Regular updates about Websecurify free and premium website scanners, proxies, fuzzers and insight knowledge about SQL Injection, Cross-site Scripting and other vulnerabilities
Scanner Pause And Resume
If you remember earlier versions of Websecurify Suite, you may also remember that you could pause and resume the Scanner at any point during the scan. Earlier this year we moved to a better, faster testing engine and as a result we stripped away this feature, because it did not make any sense to pause something that finishes quickly anyway. However, due to customer demand, we are bringing the pause and resume feature back. This time it is only available from escapemode.
To pause a scan you simply need to press the ESC key to get into escapemode. The commands you are looking for are conveniently called pause and resume. You can invoke either one of them depending on the current state of the scanner or any other automated tool.
Tests can also be started in a paused mode. Before starting the test, simply enter escapemode and type pause. Start the test as usual. You will notice that it doesn't progress. Enter escapemode again and type resume to resume the test. You may want to combine these commands with the concurrency command to increase/decrease the speed of the scanning engine.
This is it - a short and sweet feature conveniently available from our almighty command console.
When we do penetration tests we often need to convert GET requests to POST requests using the urlencoding or multipart encoding schemes. This, however, is not a trivial task in most instances. This is why we wrote several escapemode commands to help us out.
To start converting between the various possible encoding mechanisms just press the ESC key to enter escapemode. For the complete list of commands type ? or help. The commands that we will need for this exercise are called to_get, to_urlencoded and to_multipart. Each command can take any other type of request as input and convert it into the destination type it corresponds to.
For example, let's take this urlencoded POST request:
    POST http://target/ HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    a=b
...and convert it to a multipart form data POST request. The command that we need is to_multipart. The result of the command is this:
    POST http://target/ HTTP/1.1
    Content-Type: multipart/form-data; boundary=BULP3

    --BULP3
    Content-Disposition: form-data; name="a"

    b
    --BULP3--
As you can see this was super trivial. If we execute the to_get command, we will convert all of this into a GET request, preserving all keys and values. Any type of request can be used as input. It is very flexible and versatile.
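As an added illustration (not Websecurify's own code), the Python below re-implements the three conversions so that the same parameters can be replayed in every encoding when checking that server-side validation treats them alike. The function bodies, the CRLF line endings, the omitted Content-Length header and the merging of URL query parameters with body fields are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CRLF = "\r\n"

def parse_request(raw):
    """Return (url_without_query, [(name, value), ...]) for any of the three request types."""
    head, _, body = raw.replace(CRLF, "\n").partition("\n\n")
    lines = head.split("\n")
    _method, url, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.strip(), keep_blank_values=True)
    elif ctype.startswith("multipart/form-data"):
        boundary = re.search(r'boundary="?([^";]+)', ctype).group(1)
        for part in body.split("--" + boundary)[1:]:
            if part.startswith("--"):  # closing delimiter "--boundary--"
                break
            phead, _, value = part.removeprefix("\n").removesuffix("\n").partition("\n\n")
            params.append((re.search(r'name="([^"]*)"', phead).group(1), value))
    return urlunsplit(parts._replace(query="")), params

def to_get(raw):
    url, params = parse_request(raw)
    query = "?" + urlencode(params) if params else ""
    return f"GET {url}{query} HTTP/1.1{CRLF}{CRLF}"

def to_urlencoded(raw):
    url, params = parse_request(raw)
    return (f"POST {url} HTTP/1.1{CRLF}Content-Type: application/x-www-form-urlencoded"
            f"{CRLF}{CRLF}{urlencode(params)}")

def to_multipart(raw, boundary="BULP3"):
    url, params = parse_request(raw)
    for name, value in params:
        # Refuse fields that would corrupt the multipart framing.
        if boundary in value or '"' in name or "\n" in name:
            raise ValueError(f"field {name!r} cannot be framed with boundary {boundary!r}")
    body = "".join(f'--{boundary}{CRLF}Content-Disposition: form-data; name="{n}"'
                   f"{CRLF}{CRLF}{v}{CRLF}" for n, v in params)
    return (f"POST {url} HTTP/1.1{CRLF}Content-Type: multipart/form-data; "
            f"boundary={boundary}{CRLF}{CRLF}{body}--{boundary}--{CRLF}")

# Constructed sample: the urlencoded request from the text, with CRLF line endings.
SAMPLE = "POST http://target/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\na=b"
```

Converting SAMPLE with to_multipart and back with to_urlencoded returns the original request, which is a quick way to confirm that no key or value was lost.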
Why Do You Need To Do That
The reason we sometimes need to convert the same request into different types is really to enable us to bypass security controls. For example, in PHP applications you can use $_GET or $_POST to retrieve a parameter from the URL or from the body respectively. However, the developer may also choose to use $_REQUEST as a shortcut to both. Therefore, if a check is performed on a $_GET parameter while the value is read through $_REQUEST, and the parameter is submitted in the body of a POST request, the check never sees it and we can bypass the control.
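The mismatch described above, modelled in Python as an added example (not code from the original post), next to a handler that validates the same value it consumes. The superglobals function imitates how PHP fills $_GET, $_POST and $_REQUEST under a request_order of "GP", where POST values override GET values; the handler names and the numeric id check are hypothetical.

```python
from urllib.parse import parse_qsl, urlsplit

def superglobals(url, body=""):
    """Model of PHP's $_GET, $_POST and $_REQUEST for one request (assumption: order "GP")."""
    get = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    post = dict(parse_qsl(body, keep_blank_values=True))
    return get, post, {**get, **post}  # POST entries overwrite GET entries

def is_valid_id(value):
    # Hypothetical control: the id parameter must be purely numeric.
    return value.isdigit()

def handler_mismatched(url, body=""):
    """Flawed pattern: the check reads $_GET['id'], the value used is $_REQUEST['id']."""
    get, _post, request = superglobals(url, body)
    if "id" in get and not is_valid_id(get["id"]):
        return "rejected"
    # When id arrives only in the body, the check above never ran on it.
    return f"used:{request.get('id')}"

def handler_consistent(url, body=""):
    """Corrected pattern: read one explicit source and validate exactly that value."""
    get, _post, _request = superglobals(url, body)
    value = get.get("id")
    if value is None or not is_valid_id(value):
        return "rejected"
    return f"used:{value}"

# Constructed requests: the same unexpected value placed in the URL and in the body.
BAD = "1'"
IN_URL = ("http://target/?id=1%27", "")
IN_BODY = ("http://target/", "id=1%27")
IN_BOTH = ("http://target/?id=1", "id=1%27")
```

Running both handlers over IN_URL, IN_BODY and IN_BOTH shows that only the consistent handler rejects the value wherever it is placed.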
It gets even more interesting when you have to deal with WAFs (Web Application Firewalls). In some situations we can completely bypass the firewall by submitting the request as multipart form data. There are good reasons why, but we will dive into this topic some other time.
So, the possibilities are endless. We believe that you will really enjoy this feature, especially if you do a lot of manual assessments.
Now you can take screenshots of any of the vulnerabilities picked up by the scanners, fuzzers and all other tools from the online Suite. You have no excuse for not taking some hack-selfies.
Using this feature is a relatively straightforward process. If the report picks up some kind of issue, you can simply click on the Screenshot button to get it snapped. Some vulnerabilities like SQL Injection, Cross-site Scripting and others are snapped automatically for you.
On another note, lately we have been doing various improvements in a number of areas. You should see general performance and stability improvements plus improved test coverage. There is no better time to take advantage of the 30% discount on the Classic Pack. This offer will end on 9th September (next Tuesday) so you have to hurry up.
This is a quick update to let you know that Formfuzz is now part of the Classic Pack. All Classic Pack customers are now getting Formfuzz at no extra cost. This is our way of saying "Thank You" for your continuous support.
Now the Classic Pack is complete! Not only do you get all the scanners and auxiliary tools, but also a complete set of fuzzers to test JSON, XML/SOAP and HTML Forms. This is an incredible value and a powerful combination of tools to fit any situation.
Websecurify for iOS is now for free - for real. Last week we experienced a small problem related to the price information not being fully propagated across all stores. The good news is that this is now behind us. Thousands of people have already downloaded the app.
Don't forget to let us know if you have any feedback for us.
Starting from today you get Websecurify for iOS for free. Now you can test your web apps while on the go from your very own mobile.
Keep in mind that although this version is fully functional, it doesn't include the latest testing engine. You can still test for SQL Injection, Cross-site Scripting, Local File Includes and 60 other types of vulnerabilities. If you are looking for up-to-date testing tools, try out the apps from our web security tool market or our security tools exclusive to Mac OS X.