FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
☐ β˜† βœ‡ KitPloit - PenTest Tools!

BucketLoot - An Automated S3-compatible Bucket Inspector

By: Zion3R β€” January 29th 2024 at 11:30


BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

The tool can scan for buckets deployed on Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces and even custom domains/URLs which could be connected to these platforms. It returns the output in a JSON format, thus enabling users to parse it according to their liking or forward it to any other tool for further processing.

BucketLoot comes with a guest mode by default, which means a user doesn't needs to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you'd like to know more about the tool, make sure to check out our blog.

Features

Secret Scanning

Scans for over 80+ unique RegEx signatures that can help in uncovering secret exposures tagged with their severity from the misconfigured storage bucket. Users have the ability to modify or add their own signatures in the regexes.json file. If you believe you have any cool signatures which might be helpful for others too and could be flagged at scale, go ahead and make a PR!

Sensitive File Checks

Accidental sensitive file leakages are a big problem that affects the security posture of individuals and organisations. BucketLoot comes with a 80+ unique regEx signatures list in vulnFiles.json which allows users to flag these sensitive files based on file names or extensions.

Dig Mode

Want to quickly check if any target website is using a misconfigured bucket that is leaking secrets or any other sensitive data? Dig Mode allows you to pass non-S3 targets and let the tool scrape URLs from response body for scanning.

Asset Extraction

Interested in stepping up your asset discovery game? BucketLoot extracts all the URLs/Subdomains and Domains that could be present in an exposed storage bucket, enabling you to have a chance of discovering hidden endpoints, thus giving you an edge over the other traditional recon tools.

Searching

The tool goes beyond just asset discovery and secret exposure scanning by letting users search for custom keywords and even Regular Expression queries which may help them find exactly what they are looking for.

To know more about our Attack Surface Management platform, check out NVADR.



☐ β˜† βœ‡ KitPloit - PenTest Tools!

Sysreptor - Fully Customisable, Offensive Security Reporting Tool Designed For Pentesters, Red Teamers And Other Security-Related People Alike

By: Zion3R β€” July 14th 2023 at 12:30


Easy and customisable pentest report creator based on simple web technologies.

SysReptor is a fully customisable, offensive security reporting tool designed for pentesters, red teamers and other security-related people alike. You can create designs based on simple HTML and CSS, write your reports in user-friendly Markdown and convert them to PDF with just a single click, in the cloud or on-premise!


Your Benefits

Write in markdown
Design in HTML/VueJS
Render your report to PDF
Fully customizable
Self-hosted or Cloud
No need for Word

SysReptor Cloud

You just want to start reporting and save yourself all the effort of setting up, configuring and maintaining a dedicated server? Then SysReptor Cloud is the right choice for you! Get to know SysReptor on our Playground and if you like it, you can get your personal Cloud instance here:

οš€
Sign up here


SysReptor Self-Hosted

You prefer self-hosting? That's fine! You will need:

  • Ubuntu
  • Latest Docker (with docker-compose-plugin)

You can then install SysReptor with via script:

curl -s https://docs.sysreptor.com/install.sh | bash

After successful installation, access your application at http://localhost:8000/.

Get detailed installation instructions at Installation.





☐ β˜† βœ‡ KitPloit - PenTest Tools!

Metlo - An Open-Source API Security Platform

By: Zion3R β€” May 3rd 2023 at 12:30

Secure Your API.


Metlo is an open-source API security platform

With Metlo you can:

  • Create an Inventory of all your API Endpoints and Sensitive Data.
  • Detect common API vulnerabilities.
  • Proactively test your APIs before they go into production.
  • Detect API attacks in real time.

Metlo does this by scanning your API traffic using one of our connectors and then analyzing trace data.


There are three ways to get started with Metlo. Metlo Cloud, Metlo Self Hosted, and our Open Source product. We recommend Metlo Cloud for almost all users as it scales to 100s of millions of requests per month and all upgrades and migrations are managed for you.

You can get started with Melto Cloud right away without a credit card. Just make an account on https://app.metlo.com and follow the instructions in our docs here.

Although we highly recommend Metlo Cloud, if you're a large company or need an air-gapped system you can self host Metlo as well! Create an account on https://my.metlo.com and follow the instructions on our docs here to setup Metlo in your own Cloud environment.

If you want to deploy our Open Source product we have instructions for AWS, GCP, Azure and Docker.

You can also join our Discord community if you need help or just want to chat!

Features

  • Endpoint Discovery - Metlo scans network traffic and creates an inventory of every single endpoint in your API.
  • Sensitive Data Scannning - Each endpoint is scanned for PII data and given a risk score.
  • Vulnerability Discovery - Get Alerts for issues like unauthenticated endpoints returning sensitive data, No HSTS headers, PII data in URL params, Open API Spec Diffs and more
  • API Security Testing - Build security tests directly in Metlo. Autogenerate tests for OWASP Top 10 vulns like BOLA, Broken Authentication, SQL Injection and more.
  • CI/CD Integration - Integrate with your CI/CD to find issues in development and staging.
  • Attack Detection - Our ML Algorithms build a model for baseline API behavior. Any deviation from this baseline is surfaced to your security team as soon as possible.
  • Attack Context - Metlo’s UI gives you full context around any attack to help quickly fix the vulnerability.

Testing

For tests that we can't autogenerate, our built in testing framework helps you get to 100% Security Coverage on your highest risk APIs. You can build tests in a yaml format to make sure your API is working as intendend.

For example the following test checks for broken authentication:

id: test-payment-processor-metlo.com-user-billing

meta:
  name: test-payment-processor.metlo.com/user/billing Test Auth
  severity: CRITICAL
  tags:
    - BROKEN_AUTHENTICATION

test:
  - request:
      method: POST
      url: https://test-payment-processor.metlo.com/user/billing
      headers:
        - name: Content-Type
          value: application/json
        - name: Authorization
          value: ...
      data: |-
        { "ccn": "...", "cc_exp": "...", "cc_code": "..." }
    assert:
      - key: resp.status
        value: 200
  - request:
      method: POST
      url: https://test-payment-processor.metlo.com/user/billing
      headers:
        - name: Content-Type
          value: application/json
      data: |-
        { "ccn": "...", "cc_exp": "...", "cc_code": "..." }
    assert:
      - key: resp.s   tatus
        value: [ 401, 403 ]

You can see more information on our docs.

Why Metlo?

Most businesses have adopted public facing APIs to power their websites and apps. This has dramatically increased the attack surface for your business. There’s been a 200% increase in API security breaches in just the last year with the APIs of companies like Uber, Meta, Experian and Just Dial leaking millions of records. It's obvious that tools are needed to help security teams make APIs more secure but there's no great solution on the market.

Some solutions require you to go through sales calls to even try the product while others have you to send all your API traffic to their own cloud. Metlo is the first Open Source API security platform that you can self host, and get started for free right away!

We're Hiring!

We would love for you to come help us make Metlo better. Come join us at Metlo!

Open-source vs. paid

This repo is entirely MIT licensed. Features like user management, user roles and attack protection require an enterprise license. Contact us for more information.

Development

Checkout our development guide for more info on how to develop Metlo locally.



❌