ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or higher, or for Java Micro Edition. 

Some uses of ProGuard are:

• Creating more compact code, for smaller code archives, faster transfer across networks, faster loading, and smaller memory footprints.
• Making programs and libraries harder to reverse-engineer.
• Listing dead code, so it can be removed from the source code.
• Retargeting and preverifying existing class files for Java 6 or higher, to take full advantage of their faster class loading.

ProGuard's main advantage compared to other Java obfuscators is probably its compact template-based configuration. A few intuitive command line options or a simple configuration file are usually sufficient. The user manual explains all available options and shows examples of this powerful configuration style.

ProGuard is fast. It only takes seconds to process programs and libraries of several megabytes. The results section presents actual figures for a number of applications.

ProGuard is a command-line tool with an optional graphical user interface. It also comes with plugins for Ant, for Gradle, and for the JME Wireless Toolkit.

What is shrinking?

Java source code (.java files) is typically compiled to bytecode (.class files). Bytecode is more compact than Java source code, but it may still contain a lot of unused code, especially if it includes program libraries. Shrinking programs such as ProGuard can analyze bytecode and remove unused classes, fields, and methods. The program remains functionally equivalent, including the information given in exception stack traces.

What is obfuscation?

By default, compiled bytecode still contains a lot of debugging information: source file names, line numbers, field names, method names, argument names, variable names, etc. This information makes it straightforward to decompile the bytecode and reverse-engineer entire programs. Sometimes, this is not desirable. Obfuscators such as ProGuard can remove the debugging information and replace all names by meaningless character sequences, making it much harder to reverse-engineer the code. It further compacts the code as a bonus. The program remains functionally equivalent, except for the class names, method names, and line numbers given in exception stack traces.

What is preverification?

When loading class files, the class loader performs some sophisticated verification of the byte code. This analysis makes sure the code can't accidentally or intentionally break out of the sandbox of the virtual machine. Java Micro Edition and Java 6 introduced split verification. This means that the JME preverifier and the Java 6 compiler add preverification information to the class files (StackMap and StackMapTable attributes, respectively), in order to simplify the actual verification step for the class loader. Class files can then be loaded faster and in a more memory-efficient way. ProGuard can perform the preverification step too, for instance allowing to retarget older class files at Java 6.

What kind of optimizations does ProGuard support?

Apart from removing unused classes, fields, and methods in the shrinking step, ProGuard can also perform optimizations at the bytecode level, inside and across methods. Thanks to techniques like control flow analysis, data flow analysis, partial evaluation, static single assignment, global value numbering, and liveness analysis, ProGuard can:

• Evaluate constant expressions.
• Remove unnecessary field accesses and method calls.
• Remove unnecessary branches.
• Remove unnecessary comparisons and instanceof tests.
• Remove unused code blocks.
• Merge identical code blocks.
• Reduce variable allocation.
• Remove write-only fields and unused method parameters.
• Inline constant fields, method parameters, and return values.
• Inline methods that are short or only called once.
• Simplify tail recursion calls.
• Merge classes and interfaces.
• Make methods private, static, and final when possible.
• Make classes static and final when possible.
• Replace interfaces that have single implementations.
• Perform over 200 peephole optimizations, like replacing ...*2 by ...<<1.
• Optionally remove logging code.

The positive effects of these optimizations will depend on your code and on the virtual machine on which the code is executed. Simple virtual machines may benefit more than advanced virtual machines with sophisticated JIT compilers. At the very least, your bytecode may become a bit smaller.

Some notable optimizations that aren't supported yet:

• Moving constant expressions out of loops.
• Optimizations that require escape analysis (DexGuard does).

Download ProGuard

Read More

Web Application Protection - Tool to detect and correct vulnerabilities in PHP web applications

WAP 2.0 is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) and with a low rate of false positives. WAP detects and corrects the following vulnerabilities:

• SQL Injection (SQLI)
• Cross-site scripting (XSS)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• Directory Traversal or Path Traversal (DT/PT)
• Source Code Disclosure (SCD)
• OS Command Injection (OSCI)
• PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reaches some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code. WAP is written in Java language and is constituted by three modules:

• Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.


• False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as being a false positive or not (real vulnerability).


• Code Corrector: Each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.     

Download WAP

Read More

MagicTree - Penetration Tester Productivity Tool

Have you ever spent ages trying to find the results of a particular portscan you were sure you did? Or grepping through a bunch of files looking for data for a particular host or service? Or copy-pasting bits of output from a bunch of typescripts into a report? We certainly did, and that's why we wrote MagicTree - so that it does such mind-numbing stuff for us, while we spend our time hacking.

MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, "Tree" is because all the data is stored in a tree structure, and "Magic" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting.

Installation

No installation is required for MagicTree. The application is distrubuted as a single JAR file which has to be executed with JRE. Just save the file on your desktop. Double-click on it to execute it or, for less user-friendly OSes, issue “java -jar MagicTree.jar’ command.

Download MagicTree

Read More

Burp Suite Professional v1.6 - The leading toolkit for web application security testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Changelog v1.6

Burp Suite Free Edition contains significant new features added since v1.5, including:

• Support for WebSockets messages.
• Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
• A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
• A new powerful extensibility API, enabling extensions to customize Burp’s behavior in much more powerful ways.
• Support for extensions written in Python and Ruby.
• A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
• An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
• Generation of CSRF PoC attacks using a new cross-domain XHR technique.
• New options for SSL configuration, to help work around common problems.
• Optional unpacking of compressed request bodies in the Proxy.
• Support for .NET DeflateStream compression.
• New and improved types of Intruder payloads.
• New Proxy interception rules.
• New Proxy match/replace rules.
• Improved layout options in the Repeater UI.
• An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
• Support for the Firefox Plug-n-hack extension.
• An option to copy a selected request as a curl command.

Burp Suite Professional contains a number of bugfixes and tweaks, added since the last beta version, including:

• An occasional bug causing misplaced highlights on payloads in Scanner issues has been fixed.
• A bug in which restoring default settings for the Extender tool didn’t unload any currently running extensions has been fixed.
• A display bug affecting the rendering of binary content (such as images) in the raw view of the HTTP message editor has been fixed.
• A bug which prevented the automatic backup on exit feature from functioning in headless mode has been fixed.
• In previous versions, Burp stored its preferences in separate locations for each major version. This caused persisted settings to be lost on upgrading to a new major version. This behavior has been modified, and from v1.6 onwards major versions will store their preferences in the same location. As a workaround to preserve settings from earlier releases, Pro users can launch the earlier release, save a state file containing their preferences, then launch the new release and load the state file.

Download Burp Suite Professional v1.6

Read More

[IPhone Analyzer] IPhone Forensics Tool

iPhone Analzyer allows you to forensically examine or recover date from in iOS device. It principally works by importing backups produced by iTunes or third party software, and providing you with a rich interface to explore, analyse and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the original data.

Features

• Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
• Multi-platform (Java based) product, supported on Linux, Windows and Mac
• Fast, powerful search across device including regular expressions
• Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and wifi locations observed by the device (the infamous "locationd" data)
• Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others
• Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device can often be recovered),/li>
• Integrated visualisation of plist and sqlite files
• Includes support for off-line mapping, supporting mapping on computers not connected to the Internet
• Support for KML export and direct export to Google Earth
• Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".
• Analyse jail broken device directly over SSH without need for backup (experimental)

Download IPhone Analyzer

Read More

[Xelenium] Security Testing with Selenium

Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.

Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/

Download Xelenium

Read More

[DirBuster] Brute Force Directories and Files Names on Web/Application Servers

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)

Download DirBuster

Read More

[jSQL Injection v0.4] Java tool for automatic database injection

jSQL Injection is a lightweight application used to find database information from a distant server.

jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

Version 0.4 features:

• GET, POST, header, cookie methods
• Normal, error based, blind, time based algorithms
• Automatic best algorithm selection
• Multi-thread control (start/pause/resume/stop)
• Progression bars
• Shows URL calls
• Simple evasion
• Proxy setting
• Distant file reading
• Webshell deposit
• Terminal for webshell commands
• Configuration backup
• Update checker
• Admin page checker
• Brute forcer (md5 mysql...)
• Coder (encode decode base64 hex md5...)
• Supports MySQL 

Download jSQL Injection v0.4

Read More

[JSQL v0.3] Java Tool for Automatic Database Injection

jSQL Injection is a lightweight application used to find database information from a distant server.

jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

Version 0.2 features:

• GET, POST, header, cookie methods
• normal, error based, blind, time based algorithms
• automatic best algorithm selection
• thread control (start/pause/resume/stop)
• expose URL calls
• simple evasion
• data retrieving progression bar
• proxy setting
• supports MySQL

Next release v0.3 will include:
+ distant file reading [sqli]
+ webshell deposit [sqli]
+ terminal to run webshell commands [gui]
+ configuration backup [gui]
+ Updates checking [gui]
+ user interface tweaks [gui]

Next work:
+ distant table writing [sqli]
+ distant file writing [sqli]
+ reverse tcp shell deposit [sqli]
+ right elevation [sqli]
+ speed increase (non encoding pass): 50% faster [sqli]
+ control all running tasks in a tab [gui]
# speed test comparison with other injection tools [dev]
# automatic code testing (JUnit) [dev]
# wiki pages [site]

https://code.google.com/p/jsql-injection/

Download JSQL v0.3

Read More

[jSQL] SQLi automática con Java

jSQL es una herramienta gratuita y de código abierto construida en Java para inyecciones SQL automáticas. Con una interfaz muy sencilla y fácil de usar para el usuario.

Características:

• Soporte para metodos GET, POST, header y cookie.
• Tipos de inyección: normal, error based, blind, time based.
• Detección de algoritmos automática.
• Muestra el progreso para recibir datos
• Opciones para detener, pausar o reanudar operaciones.
• Soporte para Proxy.
• Evasión
• Disponible para Linux, Windows, etc.
• Soporte solo para MySQL

Actualmente se encuentra en la versión 0.2

Página del proyecto: http://code.google.com/p/jsql-injection/
Descargas: http://adf.ly/14645Y

Read More

[jSQL Injection] Java based automated SQL injection tool

jSQLi is java based free SQL Injection Tool. It is very easy for user to retrieve database information from a vulnerable web server.

SQL Injection features:

• GET, POST, header, cookie methods
• normal, error based, blind, time based algorithms
• automatic best algorithms detection
• data retrieving progression
• proxy setting
• evasion
• for now supports MySQL

Download it from here:
http://adf.ly/14645Y

Read More