We take a look at the latest additions to the security researchers’ arsenal
The early months of 2022 are behind us, and as security professionals prepare for the upcoming conference season, it’s high time to load up the arsenal of security tools.
During the dark and wet Northern Hemisphere winter, security researchers worked hard to build up a stockpile of new tools and utilities – many of which were released as open source software.
So, without further ado, here’s our latest quarterly roundup of hacking tools available to pen testers, enterprise security specialists, and other IT security professionals at the start of Q2 2022.
Lab environment to learn about API security
A test platform designed to help users learn more about API security has been released for the open source community.
API security has come to the fore in the fight to improve enterprise web security in recent years.
vAPI, also known as the “Vulnerable Interface to Unwanted Programming”, is designed to showcase the OWASP Top Ten APIs, creating a safe environment to observe their behaviors.
Developed by Holm Security researchers, vAPI offers an open-source PHP-based interface, available on GitHub, which can run as a self-hosted API via PHP, MySQL, and PostMan, or as a Docker image.
Learn more about the vAPI API Security Testing Platform
Non-Commercial Phishing Email Scanner Tool
A non-commercial tool that automates the process of analyzing phishing emails has the potential to help organizations systematically protect themselves against scams.
ThePhish extracts indicators from suspicious emails, including IP addresses, email addresses, domains, URLs, and attachments. This information is fed into Cortex, an active response engine.
The tool, developed by Emanuele Galdi, a researcher at Italian cybersecurity firm SecSI, integrates with incident response platform, TheHive. The positive results obtained by ThePhish are exchanged via the Malware Information Sharing Platform (MISP).
Learn more about The Phish email scam tool
Fuzzing tool to speed up network application testing
A prototype tool to speed up the process of testing networking applications and protocols has been developed by researchers at Imperial College London.
SnapFuzz is designed to overcome time constraints that can inhibit the process of testing network applications.
As a fuzzing framework, it tries a wide variety of input values and monitors the output for anomalies which may reveal potential bugs.
Learn more about the SnapFuzz Network Application Testing Tool
The task of protecting applications against instructions from malicious packages can be made easier by introducing three tailor-made utilities.
The tools – npm-secure-install, packet checkerand npm_issues_statistic – are designed to validate whether package versions can be trusted as well as monitor applications for inclusion of problematic dependencies.
The genesis for the development of the utilities by software company JFrog came from a recent incident in which a developer intentionally modified two NPM packages, crashing these applications and thus disrupting any application that depended on them.
Learn more about JFrog’s NPM security tools
Discover a weak text writing decloaking tool
Anyone who thought that rasterizing text offered an effective method of masking or redacting content will have their illusions dispelled by a new hacking tool.
Unreadctor is able to take redacted pixelated text and discover the “plain text” that the fragile security technique is supposed to hide.
Developer Bishop Fox said the tool demonstrates that rasterization is “an unnecessary, evil, insecure, and foolproof way to leak your sensitive data.”
Learn more about the Unreadctor weak redaction unmasking tool
AWS Utility Protects Against Dangling Elastic IP Takeovers
Answering the question ‘who are you going to call?’ to deal with a troublesome class of AWS security issues comes Ghostbuster.
Ghostbuster, a tool developed by Australian cybersecurity firm Assetnote, lists all public IP addresses associated with an organization’s AWS accounts before checking with DNS records that point to Elastic IP addresses that an organization does not own.
The approach provides a “foolproof way” to detect dangling elastic IP takeovers, a class of subdomain takeover attacks.
In addition to hosting malicious content or exploiting a “trusted” domain for phishing attacks, attackers may attempt to use this tactic in offers to claim the SSL certificates of a subdomain and other similar shenanigans.
Learn more about the AWS Ghostbuster security tool
RELATED Latest Web Hacking Tools – Q1 2022