Web application security
http://zeleet.com/security.htm

Web security tools that are hosted on the web

Goals
• Save time
• Build a clean interface (based on jQuery)
• Accessible anywhere
• Help other pen-testers

Limitations
• Optimized for IE for now (personal project)

CSRF POC Helper
What does it do?
• Automates a cross-domain POST via a link.
• The linked page auto-submits a form to make the cross-domain POST.
Why?
• Demonstrates that CSRF via POST is just as dangerous as via GET.
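The slide's point is that a cross-site auto-submitted form carries the victim's session cookie just like a GET would, so the server has to verify that a POST actually came from its own pages. The following is an added example, not code from the zeleet.com tools: a server-side CSRF check that combines an Origin/Referer comparison with a session-bound synchronizer token, run against two constructed requests. The origin https://app.example, the key, the session id and the request dicts are all assumptions made up for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for the demo; a real application loads the key from configuration.
SERVER_KEY = b"constructed-demo-key"
SITE_ORIGIN = "https://app.example"   # assumed origin of the protected application


def csrf_token_for(session_id):
    """Synchronizer token bound to the session.

    The browser attaches the session cookie to a cross-site POST automatically,
    but a page on another origin cannot read this value to include it in the form.
    """
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_csrf(request):
    """request is a constructed dict with method, headers, cookies and form fields.

    Returns (accepted, reason). Both checks must pass for a state-changing request.
    """
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods skip the check; state changes must not be reachable via GET at all.
        return True, "safe method"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Check 1: a form auto-submitted from another site arrives with that site's Origin.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    if origin_of(source) != SITE_ORIGIN:
        return False, f"cross-origin request from {origin_of(source)}"
    # Check 2: the token in the form must match the one derived from the session cookie.
    session_id = request["cookies"].get("session", "")
    token = request["form"].get("csrf_token", "")
    expected = csrf_token_for(session_id) if session_id else ""
    if not session_id or not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return False, "csrf_token missing or does not match session"
    return True, "ok"


SESSION = "constructed-session-id"

# Constructed same-origin submission from the application's own page.
LEGIT = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/transfer"},
    "cookies": {"session": SESSION},
    "form": {"amount": "10", "csrf_token": csrf_token_for(SESSION)},
}

# Constructed auto-submitted form from another origin: the cookie rides along,
# the token is absent and the Origin header names the other site.
FORGED = {
    "method": "POST",
    "headers": {"Origin": "https://other.example", "Referer": "https://other.example/page"},
    "cookies": {"session": SESSION},
    "form": {"amount": "10"},
}

if __name__ == "__main__":
    print("legit :", check_csrf(LEGIT))
    print("forged:", check_csrf(FORGED))
```

Either check alone is weaker than both together: Origin/Referer can be stripped by some proxies and privacy settings, which is why the missing-header case is rejected rather than waved through, and the token check still holds if the header comparison is ever misconfigured.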

Web Text Converter
What does it do?
• Generates encoded payloads.
Why?
• Save time!
• Accessible!
• Encoders supported:
  various-base entity encoding, URL encoding, various-base script encoding, Base64 encoding, obfuscated ASCII encoding, regular UTF-7, comprehensive UTF-7
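The reason a tester wants all of these encoders in one place is that a browser undoes them before interpreting the text, while a naive filter compares the raw bytes. The block below is an added example, not the Web Text Converter's code: it implements several of the listed encoders (decimal and hex entity, URL, hex/unicode/octal script escapes, Base64, regular and comprehensive UTF-7) and, for the defender, a `normalize()` function that decodes layered encodings until the text stops changing, so every form of `<script>` collapses to the same string before matching. The UTF-7 routine follows RFC 2152 directly and treats the optional "Set O" characters as shifted, which is an implementation choice of this example.

```python
import base64
import html
import re
from urllib.parse import quote, unquote


def entity_encode(s, base=10):
    """Numeric character references, decimal (&#60;) or hexadecimal (&#x3c;)."""
    fmt = "&#{};" if base == 10 else "&#x{:x};"
    return "".join(fmt.format(ord(c)) for c in s)


def script_encode(s, style="hex"):
    """JavaScript string escapes: \\x3c (hex), \\u003c (unicode) or \\074 (octal)."""
    forms = {"hex": "\\x{:02x}", "unicode": "\\u{:04x}", "octal": "\\{:03o}"}
    return "".join(forms[style].format(ord(c)) for c in s)


def url_encode(s):
    return quote(s, safe="")


def base64_encode(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# RFC 2152 "Set D" plus space: the characters regular UTF-7 emits unchanged.
_UTF7_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'(),-./:? ")


def _utf7_run(chars):
    """One shifted run: '+' + modified base64 of the UTF-16BE bytes + '-'."""
    raw = "".join(chars).encode("utf-16-be")
    return "+" + base64.b64encode(raw).decode("ascii").rstrip("=") + "-"


def utf7_encode(s, comprehensive=False):
    """Regular UTF-7 shifts only non-direct characters; comprehensive shifts everything."""
    if comprehensive:
        return _utf7_run(s)
    out, run = [], []
    for c in s:
        if c in _UTF7_DIRECT:
            if run:
                out.append(_utf7_run(run))
                run = []
            out.append(c)
        else:
            run.append(c)
    if run:
        out.append(_utf7_run(run))
    return "".join(out)


# Decoders used by the defender-side normalizer.
_JS_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")
_UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]*-")


def _js_unescape(s):
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 8))
    return _JS_ESC.sub(sub, s)


def _utf7_unescape(s):
    def sub(m):
        try:
            return m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return m.group(0)   # not a valid shift sequence; leave the text alone
    return _UTF7_SHIFT.sub(sub, s)


def normalize(s, max_rounds=5):
    """Undo layered encodings until a fixed point, so a filter compares canonical text.

    max_rounds bounds the work an attacker can force with deeply nested encodings.
    """
    for _ in range(max_rounds):
        before = s
        s = _utf7_unescape(_js_unescape(html.unescape(unquote(s))))
        if s == before:
            break
    return s


if __name__ == "__main__":
    sample = "<script>"
    for enc in (entity_encode(sample), entity_encode(sample, 16), url_encode(sample),
                script_encode(sample), script_encode(sample, "octal"),
                utf7_encode(sample), utf7_encode(sample, comprehensive=True)):
        print(f"{enc:45} -> {normalize(enc)}")
```

Base64 is produced but deliberately not reversed by `normalize()`: a browser applies it only in specific contexts (data: URLs, for example), so a filter that blindly Base64-decodes arbitrary text would mangle legitimate input. The UTF-7 case is the one that bites old IE: the server sends text the filter considers harmless, and the browser, having guessed UTF-7, decodes it to markup.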

Heap Spray Wizard
What does it do?
• Sprays your heap with a default payload that runs calc.exe, or provide your own shellcode.
Why?
• Meant to be used with AX tools.
• Configure how much heap memory you want to spray.
• Makes it a one-click process to spray with a working payload.

Html Test Tool
What does it do?
• Renders arbitrary content in the browser under an arbitrary content-type.
Why?
• Different browsers treat different MIME types differently.
• Browsers sniff based on content-type.
• The "Flirting with mime-type" paper by Blake Frantz. Great paper.
• Sanity-check MIME-type behavior.
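The sanity check the slide describes can be partly automated on the server side: compare what a response declares with what a legacy sniffer would see in its first bytes. The block below is an added example, not the Html Test Tool: it inspects constructed response headers and body, flags a missing Content-Type or missing `X-Content-Type-Options: nosniff`, and reports an HTML-looking body served under a non-HTML type. The marker list is a constructed approximation of what old sniffers keyed on, not any browser's actual table.

```python
import re

# Constructed approximation of the markers legacy MIME sniffers looked for in the
# first bytes of a response; not the real table of any browser.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|title|table|img|a\s|div|p\s)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 512   # bytes a sniffer typically examines


def declared_type(headers):
    """Return (lower-cased media type without parameters, lower-cased header dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("content-type", "").split(";")[0].strip().lower(), h


def assess_response(headers, body):
    """List (severity, message) findings about how a browser may treat the response."""
    ctype, h = declared_type(headers)
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    looks_html = bool(HTML_MARKERS.search(body[:SNIFF_WINDOW]))
    findings = []
    if not ctype:
        findings.append(("high", "no Content-Type header; the browser must sniff the body"))
    if not nosniff:
        findings.append(("medium", "X-Content-Type-Options: nosniff is missing"))
    if looks_html and ctype != "text/html":
        if nosniff:
            findings.append(("info", f"HTML-looking body served as {ctype}; nosniff keeps it from rendering"))
        else:
            findings.append(("high", f"HTML-looking body served as {ctype or 'unknown'}; "
                                     "legacy sniffers may render it as HTML"))
    return findings


def is_safe(headers, body):
    """True when no finding is rated high."""
    return all(sev != "high" for sev, _ in assess_response(headers, body))


# Constructed sample: user-supplied text that happens to contain markup.
BODY = b"<html><body><script>/* constructed test body */</script></body></html>"
WEAK = {"Content-Type": "text/plain"}
HARDENED = {"Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED), ("no headers", {})):
        print(name, is_safe(hdrs, BODY), assess_response(hdrs, BODY))
```

The check is a heuristic, which is exactly why the slide calls the browser-side tool a sanity check: only loading the response in each target browser shows what it really does, and this script just tells you which responses are worth that test.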

Web Bug Tool
What does it do?
• Creates a temporary web bug.
• Records hits to a page.
Why?
• Save time by reusing a web bug.

Online Strings
What does it do?
• Extracts Unicode and ASCII strings from binary files.
Why?
• Quick and accessible.
• Thought it was cool :-P

Makes it a one-click operation to map

Again, it's available anywhere with web access.

Nothing surprising, but a fun tool.

Lesson: Don't share photos taken with your phone! j/k

View State Decoder
What does it do?
• Lets you peek at what's inside ViewState data.
Why?
• Demystifies the content of ViewState.
• Shows a tree view of all the property values in ViewState.
• Any server-side sensitive info inside?
• Any questionable property being stored?

Feel free to use it for authorized pen-testing.
• http://zeleet.com/security.htm

Over 20 tools (including bookmarklets)

If you have tools you'd like to see online, please shoot me a mail.
• hidejo@gmail.com

Thanks!
