We take a look at the latest additions to the arsenal of security researchers
After our recent year-end retrospectives, it’s time to look back, this time at some of the most compelling open source hacking tools released in the last quarter of 2021.
The arsenals of pen testers, researchers, and bug hunters have been bolstered for 2022 with new tools to detect dependency confusion attacks, find new techniques for smuggling HTTP requests, and discover paired private and public keys that are potentially dangerous.
Read on to find out about some of the best hacking tools that launched at the end of last year.
Google-backed ‘Pip-audit’ probes Python environments for vulnerable packages
The developers of a Google-backed tool that scans Python environments for packages with known vulnerabilities “wanted to create a tool that was not associated with any financial or licensing chain.”
William Woodruff, project manager at New York-based cybersecurity firm Trail of Bits, told The Daily Sip they also “wanted something that worked well for humans and machines: many tools (like Dependabot, which is also excellent) lock tightly into user or automated workflows.”
“Pip-audit” uses the PyPI JSON API to compare dependencies with the Python Packaging Advisory Database or with the Open Source Vulnerabilities (OSV) database.
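The matching step described above, as an added offline example (not pip-audit's own code): pinned requirements are checked against OSV-style advisory records. The advisory IDs, package names and versions are constructed placeholders, and version parsing is simplified to numeric release segments.

```python
import re

# Constructed OSV-style records; IDs and package names are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.4.1"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "demo-parser"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "1.0"}, {"fixed": "1.3"}, {"introduced": "2.0"}]}]}]},
]
# Constructed `pip freeze`-style input.
REQUIREMENTS = "ExampleLib==2.4.0\ndemo_parser==1.3.0\nunpinned-package>=1.0\n"

def normalize(name):
    """PEP 503 normalization, so ExampleLib, example_lib and example.lib compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vkey(version):
    """Numeric release segments only (assumption); trailing zeros dropped so 1.3 == 1.3.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version, events):
    """Walk range events (assumed sorted ascending), toggling the vulnerable state."""
    v, vulnerable = vkey(version), False
    for ev in events:
        if "introduced" in ev and v >= vkey(ev["introduced"]):
            vulnerable = True
        elif "fixed" in ev and v >= vkey(ev["fixed"]):
            vulnerable = False
    return vulnerable

def audit(requirements, advisories):
    """Return (findings, skipped); unpinned lines cannot be resolved offline."""
    findings, skipped = [], []
    for line in filter(None, (l.split("#")[0].strip() for l in requirements.splitlines())):
        m = re.fullmatch(r"([A-Za-z0-9._-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            skipped.append(line)
            continue
        name, version = normalize(m.group(1)), m.group(2)
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == "PyPI" and normalize(pkg["name"]) == name and any(
                        r["type"] == "ECOSYSTEM" and is_affected(version, r["events"])
                        for r in aff["ranges"]):
                    findings.append((name, version, adv["id"]))
    return findings, skipped
```

Reporting the skipped lines matters as much as the findings: a dependency that is not pinned to an exact version is unaudited, not clean.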
Sandbox helps determine if OWASP ModSecurity CRS can ‘save time’ with new CVEs
The new sandbox for testing payloads against the OWASP ModSecurity Core Rule Set (CRS) does not require a ModSecurity installation.
It can help people facing a new CVE know if CRS, a set of generic attack detection rules for use with ModSecurity or compatible Web Application Firewalls (WAFs), “might save them time”, according to those responsible for the project.
They also stated that the CRS Sandbox can help secure the CRS project itself, “since we can quickly test payloads against various versions and backends to confirm GitHub issues (false negatives, false positives).”
Differential fuzzing tool uncovers new techniques for smuggling HTTP requests
A new grammar-based HTTP fuzzer uncovers new techniques for smuggling HTTP requests by generating HTTP requests and applying mutations in order to trigger potential server processing quirks.
Researchers at Northeastern University in Boston developed “T-Reqs” with Akamai’s help and said they quickly discovered a host of new vulnerabilities with the tool.
Their research focused on HTTP request smuggling as a system interaction problem involving two or more HTTP processors in the traffic path.
Driftwood detects potentially dangerous encryption keys
“Driftwood” is used to discover paired private and public keys that are potentially dangerous.
Truffle Security developed the tool to allow “security professionals to immediately know if an identified encryption key is a sensitive key” in online repositories.
“The first step to remedying vulnerabilities is knowing them,” Truffle Security co-founder Dylan Ayrey told The Daily Sip.
“If people are validating SSL keys today, it’s hard to know. This tool helps infosec professionals quickly find these vulnerabilities so that they can revoke the affected certificates as soon as possible.”
Dependency Combobulator fights namespace confusion attacks
Dependency Combobulator detects dependency confusion attacks, which have plagued the open source software ecosystem since the technique was disclosed in February 2021.
Unveiled at Black Hat Europe 2021, the modular Python-based framework can be integrated into the software development lifecycle (SDLC) and CI/CD workflows, detecting malicious packages during the validation, construction or release phases of the SDLC.
Moshe Zioni, vice president of security research at DevSecOps vendor Apiiro, who developed the toolkit, said Dependency Combobulator can “tackle common scenarios, which can be diverse” and be adapted to detect variations in emerging attacks.
The venerable L0phtCrack password audit tool is open source
The Windows system password audit tool L0phtCrack was open sourced in October, after the venerable utility fell back into the hands of its original owners in June following its unsuccessful acquisition by Terahash.
L0phtCrack, which was released over 20 years ago, can audit Active Directory passwords and import and decrypt Linux, BSD, Solaris, and AIX (Unix-based systems) passwords.
Chris Wysopal, a former member of the hacker collective L0pht Heavy Industries, which built the tool, told The Daily Sip: “I think this could be a framework for more than just cracking passwords, but rather for the general automation of commonly performed ‘security audit’ tasks.”