Websecurify

Regular updates about Websecurify free and premium website scanners, proxies, fuzzers and insight knowledge about SQL Injection, Cross-site Scripting and other vulnerabilities

Proxy.app Version 1.9 Is Out

The Websecurify team is very proud to announce that Proxy.app version 1.9 is officially out.

What Is New In 1.9

The first thing you will notice is that you can now download the ProxyHelper app, which is distributed outside of the Mac App Store. The ProxyHelper provides some essential features, such as the ability to auto-configure system proxy settings and to filter proxy connections based on process information. This alone makes Proxy.app very powerful and easy to use, because you can get started quickly and proxy only the processes you specifically select.

Second, we shipped Proxy.app with web views for both HTTP requests and responses. The web view can not only render HTTP responses the way your browser does, but it also provides syntax highlighting and formatting options for some common formats such as XML and JSON. Additionally, the web view can be used to preview any audio/video resources.

Next, the "captures" sidebar contains several default items that will help you get started capturing requests only from selected applications, such as the most common browsers. This feature is especially useful when you use Proxy.app as the default system proxy. In this mode, typically all HTTP/HTTPS requests will be captured, which is often not the intention. With the default capture groups you can proxy only the applications you really want and ignore everything else, leaving your system fully functional.

Last but not least, this version contains several performance and stability improvements. In particular, we spent a lot of time hunting down future performance issues to get it ready for the next version of OS X. The user interface is also streamlined in several areas.

Your Feedback

As usual, let us know what you think and whether you would like to see certain features in the next version. We are trying to accommodate as many of the requests as possible, and the best way to approach us is to get in touch rather than sending a request in the form of a review on the Mac App Store. This way we can at least respond to your queries.

Last but not least, we would appreciate it if you could rate Proxy.app on the Mac App Store.

We Will Ship With JSON Support

This is a quick post just to let you know that the next version of Proxy.app, which we are planning to release next week with the blessing from Apple, will also contain features that will make working with JSON a breeze.

Screenshot 01

The JSON support comes in two ways. First, we can now render JSON in a formatted view that you can use to explore tree structures with collapsible/expandable nodes. Second, any escaped Unicode text will be rendered properly. As you can see from the screenshot above, the last node is rendered as "тихо" instead of "\u0442\u0438\u0445\u043e", which in our opinion is a much better representation. Of course, you can always go back and preview the original text.

The next version is just going to be awesome and feature-packed. Not only have we improved the preferences, added a web view for rendering the responses in an actual browser, and properly formatted XML and JSON, but we are also shipping with our helper tool, which will enable you to auto-configure proxy settings and proxy only selected processes.

Blast From The Past - Websecurify Suite

Some of you may remember that Websecurify Suite started as a simple collection of tools - what is now known as the Classic Pack. The following screenshot shows what the UI used to look like before we implemented the Web Application Security Tool Market.

Screenshot 01

There are still some people within the team who prefer the earlier version, although you get a lot more flexibility now.

Pushing The Boundaries

Today we received a confirmation from Apple that version 1.8 of Proxy.app passed all checks and is now available on the App Store. This version is fundamental to what we are planning to do next, which is to introduce some cutting-edge features that will make Proxy.app one of the best proxy tools on Mac OS X. Needless to say we are very happy.

Besides the normal UI changes, bug fixes and performance improvements, we shipped the tool with the temporary-exception.mach-lookup.global-name entitlement. This special entitlement essentially allows Proxy.app to communicate with our privileged helper tool, which we will distribute outside of the App Store. The helper tool provides two essential capabilities: the ability to apply global proxy settings and the ability to query process information.

The first capability is going to make your life so much easier because it will remove the need for you to apply the proxy settings manually. Your system will be readily configured as soon as you launch the proxy.

The second capability is going to introduce a nifty feature that will help you query all collected HTTP transactions by process name and also allow you to filter traffic with capture groups. This is really going to change things for a lot of people.

What Are Captures

Captures, or Capture Groups as we like to call them, are a mechanism inside the proxy engine that decides on the spot which requests need to be proxied and observed and which requests should be proxied but left alone. This difference may look subtle but it is essential.

Let's consider the situation where we have installed Proxy.app as the System Proxy and are collecting data from Google Chrome. Unfortunately, because we have installed a system proxy, not only Google Chrome will be proxied but also all other applications such as iCal, Mail.app, etc. Typically we do not want that, not only because our proxy session will be cluttered with non-essential traffic but also for convenience. Not all applications will be readily configured to accept the SSL certificates Proxy.app generates in order to observe SSL traffic, and as a result you will get various warnings and some applications may even stop working altogether.

With the help of captures we can decide what traffic we would like to capture and what should be proxied but left alone. The result of this is that we have a much more coherent proxy that works with your system, not against it.

Process Information

Captures typically work with the host and the port, which is the only information we can obtain before the proxy enters a more aggressive mode. Typically this information is enough, although not perfect. With the ability to query process information, provided by our helper tool, we can now capture based on process name too. For example, we can capture all traffic from browsers but ignore traffic from the rest of the system. This is indeed very powerful.

The upcoming version of Proxy.app will not only provide those capabilities but also come with a default list of captures that you will be able to turn on and off as you desire. The first default capture group that we have planned for the upcoming release will allow you to observe only traffic from particular browsers or from all browsers together. We are also thinking about how to use this feature to provide easier means for capturing traffic from the iOS simulator and other tools that we need to proxy frequently.
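The capture decision described above, sketched as an added example (this is not Proxy.app's code): each connection is checked against the enabled groups by host, port and, when available, process name, and anything unmatched is relayed but not observed. The type names, rule fields and sample connections are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
)

// Conn is what the proxy knows before deciding. Process is "" when no helper
// supplies it, in which case a process rule can never match.
type Conn struct {
	Host, Process string
	Port          int
}

// CaptureGroup is a hypothetical rule; an empty field matches anything.
type CaptureGroup struct {
	Name, HostGlob string
	Enabled        bool
	Ports          map[int]bool
	Processes      map[string]bool
}

func (g CaptureGroup) matches(c Conn) bool {
	if ok, _ := path.Match(g.HostGlob, c.Host); g.HostGlob != "" && !ok {
		return false
	}
	return (len(g.Ports) == 0 || g.Ports[c.Port]) &&
		(len(g.Processes) == 0 || g.Processes[c.Process])
}

// Decide returns the first enabled group that matches; no match means the
// connection is still relayed but left alone (not observed).
func Decide(groups []CaptureGroup, c Conn) (observe bool, group string) {
	for _, g := range groups {
		if g.Enabled && g.matches(c) {
			return true, g.Name
		}
	}
	return false, ""
}

func main() {
	groups := []CaptureGroup{ // constructed rules
		{Name: "browsers", Enabled: true, Processes: map[string]bool{"Google Chrome": true, "Safari": true}},
		{Name: "test-site", Enabled: true, HostGlob: "*.example.test", Ports: map[int]bool{443: true}},
	}
	conns := []Conn{ // constructed sample connections
		{Host: "www.example.org", Process: "Safari", Port: 443},
		{Host: "imap.example.org", Process: "Mail", Port: 993},
	}
	for _, c := range conns {
		observe, g := Decide(groups, c)
		fmt.Printf("%s:%d (%s) observe=%v group=%q\n", c.Host, c.Port, c.Process, observe, g)
	}
}
```

Without process information only the host and port rules can match, which is the limitation the helper tool is meant to remove.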

Enter The Sandbox

While it is somewhat easy to find out what process connects to what on your system, this requires elevated privileges. If Proxy.app were distributed outside of the App Store, we would have bundled the features already. However, because our main distribution channel is the App Store for the time being, we had to come up with a workaround.

The workaround comes in the shape of an external service provided by our helper tool. Proxy.app will work as normal without the helper, but if you install it you will get all of these great features.

So, as you can see the upcoming release is very exciting.

Proxy.app Now With WebView And A Debugger

This is just a quick note to let you know about a feature that recently landed in Proxy.app. The short story is that in the upcoming version you will not only be able to preview the response in an actual browser (unlike the poor HTML rendering imitations you get with Java-based proxies) but you will also be able to fully introspect the response in the built-in Safari web debugger.

This opens up quite a few interesting use cases. For example, in the past you would typically go through the responses gathered by the proxy without paying much attention to how individual pages are constructed and what the relationship between the different requests is. Once the response is recorded, this information is lost. However, with the introduction of the WebView and the debugger, we can recover the actual application state at the time of the recording. We can take this concept even further by swapping access to resources which were recorded by the proxy before or after the request was made.

It is too early to say how this will shape up in the future; however, it is fair to say that it is certainly pushing the boundaries of what is possible today. We are currently awaiting approval from Apple. Once the version is through we will make this feature available to everyone.

Dir Bruteforcer In Go That Doesn't Work

This afternoon we had an interesting discussion on Twitter about whether we should publish our native Mac OS X directory brute forcing tool. The general consensus is that that sort of thing has already been done, although not natively on OS X. So, for practical reasons, we thought that before we release anything that will require some support from us, we should come up with the simplest possible bruteforcer that is as efficient as it can get natively.

Naturally we chose Go for the job. We knocked the tool together in 5 minutes. The following snippet is the actual bruteforcer. The reason it doesn't work is that, while it performs well in simple cases, on much larger and more complex tasks it will fail miserably with a lot of stack exceptions. To use the tool you need to replace the target with your own and pipe the word dictionary to stdin.

package main

// ---

import (
    "os"
    "log"
    "fmt"
    "sync"
    "bufio"
    "net/http"
)

// ---

func index(wg *sync.WaitGroup, prefix string, suffix string, count int) {
    defer wg.Done()

    // ---

    url := fmt.Sprintf("%s/%s/", prefix, suffix)

    // ---

    resp, err := http.Get(url)

    // ---

    if err != nil {
        if (count > 0) {
            wg.Add(1)

            // ---

            go index(wg, prefix, suffix, count - 1)
        }

        // ---

        return
    }

    // ---

    fmt.Printf("%s - %s\n", url, resp.Status)
}

// ---

func main() {
    target := "http://www.google.com"
    count := 3

    // ---

    var wg sync.WaitGroup

    // ---

    scanner := bufio.NewScanner(os.Stdin)

    // ---

    for scanner.Scan() {
        wg.Add(1)

        // ---

        go index(&wg, target, scanner.Text(), count)
    }

    // ---

    if err := scanner.Err(); err != nil {
        log.Fatal(err)
    }

    // ---

    wg.Wait()
}

// ---

This can be fixed in several ways but we've decided to leave it to the community to pick it up and do whatever they wish. Projects like DirBuster are no longer active so there is a good opportunity for someone else to enter the security tool development game.
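One way to remove the failure mode described above, shown as an added example rather than code from the original post: a fixed pool of workers replaces the goroutine-per-line design, and retries loop inside the worker instead of spawning another goroutine. RunBounded and the simulated work function are hypothetical stand-ins, and nothing here touches the network.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// RunBounded (hypothetical helper) feeds items to a fixed pool of workers and
// returns the items that failed the first attempt and every retry.
func RunBounded(items []string, workers, retries int, fn func(string) error) (failed []string) {
	var mu sync.Mutex
	var wg sync.WaitGroup
	jobs := make(chan string)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for item := range jobs {
				err := fn(item)
				// Retry in place: a failing item never creates a new goroutine.
				for n := 0; err != nil && n < retries; n++ {
					err = fn(item)
				}
				if err != nil {
					mu.Lock()
					failed = append(failed, item)
					mu.Unlock()
				}
			}
		}()
	}
	for _, item := range items {
		jobs <- item // blocks while every worker is busy (backpressure)
	}
	close(jobs)
	wg.Wait()
	return failed
}

func main() {
	items := []string{"alpha", "beta", "gamma", "delta"} // constructed input
	failed := RunBounded(items, 2, 3, func(s string) error {
		if s == "delta" {
			return errors.New("simulated failure")
		}
		return nil
	})
	fmt.Println("failed after retries:", failed)
}
```

Whatever the real work function opens per item must also be released there; the original snippet, for instance, never closes resp.Body, so open connections pile up alongside the goroutines.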

Let us know what you think.
