Wednesday, July 10, 2013

CAL9000 - Web Application Security Toolkit / Browser

CAL9000:
                 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

                   CAL9000 is written in JavaScript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.



                    CAL9000 is a collection of nine tools that are used to test web applications for security vulnerabilities, specifically cross-site scripting. You can use some of these tools to test other types of vulnerabilities, but the main focus of this toolkit is the cross-site scripting. In this section, we'll take you through the interface CAL9000 and describe each of the below nine tools:


  • XSS Attacks
  • Encode/Decode
  • HTTP Requests
  • HTTP Responses
  • Scratch Pad
  • Cheat Sheets
  • Misc Tools
  • Checklist
  • AutoAttack



                       Show the tool XSS Attacks. This is a dictionary of known XSS Attacks. Click one of the attacks listed in the menu on the left side of the screen, as shown in

 

Features

  • XSS Attacks - This is a listing of the XSS Attack Info from RSnake. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
  • Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
  • Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
  • Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
  • Scratchpad - A place to save code snippets, notes, results, etc.
  • Cheatsheets - Collection of references for various web-related platforms and languages.
  • IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
  • String Generator - Create character strings of almost any length.
  • Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
  • Testing Tips - Collection of testing ideas for assessments.
  • Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
  • AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
  • Store/Restore - Temporarily hold and retrieve textarea and text field contents.
  • Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
  • Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents. 
ENCODE/DECODE : 

HTTP REQUESTS / RESPONSE :

SCRATCH PAD :

CHEAT SHEETS :
MISC TOOLS :

CHECKLIST :





AUTOATTACK :




For more information:

OWASP CAL9000 Project
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project

http://saei.org/CAL9000/CAL9000/CAL9000.html

Securing PHP Web Applications
http://www.informit.com/store/product.aspx?isbn=0321534344

Web Application Security com CAL9000
http://www.vivaolinux.com.br/dica/Web-Application-Security-com-CAL9000 


Download Link : 


LATEST RELEASE - Version 2.0 released November 16, 2006. See the OWASP CAL9000 Project Roadmap for release notes.



1 comment:

  1. If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (even if they're dating somebody else now) you gotta watch this video
    right away...

    (VIDEO) Win your ex back with TEXT messages?

    ReplyDelete

Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.




The following list contains free and open source Web Conferencing tools that are n't in particular order.



Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?



I support Free eLearning




BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.



*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.




OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.



OpenMeetings Key Features Mini Demo





Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.












Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees







Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.










With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.









Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.



*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.




Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free