Tor Browser 4.0 - Everything you need to safely browse the Internet

 The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek's performance to match other transports, though. so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

• All Platforms
  • Update Firefox to 31.2.0esr
  • Update Torbutton to 1.7.0.1
    • Bug 13378: Prevent addon reordering in toolbars on first-run.
    • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
    • Bug 13138: ESR31-about:tor shows "Tor is not working"
    • Bug 12947: Adapt session storage blocker to ESR 31.
    • Bug 10716: Take care of drag/drop events in ESR 31.
    • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
  • Update Tor Launcher to 0.2.7.0.1
    • Translation updates only
  • Udate fteproxy to 0.2.19
  • Update NoScript to 2.6.9.1
  • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
  • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
  • Bug 13356: Meek and other symlinks missing after complete update.
  • Bug 13025: Spoof screen orientation to landscape-primary.
  • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
  • Bug 13318: Minimize number of buttons on the browser toolbar.
  • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
  • Bug 13023: Disable the gamepad API.
  • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
  • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
  • Bug 13186: Disable DOM Performance timers
  • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
  • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

• All Platforms
  • Update Firefox to 31.2.0esr
  • Udate fteproxy to 0.2.19
  • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
  • Update NoScript to 2.6.9.1
  • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
    • Bug 13378: Prevent addon reordering in toolbars on first-run.
    • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
    • Bug 13138: ESR31-about:tor shows "Tor is not working"
    • Bug 12947: Adapt session storage blocker to ESR 31.
    • Bug 10716: Take care of drag/drop events in ESR 31.
    • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
  • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
    • Bug 11405: Remove firewall prompt from wizard.
    • Bug 12895: Mention @riseup.net as a valid bridge request email address
    • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
    • Bug 11199: Improve error messages if Tor exits unexpectedly
    • Bug 12451: Add option to hide TBB's logo
    • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
    • Bug 11471: Ensure text fits the initial configuration dialog
    • Bug 9516: Send Tor Launcher log messages to Browser Console
  • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
  • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
  • Bug 13356: Meek and other symlinks missing after complete update.
  • Bug 13025: Spoof screen orientation to landscape-primary.
  • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
  • Bug 13318: Minimize number of buttons on the browser toolbar.
  • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
  • Bug 13023: Disable the gamepad API.
  • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
  • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
  • Bug 13186: Disable DOM Performance timers
  • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
  • Bug 4234: Automatic Update support (off by default)
  • Bug 11641: Reorganize bundle directory structure to mimic Firefox
  • Bug 10819: Create a preference to enable/disable third party isolation
  • Bug 13416: Defend against new SSLv3 attack (poodle).
• Windows:
  • Bug 10065: Enable DEP, ASLR, and SSP hardening options
• Linux:
  • Bug 13031: Add full RELRO hardening protection.
  • Bug 10178: Make it easier to set an alternate Tor control port and password
  • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
  • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Download Tor Browser 4.0

Read More

Sandcat Browser 5 - A Penetration-Oriented Browser

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers.

Here is what changed in version 5.0 beta 1:

• Faster startup and responsiveness.
• Huge refactoring and cleanup of the current code.
• The Chromium library was upgraded to the latest release (incredibly fast!).
• Improved compatibility with 64-bit Windows editions.
• Improved source code editor.
• Available as free, open source/community edition (under a BSD-3-Clause license).
• Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
• Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions easier in Sandcat. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
• Fixed: output of the SHA1 and the full URL encoders that come with the pen-tester pack. 

Download Sandcat Browser 5

Read More

OWASP Mantra Security Toolkit - Browser Based Security Framework

OWASP Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Mantra is a browser especially designed for web application security testing. By having such a product, more people will come to know the easiness and flexibility of being able to follow basic testing procedures within the browser. Mantra believes that having such a portable, easy to use and yet powerful platform can be helpful for the industry.

Mantra has many built in tools to modify headers, manipulate input strings, replay GET/POST requests, edit cookies, quickly switch between multiple proxies, control forced redirects etc. This makes it a good software for performing basic security checks and sometimes, exploitation. Thus, Mantra can be used to solve basic levels of various web.

Mantra Provides

• A web application security testing framework built on top of a browser.
• Supports Windows, Linux(both 32 and 64 bit) and Macintosh.
• Can work with other software like ZAP using built in proxy management function which makes it much more convenient.
• Available in 9 languages: Arabic, Chinese – Simplified, Chinese – Traditional, English, French, Portuguese, Russian, Spanish and Turkish
• Comes installed with major security distributions including BackTrack and Matriux

Download OWASP Mantra

Read More

[ImageCacheViewer] View images in the cache of your Web browser

ImageCacheViewer is a simple tool that scans the cache of your Web browser (Internet Explorer, Firefox, or Chrome), and lists the images displayed in the Web sites that you recently visited. 

For every cached image file, the following information is displayed: URL of the image, Web browser that was used to visit the page, image type, date/time of the image, browsing time, and file size. 

When selecting a cache item in the upper pane of ImageCacheViewer, the image is displayed in the lower pane, and you can copy the image to the clipboard by pressing Ctrl+M.

System Requirements And Limitations

• This utility works in any version of Windows, starting from Windows XP and up to Windows 8. Both 32-bit and 64-bit systems are supported.
• The following Web browsers are supported: Internet Explorer, Mozilla Firefox, SeaMonkey, and Google Chrome.
• ImageCacheViewer won't work if you configure your Web browser to clear the cache after closing it.
• It's recommended to close all windows of your Web browser before using ImageCacheViewer, to ensure that all cache files are saved to the disk.

Start Using ImageCacheViewer

ImageCacheViewer doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - ImageCacheViewer.exe

After running ImageCacheViewer, it begins to scan the cache of your Web browser, and displays all cached images from Web sites you visited in the last day. If you want to get images from other days, you can remove or change the last 1-day filter from the 'Advanced Options' window (F9).

After the scanning process is finished, you can also watch the image in the lower pane of ImageCacheViewer, by selecting the desired item in the upper pane.

If from some reason ImageCacheViewer fails to detect the cache of your Web browser properly, you can go to 'Advanced Options' window (F9), and choose the desired cache folders to scan for each Web browser.

Download ImageCacheViewer

Read More

[Sandcat Browser 4.4] The fastest web browser combined with the fastest scripting language packed with features for pen-testers

Sandcat Browser is the fastest web browser combined with the fastest scripting language packed with features for pen-testers. Sandcat Browser is a freeware portable pen-test oriented multi-tabbed web browser with extensions support developed by the Syhunt team. The Sandcat Browser is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.

Some of its unique features include:

• Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
• Sandcat Console — an extensible command line console; Allows you to easily run custom commands and scripts in a loaded page
• Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
• Page Menu extensions — allows you to view details about a page and more.
• Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.

Features inherited from Chromium include:

• Multi-Process Architecture — each tab is its own process
• Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

Download Sandcat Browser 4.4

Read More

Tor Browser Bundle 3.5

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well

as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

• All Platforms
• Update Tor to 0.2.4.19
• Update Tor Launcher to 0.2.4.2
  • Bug 10382: Fix a Tor Launcher hang on TBB exit
• Update Torbutton to 1.6.5.2
• Misc: Switch update download URL back to download-easy    

Download Tor Browser Bundle 3.5

Read More

[WhiteHat Aviator] The Web’s most secure and private browser

A few weeks have passed and we’ve had an overwhelmingly positive response from the community for the Aviator Beta. As you can probably expect, the vast majority of comments we received were around building a Windows version or a Linux version. But in the mean time, we wanted to make sure we continued iterating on some of the bugs that have floated in. Aviator version 1.2 has the following changes:

• Fixed gate keeper – unidentified developer code signing issue
• Fixed crash issue with Mac version 10.6
• Fixed plugins installation issue (correcting an error in the User Agent)
• Fixed broken images while adding new user in settings page
• Fixed typo issue in the Protected mode message popup
• Permissions fixed to be safer and less permissive

Download WhiteHat Aviator

Read More

[Browser Password Dump] Tool to instantly recover your lost password from all the popular web browsers

Browser Password Dump is the free command-line tool to instantly recover your lost password from all the popular web browsers.

Currently it can recover stored web login passwords from following browsers.

• Firefox
• Internet Explorer
• Google Chrome
• Chrome Canary/SXS
• CoolNovo Browser
• Opera Browser
• Apple Safari
• Flock Browser
• SeaMonkey Browser
• Comodo Dragon Browser

It automatically discovers installed applications on your system and recovers all the stored web login passwords within seconds.

Download Browser Password Dump v1.0

Read More

[Browser Password Decryptor v5.0] Browser Password Recovery Tool

Browser Password Decryptor is the FREE software to instantly recover website login passwords stored by popular web browsers.

Currently it can recover saved login passwords from following browsers.

Firefox Internet Explorer Google Chrome Google Chrome Canary/SXS CoolNovo Browser Opera Browser Apple Safari Comodo Dragon Browser SeaMonkey Browser Flock Browser

It has both GUI interface as well as command line version making it more useful for Penetration testers and Forensic investigators. Download Browser Password Decryptor v5.0

Read More

[HconSTF Pentest Browser] Open Source Penetration Testing / Ethical Hacking Framework

HconSTF is Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessments.contains webtools which are powerful in doing xss(cross site scripting), Sql injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. Even useful to anybody interested in information security domain - students, Security Professionals,web developers, manual vulnerability assessments and much more.

Download HconSTF Pentest Browser v0.5

Read More