Free & Open Tools

JavaSnoop Update in Beta

Aspect Security open-sourced a tool called JavaSnoop in 2010. It is a desktop tool that allows security testers to easily test the security of Java applications — and to see what is going on inside of a running Java application.

Using JavaSnoop, you can modify things in real time, such as the value of a String being passed between methods (so that ‘admin’ is now == true). Originally, JavaSnoop was written to instrument Java 1.6 APIs. Unfortunately, due to changes in Java, JavaSnoop does not work on Java 7 or 8 applications.

Since there are many situations in which being able to see or change Java runtime data is useful (for example, when testing a Java thick-client application), we decided to revitalize the project.

IBM® AppScan® Source Scanner Plugins for Jenkins

If you use Jenkins for continuous integration and IBM® AppScan® Source for vulnerability scanning, you’ve probably been using scripts to connect the two, scanning for vulnerabilities as code is committed. Yet scripts are difficult to maintain, must be updated for different apps and are unwieldy. They’re also error-prone and unforgiving, taking a lot of time to fix. So we’ve created a tool to make it easier for you to automate AppScan Source scanning from Jenkins.

Image Location Scanner: A Tool to Automate User Image Security

We allow our mobile devices to collect a multitude of data about us in order to improve our everyday lives. We take it for granted; without that GPS data, how would we remember where we parked our car? But often, users don’t understand the extent to which they share personal details on public web applications – especially when it comes to their photos.

Modern cameras embed a variety of information in each photo, from the model of the camera to GPS coordinates. This information is stored in the JPEG file’s generic “Application Segment” and encoded in the Exchangeable Image File Format (Exif).

As web application developers and application security engineers, we can add a measure of protection for users by finding and stripping out this data (even when users don’t realize they need to be protected). This post shares our open-source tool, Image Location Scanner, for automating the discovery of embedded GPS data during security assessments.

SpyFilter

SpyFilter is a simple demonstration of the power of IAST (Intrinsic Application Security Testing). You simply drop the jar file into the WEB-INF/lib folder of your web application and then use your application as normal. When you’re ready, you can visit {$appname}/spy to see a sitemap and explore all the traces recorded for your requests. This should be more than sufficient to correlate your dynamic (DAST) scanner findings with the source code and produce better findings.

JavaSnoop

JavaSnoop is an Aspect Security tool that allows security testers to easily test the security of Java applications. JavaSnoop is an example of how Aspect is leading the industry in providing Verification Services, and not just for your web applications.

Enterprise Security API (ESAPI)

The mission of the ESAPI Project is to make simple, strong security controls available to every developer in every programming environment. We are currently focused on web environments and have APIs and reference implementations in Java, .NET, PHP, Classic ASP, and more. ESAPI is a core component of Aspect’s Implementation Services, where we support development organizations by helping them establish their own standard security controls.

CSRF Tester

CSRFTester gives verification testers the ability to quickly determine whether a site is vulnerable to CSRF. It allows testers to record a web site transaction and then replay that transaction at a later time in order to prove whether an external attacker could cause the same transaction to execute successfully as part of a CSRF attack. CSRFTester facilitates detecting CSRF vulnerabilities and demonstrating to interested stakeholders that such attacks actually work, and the damage they can cause.

CSRF Guard

CSRFGuard provides an architectural level solution for CSRF, one of the hardest problems to solve in application security. It provides a shield for your entire web application against this dangerous new category of web application flaws, so all of your developers don’t have to provide a CSRF defense mechanism for each individual function within their web applications. CSRFGuard is an example of the types of standard security controls that we can help your organization establish or implement as part of our Implementation Services.

AntiSamy

The OWASP AntiSamy project is a security control that allows developers to safely accept rich HTML data from users, including scripts and CSS, without exposing the site to XSS vulnerabilities. AntiSamy solves what many felt was an ‘unsolvable’ problem before it was released. AntiSamy is an example of the types of standard security controls that we can help your organization establish or implement as part of our Implementation Services.

WebScarab

WebScarab is a security testing proxy that can be used to verify many aspects of application security in web applications and web services. Aspect supported the development of WebScarab for many years while the lead developer worked for us.