Htcap – A Web Application Scanner Able To Crawl Single Page Application (SPA) In A Recursive Manner By Intercepting Ajax Calls And DOM Changes

Htcap is a web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes. Htcap is not just another vulnerability scanner since it’s focused on the crawling process and it’s aimed to detect and intercept ajax/fetch calls, websockets, jsonp ecc. It uses its own fuzzers plus a set of external tools to discover vulnerabilities and it’s designed to be a tool for both manual and automated penetration test of modern web applications.It also features a small but powerful framework to quickly develop custom fuzzers with less than 60 lines of python. The fuzzers can work with GET/POST data, XML and JSON payloads and switch between POST and GET. Of course, fuzzers run in parallel in a multi-threaded environment.This is the very first release that uses headless chrome instead of phantomjs. Htcap’s Javascript crawling engine has been rewritten to take advantage of the new async/await features of ecmascript and has been converted to a nodjes module build on top of Puppetteer.More infos at htcap.org.SETUPRequirementsPython 2.7Nodejs and npmSqlmap (for sqlmap scanner module)Arachni (for arachni scanner module)Download and Run$ git clone https://github.com/fcavallarin/htcap.git htcap$ htcap/htcap.pyVIDEODOCUMENTATIONDocumentation, examples and demos can be found at the official website https://htcap.org.Download Htcap

Link: http://feedproxy.google.com/~r/PentestTools/~3/aJgXuqnKFus/htcap-web-application-scanner-able-to.html

Commix v2.7 – Automated All-in-One OS Command Injection And Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.RequirementsPython version 2.6.x or 2.7.x is required for running this program.InstallationDownload commix by cloning the Git repository:git clone https://github.com/commixproject/commix.git commixCommix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!ArchStrikeBlackArch LinuxBackBoxKali LinuxParrot Security OSWeakerthan LinuxCommix also comes as a plugin, on the following penetration testing frameworks:TrustedSec’s Penetration Testers Framework (PTF)OWASP Offensive Web Testing Framework (OWTF)CTF-ToolsPentestBoxPenBoxKatoolinAptive’s Penetration Testing toolsHomebrew Tap – Pen Test Tools Supported PlatformsLinuxMac OS XWindows (experimental)UsageTo get a list of all options and switches use:python commix.py -hQ: Where can I check all the available options and switches?A: Check the ‘usage’ wiki page.Usage ExamplesQ: Can I get some basic ideas on how to use commix?A: Just go and check the ‘usage examples’ wiki page, where there are several test cases and attack scenarios.Upload ShellsQ: How easily can I upload web-shells on a target host via commix?A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the ‘upload shells’ wiki page.Modules DevelopmentQ: Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs?A: You can easily develop and import our own modules. For more, check the ‘module development’ wiki page.Command Injection TestbedsQ: How can I test or evaluate the exploitation abilities of commix?A: Check the ‘command injection testbeds’ wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.Exploitation DemosQ: Is there a place where I can check for demos of commix?A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the ‘exploitation demos’ wiki page.Bugs and EnhancementsQ: I found a bug / I have to suggest a new feature! What can I do?A: For bug reports or enhancements, please open an issue here.Presentations and White PapersQ: Is there a place where I can find presentations and/or white papers regarding commix?A: For presentations and/or white papers published in conferences, check the ‘presentations’ wiki page.Download Commix

Link: http://feedproxy.google.com/~r/PentestTools/~3/mjOk7rQhp2Y/commix-v27-automated-all-in-one-os.html

IoT Report: Major Flaws in Guardzilla Cameras Allow Remote Hijack of the Security Device

Vulnerabilities in indoor security camera allows remote compromise and device takeover The commodification of IoT devices has paved the way to the smart home. Interconnected appliances, intelligent assistants and smart home surveillance are just some applications of the Internet of Things and customers love it. The large number of intelligent, remotely controllable devices has opened […]

Link: https://labs.bitdefender.com/2018/12/iot-report-major-flaws-in-guardzilla-cameras-allow-remote-hijack-of-the-security-device/