Penetration Testing mailing list archives
Tools Update - Third Week of April 2010
From: "SD List" <list () security-database com>
Date: Sun, 25 Apr 2010 10:51:40 +0200 (CEST)
Hello Here is the site's newsletter "Security Database Tools Watch" (http://www.security-database.com/toolswatch). This letter summarizes the articles and news items published since 7 days. New articles -------------------------- ** Security Ninja security tool announcement ** by Tools Tracker Team - 24 April 2010 Security Ninja blog : The tool is the result of me thinking about writing a tool to help people conduct security code reviews for over a year. I had conference presentations to prepare, certification exams to sit and of course a lot of conference speaking slots last year which meant the tool idea had to go on the backburner. The benefit of having this idea going around in my head for so long is that I knew exactly what I wanted the tool to look like and how I wanted it to function before I (...) -> http://www.security-database.com/toolswatch/Security-Ninja-security-tool.html ** HITB Ezine - Issue #002 ** by ToolsTracker - 23 April 2010 Released HITB Magazine. Vol. 1, Issue 2, April 2010. The people of Hack In the Box, decided to make the ezine available for free in the continued spirit of HITB in Keeping Knowledge Free. In addition to the freely available PDF downloads, combined editions of the magazine will be printed in limited quantities for distribution at the various HITBSecConfs around the world - Dubai, Amsterdam and Malaysia. We aim to only print somewhere between 100 or 200 copies (maybe less) per conference so (...) -> http://www.security-database.com/toolswatch/HITB-Ezine-Issue-002.html ** OWASP Code Crawler v2.7 released ** by ToolsTracker - 22 April 2010 A tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone". Version 2.7 Removed unused References and Objects Reduced Noise (.NET Files) Replaced old scanning engine with new multi step engine (Only Stage 1 is active in this release for Single File Scan Only) New DarkMoon IDE (...) -> http://www.security-database.com/toolswatch/OWASP-Code-Crawler-v2-7-released.html ** OpenSCAP v0.5.9 released ** by ToolsTracker - 22 April 2010 The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities. It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP. Version 0.5.9 built on windows (without probe support) better support on RHEL5 OVAL model validation functionality OVAL, XCCDF xml file validation (...) -> http://www.security-database.com/toolswatch/OpenSCAP-v0-5-9-released.html ** Xplico v0.5.6: VoIP (SIP & RTP) released ** by ToolsTracker - 22 April 2010 The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isnt a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License. Version 0.5.6 In this version there are new and important features: HTTP (...) -> http://www.security-database.com/toolswatch/Xplico-v0-5-6-VoIP-SIP-RTP.html ** Sandcat v4.0 released ** by ToolsTracker - 20 April 2010 Sandcat allows web administrators to perform aggressive and comprehensive scans of an organizations web server to isolate vulnerabilities and identify security holes. The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities. Version 4.0 Fast and ultra fast scans - Sandcat 4 provides significantly faster scans (500+ requests /sec when running a common web server (...) -> http://www.security-database.com/toolswatch/Sandcat-v4-released.html ** fuzzdb v1.05 - Attack and Discovery Pattern Database ** by ToolsTracker - 19 April 2010 A comprehensive set of fuzzing patterns for discovery and attack during highly targeted brute force testing of web applications. Fuzzdb is a comprehensive set of known attack pattern sequences to be utilized for intelligent brute force testing in order to rapidly identify exploitable conditions in new applications. Primary sources used for attack pattern research: researching old web exploits for repeatable attack strings scraping scanner patterns from http logs various books, (...) -> http://www.security-database.com/toolswatch/fuzzdb-v1-05-Attack-and-Discovery.html ** ReFrameworker v1.1 (Managed Code Rootkit) - released ** by ToolsTracker - 19 April 2010 A Managed Code Rootkit (MCR) is a special type of malicious code that is deployed inside an application level virtual machine such as those employed in managed code environment frameworks Java, .NET, Dalvik, Python, etc. Having the full control of the managed code VM allows the MCR to lie to the upper level application running on top of it, and manipulate the application behavior to perform tasks not indented originally by the software developer. ReFrameworker is a general purpose (...) -> http://www.security-database.com/toolswatch/ReFrameworker-v1-1-Managed-Code.html ** [PDF] OWASP Top 10 for 2010 Final Version ** by ToolsTracker - 19 April 2010 The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The OWASP Top 10 Web Application Security Risks for 2010 are: A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: (...) -> http://www.security-database.com/toolswatch/PDF-OWASP-Top-10-for-2010-Final.html Regards Security-Database Team ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Tools Update - Last Week of March 2010 SD List (Apr 08)
- Tools Update - Third Week of April 2010 SD List (Apr 26)