Showing posts with label proxystrike. Show all posts
Showing posts with label proxystrike. Show all posts

Tuesday, April 28, 2009

ProxyStrike Plugins update

Well this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:


Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:

class email_detect(AttackPlugin):
       def __init__(self):
               AttackPlugin.__init__(self,name="email detect",variableSet=False,iface=True,type="tree",fields=["Url","Email"])

               self.emailre=re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+",re.I)

       def process(self,req):
               html=req.response.getContent()
               a=self.emailre.findall(html)
               results=[]
               for i in a:
                       results.append([i])
               if a: 
                       self.putRESULTS([req.completeUrl,results])


You can find more examples inside the plugin folder, just get your copy via subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information in the wiki, and you can follow updates by deepbit in his new blog

Enjoy

-CMM
By - No comments:
Labels: , ,

Tuesday, March 17, 2009

ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.

Right now it has available Sql injection, XSS and Server side includes.

Highlights from this release:
• Plugin engine (Create your own plugins!)
• Automatic crawl process

• Request interceptor
• Request diffing
• Request repeater
• Save/restore session
• Http request/response history
• Request parameter stats
• Request parameter values stats
• Request url parameter signing and header field signing
• Use of an alternate proxy (tor for example ;D )
• Attack logs
• Export results to HTML or XML
* Sql attacks (plugin)
• Server Side Includes (plugin)
• Xss attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:



Great Job from Carlos del Ojo (deepbit) for this new release


-CMM

By - No comments:
Labels: , , ,
Subscribe to: Posts (Atom)

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...

  • Wfuzz 2.1 released !
    I'm pleased to announce  a new version of WFuzz! Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for findi...
  • Scan for shellshock with wfuzz
    In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everyw...
  • Wfuzz 2.2.0 released
    I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...