Stompy – Web Session ID Algorithm Analyzer

Ever wondered how random a randomly generated session ID really is? Because a lot of web applications rely on the session ID for all authentication and authorization, knowing the strength of the algorithm behind session ID generation is essential. Michal Zalewski released a new tool precisely for this purpose: Stompy – the session stomper. Get it here: http://lcamtuf.coredump.cx/stompy.tgz

What’s Behind That Flash?

I had to analyze a web application written completely in Flash. The first step is to decompile the .swf file and extract as many resources as possible. There are 3 tools, each of them having pros and cons: Sothink SWF Decompiler (commercial tool, great interface); Swfmill (open source, very flexible); and swf2html from the Macromedia Flash Search Engine SDK.

Security Assessment of Local Applications

SecurityFocus has a story about a new book on testing the security of new applications. Testing Fault Injection in Local Applications proves to be a great resource for describing the local resources and interprocess communication, enumerating the local resources an application depends on, and discussing methods of testing several of those types of resources. Read the full story here: http://www.securityfocus.com/infocus/1886

New Antispyware for Mac OS X

SecureMac.com has released version 2.3 of the Anti-Spyware program for Mac OS X, MacScan. Version 2.3 adds a blacklisted cookie scanner. This feature maintains a list of known tracking cookies, and when run, removes them from web browsers in which they are found. Version 2.3 also adds file cleaning support for additional browsers. Get it at http://macscan.securemac.com/
