This weekend I made the first updates to CodeWatch since releasing it as a free service and am just now getting around to posting a notification. The updates included:
- Minor bugfixes throughout the system.
- Upgrades to the Brakeman scanner for Ruby on Rails vulnerability testing. We were using an outdated version but are now (at the time of this posting) using the latest and greatest.
- I added a plugin that leverages Sigcheck to identify viruses in executable code uploaded to the application. More information can be found here.
A link discussing Retire.js can be found here. To leverage it in a web application penetration test, you will need to:
- Install Node.js from here.
- Install the retire.js plugin with: `npm install -g retire`
- Run Retire.js against the copy of the site downloaded with httrack: `retire --jspath /path/to/httrack/website/download/folder`
To use DependencyCheck, use a similar process (minus Node.js): add `+*.jar` to the “Scan Rules” tab of httrack so that jar files are downloaded as well. Then run DependencyCheck against any downloaded jar files:
`dependency-check.bat -a "AppName" -f HTML -s /path/to/directory/containing/the/jar`
Another thing I like to do is use the Firefox Wappalyzer plugin to identify all the third-party components used on a site. Then I load up Burp, spider the site, and in the “Targets->Site Map” tab right-click the top-level site and select “Engagement tools->Search”. For each third-party component identified by Wappalyzer, I search through the spidered results for version information and then attempt to correlate it to any known vulnerabilities.
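The "find the version, then check it against known-affected ranges" step above, automated as an added example (not code from this post, from Retire.js or from DependencyCheck): a small Python scanner that applies filename and file-banner extractors, modelled loosely on the shape of the Retire.js repository data, to files from a downloaded site and flags versions inside an affected range. The repository entry, the advisory ID and the mirror files are constructed placeholders, not real advisories.

```python
import os, re
# Constructed sample in the spirit of retire.js repository data: per library, regexes that pull a
# version from the filename or file banner, plus affected ranges [atOrAbove, below). Placeholder data.
SAMPLE_REPO = {
    "jquery": {
        "filename": [r"jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$"],
        "filecontent": [r"/\*!? ?jQuery v(\d+\.\d+(?:\.\d+)?)"],
        "vulnerabilities": [{"atOrAbove": "1.0.0", "below": "1.9.0", "id": "PLACEHOLDER-ADVISORY-1"}],
    },
}
# Constructed stand-in for files pulled down by httrack: relative path -> first bytes of the file.
SAMPLE_MIRROR = {
    "js/jquery-1.4.2.min.js": "/*! jQuery v1.4.2 */(function(){})();",
    "js/vendor.js": "/*! jQuery v1.11.0 | (c) jQuery Foundation */",
    "js/app.js": "(function(){ /* site code, no banner */ })();",
}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version, vuln):
    ver = parse_version(version)
    if "atOrAbove" in vuln and ver < parse_version(vuln["atOrAbove"]):
        return False
    return ver < parse_version(vuln["below"])

def detect_version(entry, relpath, header):
    # Filename first (e.g. jquery-1.4.2.min.js), then the banner at the top of the file.
    for patterns, text in ((entry["filename"], os.path.basename(relpath)), (entry["filecontent"], header)):
        for pattern in patterns:
            match = re.search(pattern, text)
            if match:
                return match.group(1)
    return None

def scan_files(files, repo=SAMPLE_REPO):
    # files: iterable of (relative path, file header); returns (lib, version, path, id) hits.
    findings = []
    for relpath, header in files:
        for lib, entry in repo.items():
            version = detect_version(entry, relpath, header)
            findings += [(lib, version, relpath, v["id"]) for v in entry["vulnerabilities"]
                         if version is not None and is_vulnerable(version, v)]
    return findings

def scan_folder(root, repo=SAMPLE_REPO):
    # Same scan over a real download folder such as an httrack mirror, reading only each .js file's head.
    def heads():
        for dirpath, _, names in os.walk(root):
            for path in (os.path.join(dirpath, n) for n in names if n.endswith(".js")):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    yield os.path.relpath(path, root), fh.read(4096)
    return scan_files(heads(), repo)
```

`scan_files(SAMPLE_MIRROR.items())` reports only the 1.4.2 copy; `scan_folder("/path/to/httrack/website/download/folder")` runs the same check over a real mirror.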
Hopefully the updates and the information are useful to someone out there!