Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Tools Update - Third Week of April 2010

From: "SD List" <list () security-database com>
Date: Sun, 25 Apr 2010 10:51:40 +0200 (CEST)

Hello

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published since 7 days.


         New articles
         --------------------------


** Security Ninja security tool announcement **
by  Tools Tracker Team
- 24 April 2010

Security Ninja blog : The tool is the result of me thinking about writing
a tool to help people conduct security code reviews for over a year. I had
conference presentations to prepare, certification exams to sit and of
course a lot of conference speaking slots last year which meant the tool
idea had to go on the backburner. The benefit of having this idea going
around in my head for so long is that I knew exactly what I wanted the tool
to look like and how I wanted it to function before I (...)

->
http://www.security-database.com/toolswatch/Security-Ninja-security-tool.html


** HITB Ezine - Issue #002 **
by  ToolsTracker
- 23 April 2010

Released HITB Magazine. Vol. 1, Issue 2, April 2010.

The people of Hack In the Box, decided to make the ezine available for
free in the continued spirit of HITB in “Keeping Knowledge Free”. In
addition to the freely available PDF downloads, combined editions of the
magazine will be printed in limited quantities for distribution at the
various HITBSecConf’s around the world - Dubai, Amsterdam and Malaysia.
We aim to only print somewhere between 100 or 200 copies (maybe less) per
conference so (...)

-> http://www.security-database.com/toolswatch/HITB-Ezine-Issue-002.html


** OWASP Code Crawler v2.7 released **
by  ToolsTracker
- 22 April 2010

A tool aimed at assisting code review practitioners. It is a static code
review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to
implement a total code review solution for "everyone".

Version 2.7

Removed unused References and Objects

Reduced Noise (.NET Files)

Replaced old scanning engine with new multi step engine (Only Stage 1 is
active in this release for Single File Scan Only)

New DarkMoon IDE (...)

->
http://www.security-database.com/toolswatch/OWASP-Code-Crawler-v2-7-released.html


** OpenSCAP v0.5.9 released **
by  ToolsTracker
- 22 April 2010

The OpenSCAP Project was created to provide an open-source framework to
the community which enables integration with the Security Content
Automation Protocol (SCAP) suite of standards and capabilities.

It is the goal of OpenSCAP to provide a simple, easy to use set of
interfaces to serve as the framework for community use of SCAP.

Version 0.5.9

built on windows (without probe support)

better support on RHEL5

OVAL model validation functionality

OVAL, XCCDF xml file validation (...)

->
http://www.security-database.com/toolswatch/OpenSCAP-v0-5-9-released.html


** Xplico v0.5.6: VoIP (SIP & RTP) released **
by  ToolsTracker
- 22 April 2010

The goal of Xplico is extract from an internet traffic capture the
applications data contained. For example, from a pcap file Xplico extracts
each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP
call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol
analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Xplico is released under the GNU General Public License.

Version 0.5.6

In this version there are new and important features:

HTTP (...)

->
http://www.security-database.com/toolswatch/Xplico-v0-5-6-VoIP-SIP-RTP.html


** Sandcat v4.0 released **
by  ToolsTracker
- 20 April 2010

Sandcat allows web administrators to perform aggressive and comprehensive
scans of an organization’s web server to isolate vulnerabilities and
identify security holes. The Sandcat scanner requires basic inputs such as
host names, start URLs and port numbers to scan a complete web site and
test all the web applications for security vulnerabilities.

Version 4.0

Fast and ultra fast scans - Sandcat 4 provides significantly faster scans
(500+ requests /sec when running a common web server (...)

-> http://www.security-database.com/toolswatch/Sandcat-v4-released.html


** fuzzdb v1.05 - Attack and Discovery Pattern Database **
by  ToolsTracker
- 19 April 2010

A comprehensive set of fuzzing patterns for discovery and attack during
highly targeted brute force testing of web applications.

Fuzzdb is a comprehensive set of known attack pattern sequences to be
utilized for intelligent brute force testing in order to rapidly identify
exploitable conditions in new applications.

Primary sources used for attack pattern research:

researching old web exploits for repeatable attack strings

scraping scanner patterns from http logs

various books, (...)

->
http://www.security-database.com/toolswatch/fuzzdb-v1-05-Attack-and-Discovery.html


** ReFrameworker v1.1 (Managed Code Rootkit) - released **
by  ToolsTracker
- 19 April 2010

A Managed Code Rootkit (MCR) is a special type of malicious code that is
deployed inside an application level virtual machine such as those employed
in managed code environment frameworks – Java, .NET, Dalvik, Python, etc.


Having the full control of the managed code VM allows the MCR to lie to
the upper level application running on top of it, and manipulate the
application behavior to perform tasks not indented originally by the
software developer.

ReFrameworker is a general purpose (...)

->
http://www.security-database.com/toolswatch/ReFrameworker-v1-1-Managed-Code.html


** [PDF] OWASP Top 10 for 2010 Final Version **
by  ToolsTracker
- 19 April 2010

The OWASP Top Ten provides a powerful awareness document for web
application security. The OWASP Top Ten represents a broad consensus about
what the most critical web application security flaws are. Project members
include a variety of security experts from around the world who have shared
their expertise to produce this list.

The OWASP Top 10 Web Application Security Risks for 2010 are:

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: (...)

->
http://www.security-database.com/toolswatch/PDF-OWASP-Top-10-for-2010-Final.html

Regards

Security-Database Team


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: