Websecurify

Here you will learn about the latest developments in the web application security space and more.

Changing Suite Concurrency Levels

One of the hidden gems that you will find inside all Suite applications is a feature known as Escapemode. In essence, Escapemode is like the command console in games such as Doom and Quake. When you press the ESC key, you are presented with a drop-down console where you can type various commands. One of these commands lets you reconfigure the default concurrency level in order to speed up testing.


Concurrency Levels In Essence

The concurrency level is the number of simultaneous requests the tool will perform at any given time. The default value is set to 20, meaning that only 20 HTTP requests are fetched simultaneously. This value is deliberately chosen to avoid putting too much load on the targeted application. In some instances, for example when fuzzing, you may want to increase that number in order to get a faster turnaround. This is especially important with large fuzz-sets that produce many combinations. In order to change the concurrency level you simply need to type the following command:

concurrency 100

... which sets the level to 100 concurrent requests. Retrieving the current concurrency level is equally easy: type concurrency without any parameters. This command can even be invoked while a test is in progress.

A Word Of Caution

Although it is trivial to increase the number of concurrent requests a tool makes, you need to be aware of the limitations. Simply put, if an application cannot cope with the load, requests may get dropped or time out. Although our testing engine handles these circumstances gracefully, a set of requests may still not be served normally, and as a result the outcome of the test may be incomplete. This is why we recommend repeating the test, sometimes under different concurrency levels, in order to ensure that you get accurate results.
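As an added example that is not part of the original post, the Python below models what the concurrency level does and why an overloaded target makes a run incomplete: a semaphore bounds the requests in flight against a constructed target that silently stops answering above its capacity, every timeout is recorded as an unevaluated case, and the last helper repeats the batch at lower levels until every request is served. The SimulatedTarget, its capacity of 20, the service time and the client timeout are all constructed for this demonstration.

```python
import asyncio


class SimulatedTarget:
    """Constructed stand-in for the application under test: it serves at most
    `capacity` requests at once and never answers the rest (an overloaded app)."""

    def __init__(self, capacity: int, service_time: float = 0.005):
        self.capacity, self.service_time, self.in_flight = capacity, service_time, 0

    async def handle(self, request_id: int) -> int:
        if self.in_flight >= self.capacity:
            await asyncio.sleep(3600)      # overloaded: the client's timeout fires first
        self.in_flight += 1
        try:
            await asyncio.sleep(self.service_time)
            return 200
        finally:
            self.in_flight -= 1


async def fetch_all(target, request_ids, concurrency: int, timeout: float = 0.5) -> dict:
    """Issue every request with at most `concurrency` in flight, as `concurrency N` does."""
    gate = asyncio.Semaphore(concurrency)
    served, timed_out = [], []

    async def one(rid: int) -> None:
        async with gate:                   # a slot is held until the response arrives
            try:
                await asyncio.wait_for(target.handle(rid), timeout)
                served.append(rid)
            except asyncio.TimeoutError:
                timed_out.append(rid)

    await asyncio.gather(*(one(r) for r in request_ids))
    # Any timeout makes the run incomplete: those test cases were never evaluated.
    return {"served": sorted(served), "timed_out": sorted(timed_out), "complete": not timed_out}


def run_batch(n_requests: int, concurrency: int, target_capacity: int = 20) -> dict:
    target = SimulatedTarget(capacity=target_capacity)
    return asyncio.run(fetch_all(target, range(n_requests), concurrency))


def repeat_until_complete(n_requests: int, start: int, target_capacity: int = 20) -> int:
    """Re-run the batch, halving the level after an incomplete run, until all are served."""
    level = start
    while not run_batch(n_requests, level, target_capacity)["complete"]:
        if level == 1:
            raise RuntimeError("target cannot serve even one request at a time")
        level //= 2
    return level
```

With 200 requests against a capacity of 20, `run_batch(200, 20)` serves everything while `run_batch(200, 100)` loses 80 requests to timeouts, and `repeat_until_complete(200, 100)` settles on level 12.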


Fuzzing With Custom Payloads

Over the past month we have drastically improved both Xmlfuzz and Jsonfuzz - two of our most popular web fuzzers. In particular, we have fine-tuned the default list of payloads to cover as much ground as possible without impacting performance. Now you can use your own payload lists as well.


In order to load a custom payload list, such as those found in FuzzDB, simply click the Load Payloads button and select the file to be used for fuzzing. The fuzzing engine handles the rest automatically. In addition to your payloads, both tools perform some additional fuzzing to find technology-specific vulnerabilities such as XXE (XML External Entity Injection) and more.
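As an added illustration that is not Jsonfuzz's own code, this Python sketch shows what loading a payload list amounts to: a FuzzDB-style one-payload-per-line file is read, every scalar in a JSON request body is treated as an injection point, and one request body is generated per (injection point, payload) combination, with a constructed list of edge values standing in for the tool's built-in technology-specific cases. The payload file, the built-in list and the sample body are all constructed here.

```python
import copy
import json
from itertools import product

# Constructed payload file in the one-payload-per-line layout of FuzzDB lists
# (this stands in for the file picked with the Load Payloads button).
CUSTOM_PAYLOAD_FILE = """\
'
"
<>
%00
"""

# Constructed edge values standing in for the tool's built-in, technology-specific cases.
BUILTIN_JSON_PAYLOADS = [None, "", "A" * 4096, 0, -1, [], {}]

SAMPLE_BODY = '{"user": {"name": "alice", "age": 30}, "tags": ["a", "b"]}'


def load_payloads(text: str) -> list:
    """One payload per non-empty line; whitespace inside a line is significant."""
    return [line for line in text.splitlines() if line.strip()]


def leaf_paths(doc, prefix=()):
    """Yield the path to every scalar in the document: each one is an injection point."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            yield from leaf_paths(value, prefix + (key,))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            yield from leaf_paths(value, prefix + (index,))
    else:
        yield prefix


def fuzz_cases(body: str, payloads) -> list:
    """One request body per (injection point, payload) pair; the rest stays intact."""
    original = json.loads(body)
    cases = []
    for path, payload in product(list(leaf_paths(original)), payloads):
        if not path:                      # the whole body is a single scalar
            mutated = payload
        else:
            mutated = copy.deepcopy(original)
            node = mutated
            for key in path[:-1]:
                node = node[key]
            node[path[-1]] = payload
        cases.append((path, json.dumps(mutated)))
    return cases
```

The sample body has 4 injection points, so 4 custom plus 7 built-in payloads yield 44 request bodies, which is the fuzz-set size the concurrency level is traded off against.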

As usual, your feedback is much appreciated. Do not hesitate to reach out.


Now With Videos

This is just a quick announcement to let you know that we are now embedding video demonstrations in the Suite Market, so that you can get a good idea of what a tool is about before entering into a trial or a subscription.


Not all tools have videos yet, but we are working hard to make it happen. For now you can check out the videos for Retest, Httpview, Xmlfuzz and Jsonfuzz.


Heartbleed Arrives In The Suite

Our mission is not just to create web security tools but to help keep the Web as safe as possible. This is why we have just launched an emergency response tool to detect the presence of Heartbleed across your entire public estate.


The tool is based on the Recon testing engine. Recon uses several techniques to identify related targets by exploring public information such as DNS, search engines, virtual host databases and more. Once targets are discovered, a quick and harmless check is performed to identify whether they are vulnerable to Heartbleed.

This tool is free of charge! We do use our proprietary technology for testing, but we believe that at this time people need as much support as they can get. There are other tools out there that will help you achieve more or less the same result, but as far as we know none of them identify targets automatically. This tool will be a good addition to those, especially when your Web estate is big.

How Stable Is This Tool

This tool was put together in the quickest possible fashion, so expect to see bugs. That being said, the Heartbleed detection is accurate. We will concentrate our efforts on improving the tool in the upcoming days in order to provide as much support as we can.

If you find a bug, please report it and we will fix it as soon as we can. Please don't abuse the service.


Chrome Web Store Integration

Starting from today, you will be able to find all Websecurify Suite tools packaged as hosted apps on the Google Chrome Web Store. This is exciting news, as it takes us even closer to our mission of delivering a cross-platform web application security toolkit, built on a modern technology stack with an almost native user experience.


Websecurify Suite Is A Totally Different Value Proposition

You see, traditional web security tools are mostly static. Once installed, you need to keep them updated. Usually updates do not happen as often as they should, meaning that you will be missing vital features that may be instrumental to the discovery of critical security bugs in the applications you test. Additionally, traditional security tools recreate from scratch what browsers are designed to do anyway, sometimes producing inconsistent behaviour, which leads to many false positives, especially when it comes to client-side bugs.

Websecurify Suite solves these problems in a very neat way. Our tools are in fact modern web applications, delivered over the web but cached locally for offline use. Unlike SaaS (Software As A Service) web security tools, there are no servers involved when testing. All tests are performed from your own browser, leveraging the latest technology available. Unlike desktop security tools, the Suite is always up to date while you are online because of its web roots, and you get more consistent and realistic results because we use an actual browser to discover vulnerabilities.


We call this "the best of both worlds", and now our hosted Chrome applications take this concept even further by abstracting away the web browser that supports everything. All tools are now accessible as normal desktop applications. They even come in their own frame/window, producing the native look and feel you are used to, while still powered by the mix of technology we provide on the web. It is different and we believe it is better.

Getting The Hosted Apps

The easiest way to get the hosted apps for now is to follow the links outlined here: Scanner, Recon, Httpview, Formfuzz, Jsonfuzz, Xmlfuzz, Retest, Resend and others. As the Chrome Web Store integration matures, you should be able to discover the apps naturally via the Web Store search facilities and the related section in the app details. Links will also be available on the Suite Market.

We are looking forward to seeing how the apps develop. Let us know what you think.


Landing TeslaStorm

We are very proud to announce our latest application security solution, called TeslaStorm. In recent months our team collaborated with the engineers from Tesla Motors to create the ultimate electric car, targeted at information security enthusiasts and professional penetration testers.


TeslaStorm is an all-in-one web application security testing system available from the comfort of your car. Now you can complete your penetration tests before you even arrive at your clients' premises. Combined with the ease of use of our security toolkit, Tesla cars have now become the ultimate sidekick for every infosec professional. Once you step inside the car, TeslaStorm will make you feel like Michael Knight, only in the digital world.

Available Tools

TeslaStorm comes with the full suite of tools. You will be able to do scanning, fuzzing, replaying requests and observing responses when you are not driving, and much more. There is even a direct link to our online Suite, where you will be able to get the latest updates and purchase more tools in order to make your car the ultimate cyber weapon that has ever existed.

Now you have no excuse not to try your luck against the hundreds of Bug Bounty programs while you are stuck in a traffic jam. For more information and to subscribe for a trial, just get in touch.
