People love tools. For a guy a freshly released pen-test tool can be a lot like getting your hands on a shiny brand-new toolset, even better if they’re powered in some way. Hint, Christmas is coming soon. :) They’re something you just can’t wait to rip open the box on and start playing around with. So it’s in this spirit that I point out a couple new tools with some features that sound like a lot of fun.
1) PortSwigger released a new version of Burp Suite, the same great stuff plus a whole lot more. The new stuff includes the ability to analyze session token randomness, manual and intelligent decoding and encoding of application data, a utility for performing a visual diff of any two data items, and more. Nice!
2) Stefano Di Paola, of Minded Security, released SWFIntruder. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. Most of us have been using odd types of decompilers for a while, but nothing purpose built for the task. For a first release, this one sounds like it has promise.
* And if you are looking for a resource that describes a whole lot more of the web application pen-test tools out there, look no further than Andre “dre” Gironda’s post on “Why crawling doesn’t matter.” He intended the post to educate for a different purpose, but the content is a veritable encyclopedia of pen-testing tools and their capabilities. Many of which I hadn’t even heard of that sound cool as well.