Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features:-

1. JavaScript - Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.

2. Multiple Environments - The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.

3. Multi-platform - The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.

4. Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.

5. Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool and there are already tones of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

Download Websecurify 0.3

For Mac  |  Windows  |  Linux  |  ZIP File

To know more visit here

This is excerpted from GNU Citizen.  For the blog in it’s entirety, go to VULNERABILITES in SKYPE

Scrivo su hancproject:

Come segnalato dal sempre ottimo pdp, é nata la “House of Hackers“. Si tratta di una community creata da Hacker per Hacker, e supporta lacultura Hacker, il cosidetto “Hacker Mindset”, le ideologie e visioni politiche di hacker, e molto altro. Inoltre si pone come mercato libero per esperti di sicurezza, dove cercare e trovare lavoro. Chiaramente siete tutti invitati a partecipare!

Chiaramente l’invito lo passo a tutti i miei cari lettori.

Another interesting posting by pdp from GnuCitizen: He found an XSS and XSRF flaw in Pownce, however this is not the interesting thing about the article.

What makes it worth reading is pdp’s technique to inject the javascript. Only a field of 16 characters at max is vulnerable as it does not escape the userinput. Any useful attack requires way more than just 16 chars.

What makes the technique work is that below the vulnerable field, there’s another field that takes user input but does in fact correctly escape it. In between the two fields there’s some HTML garbage. By just opening a script tag and a multiline JS comment, all that needs to be done in the second field is closing the comment and writing javascript code that works without using angle brackets or quotes.

As I’m writing this I realize that I’m probably not very good at explaining, so just have a look at the code and you’ll see what I mean:

[html junk]

*/<script>/*

[html junk]

*/document.write(atob(/PHN[...]EtLQ==/.toString().substr(1,56)));/*

[html junk]

By using the eval() function, you can actually execute arbitrarily long base64 encoded javascript.

Picture of small house by Dom Dada