Websecurify

Regular updates about Websecurify free and premium website scanners, proxies, fuzzers and insight knowledge about SQL Injection, Cross-site Scripting and other vulnerabilities

Hacking Like a Pro with Websecurify Arena

We have just pushed another awesome tool to our online Suite and it is called Arena. This tool allows you to quickly try various things in JavaScript and do powerful text transformation such as encoding, encryption, etc. Let's start by launching the tool by visiting https://suite.websecurify.com/arena.

The web interface is self-explanatory just like all other tools. The left-hand side is the javascript interactive shell, while the right-hand side is a free-text area for anything else. The whole tool evolves around these two elements.

To show how all of this works, let's perform simple base64 encoding of some arbitrary text. We will paste the text in the right-hand side and we will use the interactive console to perform the text transformation. The following screenshot shows exactly this.

In order to perform the text transformation we use the following command: editor = btoa(editor). This command instructs the interactive shell to assign to the editor the base64 encoded string of the text that was in the editor before the conversion. The result of this is shown on the screenshot bellow.

This was relatively straight-forward but we can do so much more. How about doing url encoding of the following expression: last + ':whatever'? The special variable "last" points to the result of the previous expression in the console. In order to url-encode the whole thing we simply type the following expression: editor = encodeURIComponent(last + ':whatever').

The right-hand side editor also supports syntax-highlighting. It supports everything from standard programming and scripting languages to JSON, HTML, CSS, XML, even HTTP Requests and Responses. This is especially useful with structured data because we want all important information to standout.

To enable certain syntax-highlighting mode we need to type: mode = '<mode name here>'. The following two screenshots show JSON data displayed with and without syntax-highlighting enabled.

...after: mode = 'javascript'...

I hope you enjoyed this gentle introduction to our new addition to the online Suite. It is a tool which can go long way in custom and very specialized penetration tests. We will be posting more interesting use-cases soon so get the blog feeds or just follow us on twitter.

pdp

Petko D. Petkov (pdp), is founder of Websecurify and frontman of the GNUCITIZEN Information Security Think Tank. pdp is a recognized information security researcher, security tools developer, penetration tester, frequent speaker at industry events, and published author who has contributed to several best-selling books in the field of information security.

Comments Powered ByDisqus