Regular updates about Websecurify free and premium website scanners, proxies, fuzzers and insight knowledge about SQL Injection, Cross-site Scripting and other vulnerabilities

Shellshock Enhancements

The Websecurify Shellshock Scanner was one of the very first tools to detect CVE-2014-6271 and CVE-2014-7169 (and many others). We published this automated scanner, free of charge because we had a moral responsibility towards everyone at a moment of crisis. Today, we want to let you know that not only the Shellshock Scanner is alive and well but also that it has been enhanced to discover the bash bug even deeper into the target application structure.

shellshock screenshot

You may be wondering what is so different about our scanner. Why is it any better than the tools provided by other vendors? We have prepared a small FAQ for you that answers these types of questions.

How Does It Work?

The Websecurify Shellshock Scanner employs 3 types of generic shellshock tests. These tests are executed at every step during the application discovery and enumeration stages using our spidering and recon technologies. In addition to that we check for a large list of well-known CGI files and folders. All of this boils down to a very thorough detection engine capable of discovering the bug very deep into the application structure.

Most, if not all, shellshock scanners out there will only check for common CGI files and folders completely missing out opportunities elsewhere. We cannot allow to not be able to detect a critical vulnerability, such as Shellshock, and this is why we take so many steps in addition to the basic checks.

What Can I Test?

All public Shellshock scanners, except the Websecurify Shellshock Scanner, will not be able to discover Shellshock on none-public networks. In other words, those scanners only are able to test for stuff that are available publicly.

The Websecurify Shellshock Scanner employs our client-side security testing technology directly from your own web browser. This means that you can effectively use the scanner to discover vulnerabilities in anything that your browser can reach, including local virtual machines, docker containers, local network services, services in different firewall zones, stuff behind bastion hosts, VPN and more.

This is only possible because our client-side technology. You can read more about it in our online series Websecurify Vs. The World.

Is Shellshock Dead Already?

Although there is a huge effort to patch all vulnerable bash instances it is important to note that this bug is so wide-spread that you can never be 100% sure. Using the Websecurify Shellshock Scanner is the only way to ensure that you are not vulnerable in a fully automated, black-box fashion. There is simply no other tool out here that will provide the same level of coverage for free and with the ease of use as our scanning and testing technology.

Encoder Enhancements

The Encoder is an easy to use encoder/decoder tool which allows you chain multiple transformations in a single go. We are excited to announce that now Encoder supports Data URI transformation step among many other minor improvements.

encoder screenshot

To start using Encoder simply navigate to the market and click on the "Open" button. In order to share your transformation with colleagues and clients simply use the sharing options. It is really that easy.

The Survey

We want you to be part of our survey and have a chance to be among the lucky 100 to have free, unlimited access to all our tools for 180 days. All you have to do is to fill out the the form and leave your email address. Btw, even if you don't want to give your email address you can still fill the form to boost your good karma.

the survey logo

If you have been using Websecurify Suite, I want to ask you if you can fill out the survey. It is a bit of fun but we also take this very seriously. We will appreciate if you can be as honest as possible and we don't mind if you are even brutally honest. The winners will be contacted on 17th November.

No characters were harmed in the making of this survey.

Latest Updates From Our HQ

We've been working hard to deliver the recent round of updates. In this blog post I will summarize all of them as much as I can starting with the work that we recently did on our web application security testing engine, a.k.a Sparta.


As you may be aware, Sparta is our in-house developed web application security testing engine. Sparta is the core of our web security testing technology and it is part of almost every product. Because it is such a vital piece we invested a lot of time to make it the best it can be during the recent round of updates. Here are some of the main changes:

  • Shellshock testing suite.
  • Asynchronous testing improvements.
  • Fuzz-testing performance improvements.
  • Improved spider capabilities, depth limits, FORM generation limits and more.
  • Request mutation capabilities, GET to POST-urlencoded, POST-multipart and more.

All these improvements are hidden under the UI so you will probably never see them but you may have already experienced the significant performance enhancements that we delivered in the Suite. All of these are due to the core-engine enhancements.

Online Suite

The online Suite is getting better and better with every single release. We are very agile, sometimes delivering 1-2 updates per update. Here is a summary of some of the main changes that we recently delivered in the Suite:

New Apps

  • WPScanner - WordPress Security Scanner
  • Encoder - online encoder decoder supporting Base64, MD5, SHA1, Hex and more.
  • Shellshock - #shellshock scanner capable of detecting all Shellshock variants.

New Features

  • Editor themes.
  • Mac App listings.
  • Escapemode configuration.
  • Improved application architecture - i.e. better tools.
  • Converting from GET to POST (urlencoded, multipart) and vice versa.
  • Scanner, Foundation, WPScanner testing scope extended limit options.
  • FORMFuzz, JSONFuzz and XMLFuzz now have additional options to allow you to configure every aspect of the fuzz.

WebReaver For Mac

We are very happy to announce that WebReaver was updated to version 1.1. This update should come along at some point next week. The main change is the actual testing engine. It should fix some issue in the earlier version. I just want to open a bracket and mention that we are fully committed to make this tool the best on Mac OS X. This means that we will be rapidly delivering WebReaver updates in the upcoming months. Meanwhile, if you experience any problems, just get in touch.

The upcoming months will be very exciting to us. There are many features currently in the pipeline so stay tuned.

Haxor Lands In Hollywood

We are very excited to announce the official Mac App Store release of Haxor. This app puts you in the shoes of the hacker who wrote the infamous Blaster worm for your thrill and amusement. All you have to do is to type your way into 1337n3$$.

It is not well know fact but Haxor has been used by Hollywood to make some of the hacking scenes. We know they are not real but sure they look more exciting than a guy sifting through the console output for hours.

The video above is not produced by Hollywood but it comes very close. This video is made by Santi Araujo (@santiaraujo) from Con├ęctica. Thanks Santi! It was his own initiative and the end result is awesome.

Obviously Haxor was made just for fun. To keep it real, use our web application security testing tools.

Shellshock Scanner Video

In the following video you can see how easy it is to detect the presence of Shellshock (a.k.a bash bug, CVE-2014-6271, CVE-2014-7169) with our free online scanner, conveniently called Shellshock. Unlike other similar tools, the Websecurify Shellshock Scanner is client-side only, meaning that you can even use it to discover bugs in localhost and apps behind the corporate firewall. It is the best tool for the job.

The Shellshock scanner is 100% free and it is part of our continuous effort to make the Web a safer place. This tools was created in the same spirit as our Heartbleed Scanner we published several months back.

Shellshock is the best tool because it is easily accessible (just type a url) and there are no limitations to what you can test. You want to test an app that you are currently running in a VM? Sure! You want to test for a range of apps inside the corporate network. No problemo! The Shellshock scanner utilizes several detection strategies and as far as we can tell it has the best coverage from all the tools we have seen.

Do not hesitate to get in touch if you have any feedback for us or if you are lost. We are always happy to help.