Swag Bag A collection of free tools and resources from the team at NotSoSecure

Exclusive launch for Black Hat attendees for our new technical white paper

Developers often focus on fixing server-side vulnerabilities, given their high-profile status. However, client-side vulnerabilities can be equally catastrophic and demand due attention. Delay in identification and remediation of client-side vulnerabilities can even have serious business impact.

With this whitepaper, we intend to help pentesters identify and understand the importance of client-side vulnerabilities, by talking about various client-side vulnerabilities which pentesters should be looking-for during application assessments, and the strategies that developers can undertake to mitigate those vulnerabilities by making minimal configuration changes.

SQL Injection Lab

In 2015, we had launched a SQLi lab for our attendees to learn SQL injection. The SQLi lab had challenges that ranged from basic to advance levels, covering key SQLi concepts. Though we no longer support our labs, we have decided to make our SQLi lab content freely available to everyone.

Some of the techniques from the lab may not work with the latest database editions, but it will surely help you understand SQL injection better.

Vulnerable Docker VM

Ever fantasized about messing with docker misconfigurations, privilege escalation, and more within a container? Our vulnerable docker VM allows that!

Blacklist3r

The goal of this project is to accumulate secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.

Serialized Payload Generator

Serialization bugs are making rounds across the internet and are widely exploited. However, a common problem that we face as Blackbox pen-testers is the generation of serialized payload, which we can leverage to exploit the serialization bug during web application tests.

Applications are built in different languages like .NET, PHP, Java etc. To exploit deserialization vulnerabilities for applications which are built in different languages, different deserialization exploitation tools are required to be configured. To simplify the payload generation process across various applications, we have been developing an aggregator tool called Serialized Payload Generator internally, which we are now making open source.

Android Application Analyzer

Android Application Analyzer allows analysis of Android application content in the local storage. Our inhouse tool analyzer also allows decompilation of the .apk file, supports Frida ‘universalsslunpinning’ script, allows testers to view the logcat logs in it, and has option to start MobSF instance from the tool for the application in scope.

Cloud Service Enum

As cloud environments are becoming increasingly popular, an evident rise in the use of cloud environment for production is observed.

From the internet, most of the cloud servers look same, however, once you get access to a server, things start to change. Cloud environments use tokens such as API Keys, OAuth tokens or managed identities for identity and access management. These tokens can be obtained by attackers using a variety of techniques such as the Server-Side Request Forgery (SSRF) attack, where a server acts on behalf of the attacker, via attacks like command injection in a cloud hosted application or via accidental disclosure from code sharing sites such as Pastebin or GitHub.

To help pen-testers validate which tokens (API keys, OAuth tokens and more) can access which cloud services, we built cloud enumeration scripts and these scripts are now available to you.

UDP Hunter

UDP Scanning has always been a slow and painful exercise, and if you add IPv6 to it, the choice of tools gets limited too. To alleviate some pain, we build UDP Hunter, a python based open-source network assessment tool, focused on auditing widely known UDP protocols for IPv6 and IPv4 hosts. Having support for 19 different service probes, UDP Hunter takes service enumeration a step further in which it also provides guidance on how a service can be exploited. UDP Hunter provides report in text format and support for more formats is underway!

One Rule to Rule Them All

Our super password cracking rule stood out on top in all our tests, as well as in others we looked at after. We're sorry to disappoint any Lord of the Rings fans ("One ring to rule them all!"), but despite our rule name, there likely won't ever be one rule to rule them all as other rule-based attacks wouldn't exist if there was. Password attacks should always be executed factoring in all variables, in particular the available time, hardware resources, dictionary size and algorithm.

Cloud Security Wiki

Cloud security is critical as organizations today have migrated their IT from on-premises to cloud environments. Security professionals also need to upskill as per these ever-evolving industry requirements and enhance their overall knowledge and understanding of cloud security.

With our cloud security wiki, we aim to assemble cloud security resources for various cloud environments to security researchers, architects, and developers. Our wiki is divided into 3 sections, and it briefly talks about Azure, AWS, and Google Clouds.

With access to our cloud security wiki, you will be able to contribute and enhance our cloud security material.