CAL9000 - Web Application Security Toolkit / Browser

CAL9000:
                 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

                   CAL9000 is written in JavaScript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.

                    CAL9000 is a collection of nine tools that are used to test web applications for security vulnerabilities, specifically cross-site scripting. You can use some of these tools to test other types of vulnerabilities, but the main focus of this toolkit is the cross-site scripting. In this section, we'll take you through the interface CAL9000 and describe each of the below nine tools:

• XSS Attacks
• Encode/Decode
• HTTP Requests
• HTTP Responses
• Scratch Pad
• Cheat Sheets
• Misc Tools
• Checklist
• AutoAttack

                       Show the tool XSS Attacks. This is a dictionary of known XSS Attacks. Click one of the attacks listed in the menu on the left side of the screen, as shown in

 

Features

• XSS Attacks - This is a listing of the XSS Attack Info from RSnake. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
• Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
• Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
• Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
• Scratchpad - A place to save code snippets, notes, results, etc.
• Cheatsheets - Collection of references for various web-related platforms and languages.
• IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
• String Generator - Create character strings of almost any length.
• Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
• Testing Tips - Collection of testing ideas for assessments.
• Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
• AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
• Store/Restore - Temporarily hold and retrieve textarea and text field contents.
• Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
• Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents. 

ENCODE/DECODE : 

HTTP REQUESTS / RESPONSE :

SCRATCH PAD :

CHEAT SHEETS :

MISC TOOLS :

CHECKLIST :

AUTOATTACK :

For more information:

OWASP CAL9000 Project
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
http://saei.org/CAL9000/CAL9000/CAL9000.html

Securing PHP Web Applications
http://www.informit.com/store/product.aspx?isbn=0321534344

Web Application Security com CAL9000
http://www.vivaolinux.com.br/dica/Web-Application-Security-com-CAL9000 

Download Link : 


LATEST RELEASE - Version 2.0 released November 16, 2006. See the OWASP CAL9000 Project Roadmap for release notes.

• The latest release has been incorporated into the OWASP LiveCD project
• Click here to view the CAL9000 source code. 

OWASP 2013 Top 10 Application Security Risks

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Ostinato - IPv4 & IPv6 Packet/Traffic Generator and Analyzer

Ostinato:
                is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates.

Features :

• Runs on Windows, Linux, BSD and Mac OS X (Will probably run on other platforms also with little or no modification but this hasn't been tested)
• Open, edit, replay and save PCAP files
• Support for the most common standard protocols
• Ethernet/802.3/LLC SNAP
• VLAN (with QinQ)
• ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunnelling (6over4, 4over6, 4over4, 6over6)
• TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD
• Any text based protocol (HTTP, SIP, RTSP, NNTP etc.)
• More protocols in the works ...
• Modify any field of any protocol (some protocols allow changing packet fields with every packet at run time e.g. changing IP/MAC addresses)
• User provided Hex Dump - specify some or all bytes in a packet
• User defined script to substitute for an unimplemented protocol (EXPERIMENTAL)
• Stack protocols in any arbitrary order
• Create and configure multiple streams
• Configure stream rates, bursts, no. of packets
• Single client can control and configure multiple ports on multiple computers generating traffic
• Exclusive control of a port to prevent the OS from sending stray packets provides a controlled testing environment
• Statistics Window shows realtime port receive/transmit statistics and rates
• Capture packets and view them (needs Wireshark to view the captured packets)
• Framework to add new protocol builders easil.

Some screenshots :

Stream Configuration -Protocol Selection (Simple Mode)

 Stream Configuration - Stream Control

Stream Configuration -Packet View 

Ostinato aims to be "Wireshark in Reverse" and become complementary to Wireshark.

Here's a screencast showing basic usage -

Download Link : Ostinato 

IPv6 port scanner Tool - Topera

 Topera:
           is a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort.

                        Snort is the most known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) use it as detection engine also.

Mocking snort detection capabilities could suppose a high risk in some cases.
   
                          We keep researching on the security implications that the "new" IPv6 protocol will have in different environments.

                      Get local IPv6 address - Get local ethernet interface - sniffer packet counter - Some minor fixes. You can see an example of execution of Topera in demo videos below,

Latest Video :

 Sample Snapshot :

                                   In next pictures you can see some executions screenshots:

 

Topera in TCP port scanner mode:

Run with default options:

# python topera.py -M topera_tcp_scan -t fe80:b100:::c408

Run specifing: ports to scan, delay between connections, and number os extensions headers:

# python topera.py -M topera_tcp_scan -t fe80:b100:::c408 \
-p 21,22,23,80,8080 --scan-delay 0 --headers-num 0 -vvv

Download Link : Topera

Mirror Download Link 1 : Topera
Mirror Download Link 2 : Topera

OWASP - Web Security Training

OWASP - Open Web Application Security Project :

                                               is a open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.

OWASP Testing Guide :

January 2004
–"The OWASP Testing Guide", Version 1.0

July 14, 2004
–"OWASP Web Application Penetration Checklist", Version 1.1



Download Link : OWASP Ver 1.1


December 25, 2006
–"OWASP Testing Guide", Version 2.0
Download Link  MS- DOC Format : OWASP Ver 2.0  
Download Link PDF-Format   : OWASP Ver 2.0

15th September, 2008

–"OWASP Testing Guide", Version 3.0

Download Link MS-PPT Format : OWASP Ver 3.0
Download Link PDF Format : OWASP Ver 3.0

Video Tutorials :

OWASP AppSec Basics :

OWASP SQL Injection :

OWASP Cross Site Scripting :

OWASP Strict Transport Security :

Setting Up OWASP Web Security Learning Lab with OWASP ZAP :

Installation

Required Software

• Virtual Machine Software - Recommend Free VirtualBox (Win, Mac, Linux)
• OWASP Broken Web Apps VM (Download at official site)
• Web Proxy - Recommend OWASP Zap Proxy
• Web Proxy - Alternative Burp Proxy
• Browser - Recommend Firefox
• Optional - Browser Plugins
• Firebug
• Firecookie

 Setup

1. Install VirtualBox
2. Unzip OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
3. Open VirtualBox and hit the icon for "New"
• VM Name and OS Type: Enter name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
• Memory: Default of 512 is fine
• Virtual Hard Disk: Important Select "Use existing hard disk" and click on the folder.
• Browse to the unzipped folder contents of the OWASP Broken Web Apps VM. Select "OWASP Broken Web Apps.vmdk" Note: There are similar files ending in -s001. Don't pick those.
  
• Click OK to finish VM Setup
4. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and select "Settings" (also available via menu Machine->Settings)
• Go to Settings->Network->Adapter 1.
• Make sure the checkmark for enabled is checked.
• Change "Attached to:" from "NAT: to "Host-Only Adapter"
• Click OK
5. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and hit "Start"
6. After the VM boots the OWASP-BWA login page will provide the following message (the IP address will be similar but not exactly this)

You can access the web apps at http://192.168.56.101


7. Open a browser on your main machine (not the VM) and go to this URL. It should load a page that starts with "OWASP Broken Web Applications"
8. Note: You don't need to actually login to the virtual machine. Everything is already running.

Common Errors

• Boot Up Error Message - Kernel requires feature on CPU: pae
• Power off VM (not VirtualBox, just VM window)
• Right click on OWASP-BWA on left side and select "Settings" (also available via menu Machine->Settings)
• Go to System->Processor and enable PAE
• Click OK and restart VM
• Host Only Adapter Shows Error Message and Name says "not selected" with no options
• Go to the VirtualBox Manager (e.g. the main virtualbox control app, not the individual vm)
• Go to the VirtualBox->Preferences and then select "Network" (note: these are settings for the virtualbox app overall)
• There is text box with the title "Host-only Networks:" it is most likely an empty text area and this is the problem
• Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
• Click ok and then go back to the VMs preferences. You should be able to select the hostonly adapter now
• Keyboard and mouse trapped in VM
• Mac: Hit the left command button to exit VM control
• Windows: Left Alt??
• Simply click back inside the vm with the mouse to regain keyboard control in the VM

Training PDF : Click Here 

OWASP WebScarab Proxy Training : 

                 
                                      WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Download

Windows : Click Here  or Alernate Link Click Here

Linux: java -jar ./webscarab-selfcontained-[numbers].jar

Video Training Click Here: http://yehg.net 

Sample Video : 

OWASP Webgoat Training :

                                    WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. 

Download Link : WebGoat V 5.4

Training Documentation :

References to WebGoat documentation or solutions.

• WebGoat on YouTube
• WebGoat Solution Movies

Sample Video : 

Hacking-Lab is providing the FREE OWASP TOP 10 : 

         
                                                    hands-on lab as a service to the OWASP Academy Portal and to the OWASP community. Those training material is reviewed and approved by the OWASP Academy Portal Project members in order to set and maintain an OWASP-worthy training quality.

Installation :

These are the simple steps I followed on a Windows 7 laptop.

• Dowload the Virtual Appliance OVA file to your laptop
• Download and install the Oracle Virtual Box  application onto your laptop
• Double-click the .ova file through Windows Explorer and the appliance import process should commence on the Virtual Box application. You should see something like Fig 1:

Fig. 1: Oracle VM Virtual Box Manager

•  In  theVirtual Box Manager left-hand pane double-click on the LiveCD-Hacking-Lab-V5.55 entry. The LiveCD should start and after a short while  the Welcome screen as shown in Fig 2 should appear.

Fig 2: Welcome Screen

You should be ready to go now at the OWASP Security Training.

Training Videos - Hacking_Lab LiveCD

Video Description	Details
How to use 2 different (attacker/victim) browser instances	Learn how to use 2 different (attacker/victim) browser instances (The Firefox Profiles are available on LiveCD V5.83 and newer)
How to use the ZAP browser in the LiveCD	Tutorial; ZAP Web Inspection Proxy on LiveCD
How to setup a landing page on the LiveCD	Tutorial; ZAP Web Inspection Proxy on LiveCD
How to import LiveCD in VirtualBox	Learn how to import the LiveCD ova file into VirtualBox
How to import LiveCD in VMware	Learn how to import the LiveCD ova file into VMware
Run Hacking-Lab LiveCD with Vmware 8 workstation	Learn how to use the LiveCD ISO with Vmware 8 workstation
Installation of LiveCD in Vmware 8 workstation	Learn how to install the LiveCD ISO in your Vmware 8 workstation
How to open a root shell	Learn how to open a "root" shell
Server side VDI solution	Learn how to use the server side VDI solution

Hacking-Lab Download 

	Documents and Videos
	Hacking-Lab LiveCD

Android Application Vulnerability / Security Assessment Tools & Framework

Android Security Evaluation Framework (ASEF) :
                                               performs this analysis while alerting you about other possible issues. It will make you aware of unusual activities of your apps, will expose vulnerable components and help narrow down suspicious apps for further manual research. The framework will take a set of apps (either pre-installed on a device or as individual APK files) and migrate them to the test suite where it will run it through test cycles on a pre-configured Android Virtual Device (AVD).

                            ASEF is a Open Source Project to perform security analysis of Android Apps by various security measures                         

                            ASEF is an Open Source tool for scanning Android Devices for security evaluation. Users will gain access to security aspects of android apps by using this tool with its default settings. An advanced user can fine-tune this, expand upon this idea by easily integrating more test scenarios, or even find patterns out of the data it already collects. ASEF will provide automated application testing and facilitate a plug and play kind of environment to keep up with the dynamic field of Android Security.

YouTude Videos :

Demo : Running ASEF to test all installed android apps from an android device on an Android Virtual Device

Short Demo : Running ASEF to test all installed android apps from an android device on an another physical android device

 

Download Link : Android Security Evaluation Framework


Tools :

Mercury v1.1 Tool - 

                              bug hunters to find vulnerabilities & write proof-of-concept exploits in Android Application. Simple called as Android Apps Vulnerability Scanner. 

 

                            Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.

                         Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

• Use dynamic analysis on Android applications and devices for quicker security assessments
• Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
• Write custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints - activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages with optional search filters to allow for better control
4. Built-in commands that can check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and playing with those that others have found

                For those of you interested in vulnerabilities in vendor products, the new version is the start of a collection of these in a framework. The first privilege escalation was included, allowing the escalation to root from Mercury’s unprivileged context. A module was created to check for vulnerabilities in content providers discovered on Samsung devices.

Sample results of running this module on a vulnerable version of the Samsung Galaxy SII is shown below:

Running this on the Samsung Galaxy SIII yields the following:
                               

Security consultants Sample Testing :

                  The first set of vulnerabilities found by the MWR team was done manually by reviewing the AndroidManifest.xml of each package on the phone. With Mercury, a combination of the attacksurface command and the the info command in each section will get you the same results in a tenth of the time. If you are interested in looking for common problems on devices, the scanner modules will be of interest to you. As an example, this is scanner.provider.sqlinjection finding SQL injection flaws in default content providers on an Android 4.0.3 Emulator.

                        Don’t get too excited, these SQL injection vulnerabilities don’t lead to any serious information disclosure, but you get the idea right? Don’t just look at content provider problems because these tools are available. Content providers are the tip of the iceberg! Ask us questions or bounce ideas. Create new modules with Mercury. Go forth and innovate!

   Download Link : Mercury v1.1

 

 

Fern Wifi Cracker - Wireless Penetration Testing Tool

Fern Wifi Cracker :
                       is a Wireless security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library, the program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks

                          

Features

---

Fern Wifi Cracker currently supports the following features:

WEP Cracking with Fragmentation,Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack

WPA/WPA2 Cracking with Dictionary or WPS based attacks

Automatic saving of key in database on successful crack

Automatic Access Point Attack System

Session Hijacking (Passive and Ethernet Modes)

Access Point MAC Address Geo Location Tracking

Internal MITM Engine

Bruteforce Attacks (HTTP,HTTPS,TELNET,FTP)

Update Support

Operating System Supported

The Software runs on any Linux machine with the programs prerequisites, But the program has been tested on the following Linux based operating systems:

Ubuntu KDE/GNOME

BackTrack Linux

BackBox Linux

Prerequisites

The Program requires the following to run properly:
The following dependencies can be installed using the Debian package installer command on Debian based systems using "apt-get install program" or otherwise downloaded and installed manually

Aircrack-NG

Python-Scapy

Python Qt4

Python

Subversion

Xterm

Reaver (for WPS Attacks)

Macchanger

Installation

Installation on Debian Package supported systems:

---

root@host:~# dpkg -i Fern-Wifi-Cracker_1.6_all.deb

---

Screenshot :

Aim 

• Crack the Wifi using Fern Wifi Cracker . 

HOW TO OPEN FERN-WIFI-CRACKER

• To open fern , follow the steps - 
• Backtrack > Exploitation Tools > Wireless Exploitation Tools >WLAN Exploitation >fern-wifi-cracker 
• See the below image for more details - 

SELECT INTERFACE

• First step is to select the interface .
• Here in my case i have selected wlan0 interfaec .
• See the below image for more details - 

SCANNING ACCESS POINT 

• To scan for Access Point click on the 2nd button ( wifi icon ).
• See the below image for more details -
• Once you get the Access Point , various AP's of WEP and WPA are detected .
• See the below image for more details-

 

WPA Cracking with WPS Attack:

Video Tutorial :

Session Hijacking With Fern Wifi Cracker

Bruteforcing Routers with Fern-Wifi-Cracker

 

Download Link : Click Here