
This collection of free application security tools released by iSEC Partners includes web security tools, web service scanning tools, file fuzzers, Windows IPC fuzzers, and SSL/TLS testing tools.

Application Security Tools

Thursday, Oct 27 2011

iSEC Partners Releases SSLyze

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols for securing network communications. As costs fall and users' expectations of security and privacy rise, companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have made news headlines, drawing attention to weak configurations and the need to avoid them. Server misconfigurations have also long inflated the overhead attributed to SSL, slowing the transition to better communications security.

To help improve server configurations, iSEC is releasing the free “SSLyze” tool. We have found it helpful for analyzing the configuration of SSL servers and for identifying misconfigurations such as support for outdated protocol versions, weak hash algorithms in the trust chain, insecure renegotiation, and poor session resumption settings.

SSLyze is a stand-alone Python application that looks for classic SSL misconfigurations, while letting advanced users extend it through a simple plugin interface. It currently supports the following features:

  • Insecure renegotiation testing
  • Scanning for weak ciphers
  • Checking for SSLv2, SSLv3 and TLSv1 support
  • Server certificate information dump and basic validation
  • Session resumption support and measurement of the actual resumption rate
  • Support for client certificate authentication
  • Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help users identify server configurations vulnerable to THC's recently released SSL DoS attack (http://www.thc.org/thc-ssl-dos/) by checking whether the server supports client-initiated renegotiation. For more information on testing for client-initiated renegotiation, see: http://code.google.com/p/sslyze/wiki/ThcSslDOS
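The protocol-level checks described above can be illustrated with a small probe, added here as an example and not code taken from SSLyze itself. It hand-builds a ClientHello that offers a single protocol version (plus the RFC 5746 signalling cipher suite), sends it, and classifies the reply: a ServerHello means the server accepts that version, and a renegotiation_info extension in the ServerHello means the server implements secure renegotiation, while an alert means the version was refused. The cipher list, the `VERSIONS` table and the `build_server_hello` helper are the example's own (the helper only constructs offline sample input); `probe` talks to a real host and is not exercised offline.

```python
import os
import socket
import struct

# Protocol versions as they appear on the wire (example's own table; SSLv2
# uses a different record format and is deliberately not covered here).
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# A small RSA cipher list plus TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF),
# the RFC 5746 signalling suite that asks for secure renegotiation.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x00FF]
RENEG_INFO_EXT = 0xFF01


def build_client_hello(version, cipher_suites=CIPHER_SUITES):
    """One handshake record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", version)
            + os.urandom(32)                          # client random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def build_server_hello(version, cipher_suite, secure_renegotiation):
    """Constructed ServerHello, used only as offline sample input for the parser."""
    ext = (struct.pack("!HH", RENEG_INFO_EXT, 1) + b"\x00") if secure_renegotiation else b""
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty sid
            + struct.pack("!H", cipher_suite) + b"\x00"          # chosen suite, null compression
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sent back to our ClientHello."""
    if len(data) < 5:
        raise ValueError("record too short")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rec_len]
    if ctype == 0x15:                                 # alert: version refused
        return {"accepted": False, "fatal": payload[0] == 2, "alert": payload[1]}
    if ctype != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("unexpected record (type %d)" % ctype)
    hlen = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hlen]
    version = struct.unpack("!H", body[:2])[0]
    off = 35 + body[34]                               # skip random and session id
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    off += 3                                          # cipher suite + compression method
    secure_reneg = False
    if off + 2 <= len(body):                          # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off, end = off + 2, off + 2 + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            if etype == RENEG_INFO_EXT:               # RFC 5746 secure renegotiation
                secure_reneg = True
            off += 4 + elen
    return {"accepted": True, "version": version,
            "cipher_suite": cipher_suite, "secure_renegotiation": secure_reneg}


def _recv_record(sock):
    """Read exactly one TLS record (5-byte header plus fragment) from the socket."""
    header = b""
    while len(header) < 5:
        chunk = sock.recv(5 - len(header))
        if not chunk:
            raise ConnectionError("server closed the connection without replying")
        header += chunk
    rec_len = struct.unpack("!H", header[3:5])[0]
    frag = b""
    while len(frag) < rec_len:
        chunk = sock.recv(rec_len - len(frag))
        if not chunk:
            raise ConnectionError("server closed the connection mid-record")
        frag += chunk
    return header + frag


def probe(host, port, version, timeout=5.0):
    """Offer a single version to host:port and report what the server did."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        return parse_server_response(_recv_record(sock))


if __name__ == "__main__":
    import sys
    for name, ver in VERSIONS.items():
        try:
            print(name, probe(sys.argv[1], 443, ver))
        except (OSError, ValueError) as exc:           # servers often just drop SSLv3
            print(name, "error:", exc)
```

Run it as `python probe.py example.org` to see which versions a server accepts and whether its ServerHello carries renegotiation_info. Two caveats: a missing extension tells you the server does not implement RFC 5746 secure renegotiation, not whether it will accept a client-initiated renegotiation at all (the precondition for the THC DoS); answering that requires completing the handshake and then sending a second ClientHello over the established connection, which this snippet does not do. And a server that does not support an offered version may simply close the socket instead of sending an alert, which surfaces here as a `ConnectionError`.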

The project is hosted on Google Code at the following URL: http://code.google.com/p/sslyze/

Thanks and we hope our tool helps you quickly discover SSL issues in your environment!

  • Alban Diquet
  • Aaron Grattafiori

Note: for questions or comments about the tool, please email sslyze@isecpartners.com.

Monday, Jul 26 2010

WebRATS

WebRATS is a homage to RATS (originally created by Secure Software), a tool that scans code, flags the use of dangerous APIs and other identified hazards, and suggests secure coding alternatives. WebRATS is intended for today's web-enabled, distributed development methodologies and was designed to integrate transparently into ordinary code review in modern web browsers. Adding a few lines of script to the code review web application is enough to have security-sensitive API usage highlighted, in a style similar to inline spell checking, with the risks and suggested alternatives shown in mouseover tooltips.

Organizations that already use a web-based code review tool can add WebRATS to provide ambient security information to developers exactly when and where it is most useful: while they are already in the mindset and process of reviewing code and fixing bugs.

WebRATS.zip
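To make the RATS-style idea concrete, here is an added example (not WebRATS's own code or its hazard database) of the scanning core such a tool needs: a small table of dangerous C APIs with a risk note and a safer alternative, a scanner that finds calls to them while ignoring same-line comments, and a renderer that wraps each hit in a `<span title="...">` so a browser shows the risk as a mouseover tooltip. The `HAZARDS` table and the `SAMPLE_C` snippet are constructed for the example.

```python
import html
import re
from dataclasses import dataclass

# Constructed hazard table in the spirit of RATS: api -> (risk, suggestion).
HAZARDS = {
    "strcpy":  ("Unbounded copy; classic buffer overflow",
                "Use strlcpy or strncpy_s with the destination size"),
    "strcat":  ("Unbounded concatenation",
                "Use strlcat or track the remaining space explicitly"),
    "sprintf": ("No length limit on formatted output",
                "Use snprintf with the destination size"),
    "gets":    ("Reads an unbounded line into a buffer",
                "Use fgets with a size, or getline"),
    "system":  ("Shell command injection if any argument is attacker-influenced",
                "Use execve with an argument vector and no shell"),
}

# Constructed sample input: a C function with two hazards on lines 6 and 8.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);              /* unbounded copy */
    char out[128];
    sprintf(out, "Hello %s", buf);
    printf("%s\\n", out);
}
"""

_COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/")


@dataclass
class Annotation:
    line: int        # 1-based line number
    col: int         # 0-based column where the API name starts
    api: str
    risk: str
    suggestion: str


def _blank_comments(line):
    """Replace same-line comments with spaces so columns stay valid.
    Multi-line block comments are not tracked in this example."""
    return _COMMENT_RE.sub(lambda m: " " * len(m.group(0)), line)


def scan(source, hazards=HAZARDS):
    """Return one Annotation per call to a hazardous API, in source order."""
    # \b keeps my_strcpy( from matching; \s*\( requires an actual call.
    call_re = re.compile(r"\b(" + "|".join(re.escape(n) for n in hazards) + r")\s*\(")
    found = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for m in call_re.finditer(_blank_comments(raw)):
            risk, fix = hazards[m.group(1)]
            found.append(Annotation(lineno, m.start(1), m.group(1), risk, fix))
    return found


def annotate_html(source, hazards=HAZARDS):
    """Escape the source and wrap each hit in a span whose title is the tooltip."""
    by_line = {}
    for a in scan(source, hazards):
        by_line.setdefault(a.line, []).append(a)
    out = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        pos, parts = 0, []
        for a in by_line.get(lineno, []):
            parts.append(html.escape(raw[pos:a.col]))
            tip = html.escape(f"{a.risk}. {a.suggestion}", quote=True)
            parts.append(f'<span class="webrats" title="{tip}">{html.escape(a.api)}</span>')
            pos = a.col + len(a.api)
        parts.append(html.escape(raw[pos:]))
        out.append("".join(parts))
    return "\n".join(out)


if __name__ == "__main__":
    for a in scan(SAMPLE_C):
        print(f"line {a.line}, col {a.col}: {a.api}() - {a.risk}. {a.suggestion}")
```

The HTML output is what a browser-side script would splice into the review page's code view; the CSS for the `webrats` class (a wavy underline, say) and the hook into a particular review tool are left out since they depend on that tool's markup.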

Monday, Jul 26 2010

Gizmo

Gizmo is a graphical web proxy written in Java. It is designed to be fast, with a user interface centered on keyboard use. It should do what you want and then get out of your way.

Pre-Requisites: Java 1.6

Download Gizmo from Google Code.

Monday, Jul 26 2010

HTTP Profiler

HTTP Profiler (httprof) is a simple program that summarizes packet traces of HTTP traffic to highlight performance problems caused by excessive network traffic.

Many web sites and applications cost more than they should because of unoptimized network behavior. The original goal of httprof was to help people see that, of all the costs their application incurs, the cost of TLS or SSL (HTTPS) is relatively small. It is useful for network profiling in general, however.

Prerequisites:

  • Python, plus either Wireshark or tcpdump to capture the traces
  • some Python modules (Cheetah; pywin32 on Windows)

Operating systems:

  • Windows
  • Unix/Linux
  • Mac OS X

Download HTTP Profiler from Google Code.

Monday, Jul 26 2010

Fuzzbox

Fuzzbox is a multi-codec media fuzzer.

Prerequisites:

  • Python
  • py-vorbis 1.4
  • mutagen 1.11

fuzzbox.tar.gz