwn.pl -ftp ftphost.com
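The defender's side of what DotDotPwn probes, as an added example that is not part of the tool or of this post: a Python path resolver that canonicalizes a request path the way a lenient server would (percent-decoding twice so double-encoded sequences are seen, folding backslashes to slashes) and refuses anything that leaves the document root, together with a scan over constructed access-log lines that flags such requests. The document root, the log lines and the function names are assumptions for the example.

```python
import posixpath
import re
import urllib.parse

# Constructed example: document root of the server being protected.
DOC_ROOT = "/var/www/html"

# Matches the client, request path and status in a common-log-format entry.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)

def canonicalize(request_path, rounds=2):
    """Percent-decode up to `rounds` times (so a double-encoded '..%252f' is
    seen as '../') and fold backslashes to '/', as lenient servers do before
    touching the filesystem. The query string is discarded."""
    p = request_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = urllib.parse.unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/")

def resolve_safely(request_path, root=DOC_ROOT):
    """Map a request path onto the filesystem and return the absolute path only
    if it stays under `root`; return None for anything that escapes it."""
    rel = canonicalize(request_path).lstrip("/")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, rel))
    if full == root_norm or full.startswith(root_norm + "/"):
        return full
    return None

def flag_traversals(log_lines):
    """Return (client, path, status) for every log line whose path escapes the
    document root. Entries answered with 200 deserve the most attention: the
    server actually served something for a path outside its root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        if resolve_safely(path) is None:
            hits.append((client, path, int(status)))
    return hits

# Constructed sample log; the paths mimic the kinds of strings a traversal
# scanner sends (plain, URL-encoded, double-encoded, backslash-separated).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2011:10:00:02 +0000] "GET /../../boot.ini HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2011:10:00:03 +0000] "GET /..%5c..%5cboot.ini HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2011:10:00:04 +0000] "GET /..%252f..%252fboot.ini HTTP/1.1" 200 300',
    '10.0.0.5 - - [01/Jan/2011:10:00:05 +0000] "GET /docs/../index.html?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in flag_traversals(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The same resolve_safely check is what a file-serving handler should apply before opening anything: decode first, normalize second, and only then compare against the root, since comparing the raw string would let encoded variants through.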

DotDotPwn is a very useful tool for web application penetration testers who believe in open-source software. As it is Perl based, it can be modified to suit the target environment. Hopefully a nice front end will follow, which would surely make this tool more popular. The directory traversal database of the tool is also very easy to update.

Requirements:
Perl with support for the HTTP::Lite and Net::FTP modules

Download DotDotPwn v1.0 here


WebAppTools is a suite of programs and a knowledge base for analyzing the vulnerabilities of web application and web server implementations and configurations.
The suite is intended for the inventory and security assessment of various (heterogeneous) web applications. The project is built on the WebEngine kernel.

WebAppTools: Tools for web servers and web applications testing.

On the Inventory stage the following information about the web-application is collected:

- HTML objects
- used scripts and applications/applets
- links with other sites
- the information about a hosting and a server
- time characteristics (response time) and the data about productivity of the web application

Information about the web application obtained from indirect sources, such as Whois, Ripe.net, DNS and search sites, is also analyzed. In the Security Estimation stage the following is performed:

- analysis of the web server configuration
- analysis of the application source code (PHP, ASP, JS etc.)
- search for vulnerabilities in the web server software
- analysis of the application's stability under different types of attacks, such as SQL injection, XSS, CSRF, script inclusion, OS commanding etc.
- analysis of the application's stability under DoS attacks
- analysis of the web application's user authentication.

The main target audience for the system is information security experts, system administrators, hosting providers and web application developers.

A good and efficient open-source tool for code and security analysts; as per our observations, this tool can perform much better if fine-tuned according to the environment.

Download WebAppTools Here



Fiddler XSRF Inspector is a plugin for Fiddler 2 that extracts cross-site request forgery attacks from HTTP requests.

More details about the Fiddler web debugger can be found in our post here

Fiddler XSRF Inspector plugin

How to Install Fiddler XSRF Inspector?
It is very easy to install if you already have installed Fiddler. Otherwise, you need to install Fiddler first and then install the Fiddler XSRF Inspector. Download Fiddler version 2 here.

Copy FiddlerXSRF.dll to the Fiddler 2 Inspectors folder, generally %ProgramFiles%\Fiddler2\Inspectors

How to use Fiddler XSRF Inspector?
- Capture the request that is going to be used to build the cross-site request forgery test.
- Navigate to the XSRF tab under Inspectors to see the generated HTML. If the request uses the POST method, an option to convert it to GET is available.
- Click the Test button and observe the results.
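What the Test button checks is whether the server will honour a captured request when it is resubmitted from a page on another origin. The server-side defense that makes such a test fail, as an added example that is not part of the Fiddler plugin or of this post, is a per-session synchronizer token combined with an Origin/Referer check; the application origin, header and form names are assumptions for the example. The GET-conversion option the plugin offers is also why the check below only guards state-changing methods: handlers must never perform state changes on GET in the first place.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: the origin of the application being protected.
SITE_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def new_csrf_token():
    """Random per-session token; the server stores it in the session and
    embeds it in its own forms, where a cross-site page cannot read it."""
    return secrets.token_urlsafe(32)

def origin_allowed(headers):
    """True if the Origin header (or, failing that, Referer) names the site's
    own origin. A request carrying neither is treated as cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def request_is_genuine(method, headers, form, session_token):
    """Decide whether a request may perform a state change. Safe methods pass
    through (they must not change state at all); state-changing ones need a
    same-origin source and a token equal to the one stored in the session."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not origin_allowed(headers):
        return False
    sent = form.get("csrf_token", "")
    # constant-time comparison of the submitted token against the session's
    return hmac.compare_digest(sent.encode(), session_token.encode())

if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: one from the site's own form, one replayed from
    # a page on another origin without the token.
    own_form = ({"Origin": SITE_ORIGIN}, {"csrf_token": token, "amount": "100"})
    replayed = ({"Origin": "https://other.example"}, {"amount": "100"})
    print("own form accepted:", request_is_genuine("POST", *own_form, token))
    print("replayed request accepted:", request_is_genuine("POST", *replayed, token))
```

Both conditions are deliberately required: the token alone is defeated when it leaks into a GET URL or a Referer, and the origin check alone fails for clients that strip those headers, so an application that accepts a request with neither is the one the inspector's test will expose.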

Operating systems supported:
All Windows versions above Windows 2000 SP4

Download Fiddler XSRF Inspector here


