snuck : Automatic XSS filter bypass Tool

snuck is an automated tool that helps find XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer.

The approach it adopts is based on inspecting the injection's reflection context, and it relies on a set of specialized and obfuscated attack vectors for filter evasion.

In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker's behavior and, possibly, the victim's.

snuck is quite different from typical web security scanners: it tries to break a given XSS filter by specializing the injections in order to increase the success rate.

The attack vectors are selected on the basis of the reflection context, that is, the exact point where the injection lands in the DOM of the page that reflects it. Access to the page's DOM is possible through Selenium WebDriver, an automation framework that allows operations in web browsers to be replicated. Since many steps may be involved before an XSS filter is "activated", an XML configuration file has to be filled in so that snuck knows which steps to perform against the tested web application. Practically speaking, the approach is similar to iSTAR's, but it focuses on one particular XSS filter.
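The core of the approach described above is deciding in which DOM context a reflected input lands. The following is an added example, not code from snuck: it injects a constructed canary string and uses Python's standard HTML parser to classify every reflection point (text node, attribute value, attribute name, tag name, script/style body or comment), which is the same classification a defender needs in order to check that context-appropriate output encoding is applied.

```python
from html.parser import HTMLParser

# Constructed canary: a unique, filter-neutral string sent in the test
# request so that its reflection points can be located in the response.
CANARY = "zzq7canary"

# Constructed response page that reflects the canary in four contexts.
SAMPLE_PAGE = ('<p>Hello zzq7canary</p><a href="zzq7canary">x</a>'
               '<script>var q="zzq7canary";</script><!-- zzq7canary -->')


class ReflectionContextParser(HTMLParser):
    """Record every DOM context in which CANARY is reflected.

    Labels: 'text' (between tags), 'attr:<name>' (attribute value),
    'attr-name', 'tag' (tag name), 'script'/'style' (raw text element)
    and 'comment'. Each label calls for a different output encoding.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.contexts = []
        self._raw_element = None  # currently open <script>/<style>, if any

    def handle_starttag(self, tag, attrs):
        if CANARY in tag:                      # tag names are lowercased
            self.contexts.append("tag")
        for name, value in attrs:
            if CANARY in name:
                self.contexts.append("attr-name")
            if value is not None and CANARY in value:
                self.contexts.append(f"attr:{name}")
        if tag in ("script", "style"):
            self._raw_element = tag

    def handle_endtag(self, tag):
        if tag == self._raw_element:
            self._raw_element = None

    def handle_data(self, data):
        if CANARY in data:                     # raw element body or text node
            self.contexts.append(self._raw_element or "text")

    def handle_comment(self, data):
        if CANARY in data:
            self.contexts.append("comment")


def reflection_contexts(html: str) -> list:
    """Return the ordered list of contexts in which CANARY is reflected."""
    parser = ReflectionContextParser()
    parser.feed(html)
    parser.close()
    return parser.contexts
```

For SAMPLE_PAGE the result is ["text", "attr:href", "script", "comment"]; an empty list means the input is not reflected at all.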

Download it from here:

Tutorial can be found here:

New features added to Acunetix Web Vulnerability Scanner 8 Build 20120911


New features and security checks have been added to build 20120911 of Acunetix Web Vulnerability Scanner 8. A number of bugs have also been fixed in this build.

New Features:

  • Ability to import multiple HTTP Sniffer captures to the same crawl.
  • Ability to merge HTTP Sniffer captures to existing website crawls.
  • A new option that allows you to specify a different email address for each configured scan in the scheduler.
  • The HTTP Fuzzer number generator now supports padding, i.e. you can use a leading zero, e.g. from 01 to 10.
  • A new option to specify whether the latest cookie from the scanned website should be used rather than the one discovered during crawling.
  • A new option to force the scanner not to overwrite user-specified custom cookies with newer cookies from the scanned website.

New Security Checks:
  • Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
  • New security check for MediaWiki security issues.

The full change log is available here.

How to Upgrade to Build 20120911

On starting Acunetix WVS 8, a pop-up window will automatically notify you that a more recent build is available for download. Navigate to the General > Program Updates node in the Tools explorer and click on Download and Install the new build.

Browser Password Decryptor v2.5 released

SecurityXploded has released Browser Password Decryptor version 2.5.
Browser Password Decryptor is free software that instantly recovers website login passwords stored by popular web browsers.

Here are the top features of BrowserPasswordDecryptor:
  • Instantly decrypts and recovers stored encrypted passwords from popular web browsers.
  • Comes with both a GUI and a command-line version.
  • Right-click context menu to quickly copy a password.
  • Recovers passwords of any length and complexity.
  • Automatically discovers all supported applications and recovers all the stored passwords.
  • Sort feature to arrange the recovered passwords in various orders, making it easier to search through hundreds of entries.
  • Saves the recovered password list to an HTML/XML/text file.
  • Easier and faster to use thanks to its enhanced, user-friendly GUI.

Download it from here 

Volatility Framework 2.1 Released with x64 arch support

Volatility 2.1 has been released. While the main goal of this release was to get x64 support into an official release, several other interesting features have been included as well.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

* New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
* Majority of Existing Plugins Updated with x64 Support
* Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
* WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
* Expanded Operating System Profiles:
        Windows XP SP1, SP2 and SP3 x86
        Windows XP SP1 and SP2 x64 (there is no SP3 x64)
        Windows Server 2003 SP0, SP1, and SP2 x86
        Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
        Windows Vista SP0, SP1, and SP2 x86
        Windows Vista SP0, SP1, and SP2 x64
        Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
        Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
        Windows Server 2008 R2 SP0 and SP1 x64
        Windows 7 SP0 and SP1 x86
        Windows 7 SP0 and SP1 x64
* Plugin Additions (Now Over 70 Analysis Plugins!):
        Printing Process Environment Variables (envvars)
        Inspecting the Shim Cache (shimcache)
        Profiling Command History and Console Usage (cmdscan, consoles)
        Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
* Plugin Enhancements:
        Verbose details for kdbgscan and kpcrscan
        idt/gdt/timers plugins cycle automatically for each CPU
        apihooks detects LSP/winsock procedure tables
        New Output Formatting Support (Table Rendering)
* New Mechanism for Profile Modifications
* New Registry API Support
* New Volshell Commands
* Updated Documentation and Command Reference

The next version, Volatility 2.2, will be released by the developers at the Open Memory Forensics Workshop 2012 on October 2.


Microsoft released Attack Surface Analyzer 1.0

Microsoft has released Attack Surface Analyzer 1.0 which determines the security of an application by examining how it affects the computer it is installed on.

The tool was originally released in January 2011, during the Black Hat DC security conference, as a beta version.

According to the press release, the new release includes performance enhancements and bug fixes to improve the user experience. Through improvements in the code, Microsoft has reduced the number of false positives and improved graphical user interface performance. This release also includes in-depth documentation and guidance to improve ease of use.

"The Attack Surface Analyzer tool is designed to assist independent software vendors (ISVs) and other software developers during the verification phase of the Microsoft Security Development Lifecycle (SDL) as they evaluate the changes their software makes to the attack surface of a computer," Microsoft explains.

"Because Attack Surface Analyzer does not require source code or symbol access, IT professionals and security auditors can also use the tool to gain a better understanding of the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform."

Tools released at Defcon can crack widely used PPTP encryption in under a day

Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) session, as well as any WPA2-Enterprise (Wi-Fi Protected Access) session, that uses MS-CHAPv2 for authentication.

MS-CHAPv2 is an authentication protocol created by Microsoft and introduced in Windows NT 4.0 SP4. Despite its age, it is still used as the primary authentication mechanism by most PPTP virtual private network (VPN) clients.

ChapCrack can take captured network traffic that contains an MS-CHAPv2 handshake (from a PPTP VPN or a WPA2-Enterprise session) and reduce the handshake's security to a single DES (Data Encryption Standard) key.

This DES key can then be submitted to CloudCracker, a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing, where it will be cracked in under a day.

The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with Wireshark or similar network sniffing tools.

PPTP is commonly used by small and medium-sized businesses (large corporations use other VPN technologies, such as those provided by Cisco), and it is also widely used by personal VPN service providers, Marlinspike said.

The researcher gave the example of IPredator, a VPN service from the creators of The Pirate Bay, which is marketed as a solution to evade ISP tracking, but only supports PPTP.

Marlinspike's advice to businesses and VPN providers was to stop using PPTP and switch to other technologies such as IPsec or OpenVPN. Companies with wireless network deployments that use WPA2-Enterprise security with MS-CHAPv2 authentication should also switch to an alternative.