Wednesday, 20 February 2013

VSA: The Virtual Scripted Attacker, Slides online

At Brucon 2012 I had the privilege to present and demo VSA, the Virtual Scripted Attacker, a tool I had been working on with a great team of very talented people for a number of months.

The talk was only 5 minutes long (a Lightning talk) so the presentation is brief.

VSA is the first fully automated DOM XSS scanner ever created, capable of finding many more bugs than any other similar tool.

The VSA Team that made this happen was:
- Dr. Ing. Mario Heiderich (XSS PhD!) <-- For all questions please ask Mario :)
- Gareth Heyes
- Abraham Aranguren
- Alfred Farrugia
- Frederik Braun

The slides can be found here:

I was interviewed about VSA, OWASP OWTF and other things at EuroTrash 32:

Thursday, 14 February 2013

Free Android sec tools, resources and smartphonesdumbapps release

UPDATE: April 2nd - Added new pinning article thanks @an_animal!
UPDATE: Feb 14th - Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!

Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component. The purpose of this post is to try to get the average infosec person (or competent developer) up to speed as quickly as possible.

Free Tools
NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is just the best tool for this; unfortunately it is a GUI tool, so you will have to open the .jar file manually and then click File / Save All Sources to save all the .java files to disk:
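Once the .java files are on disk, a search like the one below picks out the places where certificate or hostname validation may have been weakened, which is where the SSL validation and pinning review starts. This is an added example, not code from the post, VSA or jd-gui; the pattern list, the function names and the two constructed sample files are my own assumptions.

```sh
# Added example: grep the .java files saved from jd-gui for patterns that
# usually mean certificate or hostname validation was weakened.
# The pattern list and the sample files below are constructed for this
# example; they are not from the post, VSA or jd-gui.

# Extended regex of API names worth reviewing by hand (assumption: this
# short list, not an exhaustive one).
SSL_PATTERNS='ALLOW_ALL_HOSTNAME_VERIFIER|X509TrustManager|checkServerTrusted|HostnameVerifier|setDefaultHostnameVerifier'

# Print every matching line as file:line:text for all .java files under $1.
# /dev/null is passed so grep always prints the file name, even for one file.
scan_java_sources() {
    find "$1" -name '*.java' -exec grep -nE "$SSL_PATTERNS" /dev/null {} +
}

# Echo the number of matching lines under $1 (0 when nothing matches).
count_ssl_findings() {
    scan_java_sources "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Write two constructed sample sources into $1: one with a trust-everything
# TrustManager and an all-hosts verifier, one with no TLS code at all.
make_sample_sources() {
    mkdir -p "$1"
    cat > "$1/NaiveClient.java" <<'EOF'
public class NaiveClient {
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) { }
    };
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
}
EOF
    cat > "$1/Clean.java" <<'EOF'
public class Clean {
    public int add(int a, int b) { return a + b; }
}
EOF
}

# Stand-alone run: build the samples in a temp dir and list the findings.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_sources "$demo_dir"
    scan_java_sources "$demo_dir"
    echo "findings: $(count_ssl_findings "$demo_dir")"
fi
```

Every hit is a starting point for manual review, not a confirmed bug: a custom TrustManager or HostnameVerifier can be a correct pinning implementation just as easily as a check that was switched off.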
Vulnerable Apps
Useful Presentations
On SSL validation and pinning

Further reading

P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.