    Binging (Beta)
    Binging - Footprinting and Discovery Tool

    Binging is a simple tool for querying the Bing search engine. It uses your Bing API key and fetches multiple results. The tool can be used for cross-domain footprinting of Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various directives like site, ip etc. and run queries against the engine. On top of that, the tool provides filtering capabilities, so you can ask for unique URLs or hosts. It is also possible to filter results with regular expressions. Get your Bing API key and use this tool for your audit, assessment and research.


    Web2Fuzz (Beta)
    Web 2.0 Application Auto Fuzzing tool

    This tool helps in fuzzing next-generation applications running on the Web/enterprise 2.0 platform. It can be used with Web2Proxy by harvesting JSON, XML, JS-Object etc. from already profiled HTTP requests, adding various fuzz loads and injecting them into a particular request. One can encode the fuzz load in various forms to pollute/poison Web 2.0 streams. It is possible to analyze responses using various techniques like response behavior, stream structure or patterns. The tool contains a sample payload, and the pdf/slides can give you a better understanding of its behavior.


    Web2Proxy (Beta)
    Web 2.0 Application Proxy, Profiling and Fuzzing tool

    This tool helps in assessing next-generation applications running on the Web/enterprise 2.0 platform. Configured as a proxy, it profiles HTTP requests and responses at runtime. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookies, login forms, hidden values etc. Based on the profile, one can decide to trap and fuzz requests to identify potential vulnerabilities. This tool needs the .NET framework and has been tested on the Windows platform. We are adding several new features to the upcoming edition.


    AppPrint (Beta)
    Web, Application Server and Web 2.0 Fingerprinting tool (Beta)

    AppPrint scans an IP range, IP or host for Web and application servers. It scans port 80 for a particular target and tries to deduce the banner using the httprint methodology. This gives a best-guess banner for the Web server. In the next step it uses the method of forced plug-in invocation and scans for the application server type. At this point it tries to fingerprint Tomcat, WebLogic, WebSphere, Orion, ColdFusion and Resin. It also fingerprints Web 2.0 libraries and components. It requires the .NET framework to be installed. In a future version we will add mapping and fingerprinting for several other technologies like Flash, Laszlo etc. We are also planning to add a WAF fingerprinting module.


    ScanEx (Beta)
    ScanEx - Scanning for iframe and script Injections and External References (Beta)

    This is a simple utility which runs against a target site and looks for external references and cross-domain malicious injections. There are several vulnerable sites which get manipulated with these types of injections and compromised. The site gets registered with stopbadware and other databases as well. This tool helps with initial scanning for obvious injections. At this point it looks at iframe and script tags as defined in the regex file.


    web2wall
    Web Application/Services Firewall - IHttpModule for Web 2.0 application

    Microsoft's .NET framework includes two interfaces - IHttpModule and IHttpHandler. These two interfaces can be leveraged to provide application-level defense customized at the application, folder or variable level. This can act as the first line of defense, before any incoming request touches the Web application source code. This is Web application defense at the gates, for the .NET framework on IIS.

    Web2wall is a simple binary module which can be loaded in your Web 2.0 applications. You can defend your application layer code by using regex patterns; this can help in filtering XML and JSON streams. This tool is in beta and more features will be added with time. We will resolve bugs to make the module much more robust.


    AppCodeScan 1.2
    Application Code Scanning and Tracing tool

    Update - 24th June

    This tool is designed to help in performing whitebox testing. During whitebox testing one needs to scan the complete application code for various vulnerabilities like XSS, SQL injection, poor validation etc. It is possible to discover these vulnerable points using this tool, and one can then walk across the code base to trace the vulnerability. This tool works in the following two areas:

    Code Scanning - One needs to feed in the target code folder, rule patterns in regex (a sample is provided for ASP) and a list of file extensions to scan. The tool will take this information, run against the target folder with a depth of three (3) and scan each line for a matching pattern. If a pattern is found, it will report that line in the tool.
    Code Walker - This little utility helps in walking across the code base to find a variable or function. This helps to trace variables and their entire path in a large code base. It also helps in eliminating false positives from the identified patterns.


    This tool runs on the .NET framework and is still in an initial beta state. We are working on it and more features will be added.

    You can read about the code scanning method in an article written by Shreeraj Shah at Onlamp.

    wsScanner
    Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool

    wsScanner is a toolkit for Web Services scanning and vulnerability detection. This tool has the following utilities:

    Discovery tool - By leveraging a search engine, this tool helps in discovering Web Services running on any particular domain or with a certain name pattern.
    Vulnerability detection - It is possible to enumerate and profile Web Services using this tool, and one can follow that up with auto auditing (.NET only). A .NET proxy gets dynamically created for the audit module. One can do vulnerability scans for data types, SQL injections, LDAP/Command injections, buffer checks, bruteforcing SOAP etc. It is also possible to leverage regex patterns for SOAP analysis.
    Fuzzing - This tool helps in fuzzing different Web 2.0 streams like SOAP, XML-RPC, REST, JSON etc. This module helps in assessing various Web Services.
    UDDI scan - It is possible to scan UDDI servers using this tool for footprinting and discovery of Web Services.

    This tool is still in beta and we are planning to add some more features and support. Stay tuned for future releases as well.


    scanweb2.0

    Web 2.0 Fingerprinting, Scanning and Discovery tools

    Scanweb2.0 is a set of Ruby scripts which can help in assessing Web 2.0 applications. This is a starting point for an assessment. Here is a list of things it can do:

    Ajaxfinger - It helps in Ajax framework fingerprinting; it is possible to identify frameworks like atlas, dojo, GWT etc. using this script.
    Flashfinger - One can scan a page for RIA components running with Flash, after which a follow-up assessment is possible. It helps in fingerprinting the Laszlo framework as well.
    Scanajax - It scans for XSS entry points in JavaScript and Web 2.0 applications. It is possible to trace these points and discover XSS.
    Scanatlas - This script will scan a page for atlas references and discover hidden Web Services.
    Urlgrep - This script will fetch all JavaScript files and look for hidden URLs residing in Web 2.0 applications.


    AppMap

    Application footprinting and mapping tool using MSN APIs

    AppMap is a very simple tool which runs against MSN using Web APIs over SOAP. It is a desktop-based mashup application. One can do the following things using it:

    Application host footprinting - It uses the ip switch to identify virtual hosts.
    Application domain footprinting - It uses a combination of the site, inurl and linkdomain switches to fetch domain and cross-domain applications belonging to one parent domain.
    Application crawling - It fetches all links belonging to an application from MSN.
    Application fetching and searching - It runs rule-based queries against MSN. One can build a set of rules and fetch the vulnerable URLs from MSN for a target application.

    This tool is still in beta and we are planning to add some more features and support. Stay tuned for future releases as well.