Today I discovered an impressive collection of security tools developed and offered for free by iSEC Partners and because I really appreciate any open source effort, I thought at least I could present them.

There are four categories :

• Application Tools
• Infrastructure Tools
• Storage Security Tools
• VoIP (Voice Over IP) Tools

Since the topic of this blog is more application security, I will detail the Application Tools:

• Forensic Fuzzing Tools
  This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems.
• SAMLPummel
  SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems.
• Jailbreak
  Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.
• ProxMon
  ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.
• CyberVillainsCA
  The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included).
• File Fuzzers
  These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers.
• Windows IPC Fuzzing Tools
  This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer.
• WSMap
  WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files.
  • Parses WebScarab logs to find testing targets
  • Tests URLs and implies URLs found in log
  • Tests for WSDL and DISCO web service discovery formats

  As said, these tools are released for free and I’m sure that iSEC Partners will more than happy for any feedback you could provide.

BONUS : I’m very eager to test the "soon to be released" SecurityQA Toolbar, a great testing product for web application security presented as a browser toolbar !

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!