Commercial Web Application Scanner Benchmark

There’s a great post doing a feature comparison of commercial & open source scanners over at the Security Tools Benchmarking blog.

It appears as though IBM Rational’s AppScan and W3AF are the winners in the commercial and free/open source categories, respectively.  Read the full analysis here.

How Big is Your Haystack?

I’m not the world’s biggest fan of Steve Gibson and his Security Now! podcast.  Recently someone notified me of a neat website that Mr. Gibson created.  The website which he calls Haystack is a ‘brute force search space calculator’.

So what IS the “Search Space Calculator” ?

This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers of ten) into a real world context of the time that would be required (assuming differing search speeds) to exhaustively search every password up through that length, assuming the use of the chosen alphabet.


pandaflux’s list o’ recommended browser plugins


  • googlesharing: encrypts your google traffic and routes it through a proxy where it is combined with many other people.
  • https-everywhere: Automatically enables a secure connection for websites that supports it.
  • better privacy: Among other things, Better Privacy will delete “flash cookies” that are difficult to manage otherwise.


  • disconnect: Stop third parties and search engines from tracking the webpages you go to and searches you do.
  • click & clean: Deletes your browsing history, typed URLs, Flash cookies, all traces of your online activity to protect your privacy.
  • KB SSL Enforcer: Automatic security, browse encrypted.
  • NOREF: Suppress Referrer (referer) for Hyperlinks

GoogleSharing: a firefox addon

While reading the latest issue of Information Security Magazine I came across an article of a tool Moxie Marlinspike released at Blackhat this past summer, Googlesharing

Marlinspike has introduced several tools
that help people concerned about privacy avoid giving up personal information.
GoogleSharing, a Firefox add-on, acts as an anonymizing proxy service and is
designed to evade Google analytics and prevent Google from tracking searches. 

GoogleSharing firefox plugin
GoogleSharing firefox plugin

Firesheep: Firefox session hijacking plugin

From Threatpost:

“a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature. ”

Download Firesheep here:

NodeZero Linux Live CD

I usually rely on Backtrack as my security Swiss army knife.  However I recently learned of NodeZero Linux (formerly Ubuntu Pentest Edition-PE).  Once I give it a full shake down I’ll post a review of how I think it stacks up against BT.

NodeZero is Ubuntu based linux designed as a complete system which can also be used for penetration testing. NodeZero uses Ubuntu repositories so your system will be always up to date. The system setup is basic and it’s primarily designed for disk installation and customization as you want.

With NodeZero comes around 300 tools for penetration testing and set of basic services which are needed in penetration testing.

Generating an SSL server report card

The kind folks over at Qualys are running a site which will “grade” an SSL server based on its security configuration.  The site below will generate a report card of a site’s SSL configuration based on factors such as the certificate chain, cipher suites, and protocols allowed.

I learned of the site by listening to Qualys’ Ivan Ristic, primary author of Apache’s mod_security, on the Eurotrash Security podcast.