We take a look back at some of the latest offensive security tools that were launched over the past three months

DEF CON has gone virtual this year, but web security enthusiasts can still expect to see a plethora of new hacking tools coming out early next month.

In the meantime, as many in the tech industry around the world have been obliged to work through a period of lockdown, a raft of new web security utilities has been released over the last three months, with plenty for researchers to explore.

Here’s our roundup of the latest hacking tools for the second quarter of 2020:

ParamSpider: URL parameter exposure audit tool

First up comes ParamSpider, a new tool to help in the discovery of URL parameter exposure in websites and apps.

The open source tool, put together by independent India-based security researcher Devansh Batham, automates the harvesting of parameter names from URLs, a key step in one common methodology for probing websites and applications for vulnerabilities.

Security researchers can then feed the parameters extracted by the tool into a fuzzer in order to find potential vulnerabilities, simplifying what is traditionally a labour-intensive process.
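The harvest-then-fuzz workflow described above, as an added example (this is not ParamSpider's own code): parameter names are collected per endpoint from a constructed list of URLs, static assets are skipped, and each endpoint is emitted once with every known parameter replaced by a placeholder that a fuzzer can substitute. The URL list and the `FUZZ` placeholder are assumptions for the demonstration.

```python
"""Added example, not ParamSpider's own code: harvest query-string parameter
names from a list of URLs and emit one fuzz-ready URL per endpoint."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of the kind of URL list an archive crawl or proxy log yields.
SAMPLE_URLS = [
    "https://example.com/search?q=shoes&page=2",
    "https://example.com/search?q=hats&sort=price",
    "https://example.com/user/profile?id=1337",
    "https://example.com/static/app.js",                 # no query string: ignored
    "https://example.com/item?id=42&ref=email#top",       # fragment is not a parameter
]

# Extensions that almost never take meaningful parameters; skipping them cuts noise.
STATIC_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff")


def harvest_params(urls):
    """Group parameter names by (scheme, host, path), merging across URLs."""
    found = {}
    for url in urls:
        parts = urlsplit(url)
        if not parts.query or parts.path.lower().endswith(STATIC_EXTENSIONS):
            continue
        names = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        found.setdefault((parts.scheme, parts.netloc, parts.path), set()).update(names)
    return found


def fuzz_urls(urls, placeholder="FUZZ"):
    """One URL per endpoint with every known parameter set to the placeholder,
    ready for a fuzzer that substitutes its wordlist for the placeholder."""
    out = []
    for (scheme, host, path), names in sorted(harvest_params(urls).items()):
        query = urlencode([(name, placeholder) for name in sorted(names)])
        out.append(urlunsplit((scheme, host, path, query, "")))
    return out


if __name__ == "__main__":
    for line in fuzz_urls(SAMPLE_URLS):
        print(line)
```

Merging parameters across every URL seen for an endpoint matters: the archive may only ever have recorded `q` and `page` together, but a fuzzer that sends `q`, `page` and `sort` in one request exercises code paths that no single archived URL did.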

Read more about ParamSpider

InQL helps developers uncover GraphQL vulnerabilities

The process of finding flaws in applications that use GraphQL has been simplified by the release of a new open source tool.

InQL, put together by security researchers at Doyensec, straightens out the path to discovering vulnerabilities in GraphQL, the API query language initially developed at Facebook.

A commonplace mistake that developers using the declarative language can make is to define user models that contain confidential fields, such as unredacted password reset tokens, which then leak in query results to anyone able to select them.
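The schema-driven part of that hunt, as an added example (not InQL's code; InQL builds its queries from the introspection result too, but this is an independent sketch): walk a GraphQL introspection response, flag object fields whose names suggest secrets, and generate the query that would select them so the lead can be confirmed against a running server as a low-privilege caller. The introspection JSON is constructed for the example and the `SENSITIVE` word list is an assumption; finding a field in the schema is only a lead, since the resolver may still redact it.

```python
"""Added example, not InQL's own code: walk a GraphQL introspection result,
flag object fields whose names suggest secrets, and build the query that would
return them so the finding can be confirmed against a running server."""
import json
import re

# Constructed introspection response, trimmed to the parts this example reads.
INTROSPECTION = json.loads("""
{"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
  {"kind": "OBJECT", "name": "Query", "fields": [
    {"name": "user",
     "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": null,
               "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}],
     "type": {"kind": "OBJECT", "name": "User", "ofType": null}}]},
  {"kind": "OBJECT", "name": "User", "fields": [
    {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": null}},
    {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
    {"name": "passwordResetToken", "args": [],
     "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
    {"name": "sessions", "args": [], "type": {"kind": "LIST", "name": null,
     "ofType": {"kind": "OBJECT", "name": "Session", "ofType": null}}}]},
  {"kind": "OBJECT", "name": "Session", "fields": [
    {"name": "apiKey", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
    {"name": "createdAt", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
  {"kind": "SCALAR", "name": "String", "fields": null},
  {"kind": "SCALAR", "name": "ID", "fields": null}
]}}}
""")["data"]["__schema"]

# Assumed word list; tune it to the application's vocabulary.
SENSITIVE = re.compile(r"token|secret|password|api_?key|hash|salt|otp", re.I)


def unwrap(type_ref):
    """Strip NON_NULL and LIST wrappers to reach the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def object_types(schema):
    """Name -> type for user-defined object types (introspection's own __* types skipped)."""
    return {t["name"]: t for t in schema["types"]
            if t["kind"] == "OBJECT" and not t["name"].startswith("__")}


def sensitive_fields(schema):
    """(type, field) pairs whose field name matches the SENSITIVE pattern."""
    return sorted((tname, f["name"])
                  for tname, t in object_types(schema).items()
                  for f in t["fields"] if SENSITIVE.search(f["name"]))


def selection_set(schema, type_name, depth=2):
    """Selection set listing every field of a type, recursing into nested objects."""
    types = object_types(schema)
    parts = []
    for f in types[type_name]["fields"]:
        inner = unwrap(f["type"])
        if inner["kind"] != "OBJECT":
            parts.append(f["name"])
        elif depth > 0 and inner["name"] in types:
            parts.append(f"{f['name']} {{ {selection_set(schema, inner['name'], depth - 1)} }}")
    return " ".join(parts)


def build_query(schema, root_field, args):
    """Query document for one root field, e.g. user(id: "1"), selecting all fields."""
    query_type = object_types(schema)[schema["queryType"]["name"]]
    field = next(f for f in query_type["fields"] if f["name"] == root_field)
    arg_str = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
    target = unwrap(field["type"])["name"]
    return f"query {{ {root_field}({arg_str}) {{ {selection_set(schema, target)} }} }}"


if __name__ == "__main__":
    print(sensitive_fields(INTROSPECTION))
    print(build_query(INTROSPECTION, "user", {"id": "1"}))
```

The `depth` cap on `selection_set` is deliberate: real schemas are full of cycles (`User.sessions -> Session.user -> ...`) and an unbounded walk would generate a query the server rejects or, worse, one that itself becomes a denial-of-service test. Run the generated query with the least privileged credentials available; if `passwordResetToken` comes back populated for a user other than the caller, the schema mistake described above is confirmed.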

InQL is available as a standalone application or an extension for Burp Suite.

Read more about InQL

Brim network forensics tool makes navigating large traffic logs easy

An open source desktop application makes it easy to work with large packet capture (pcap) files.

Analysing pcap files can be useful in both network troubleshooting and security incident response. The problem is that these raw data files can easily become massive and unwieldy.

The newly developed Brim utility allows security pros to wade through large packet captures and logs via the Zeek network traffic analysis framework in order to uncover nuggets of useful intelligence.

The network forensics tool was developed by US-based vendor Brim Security.

Steve McCanne, Brim Security’s founder, told The Daily Swig: “Big pcaps are cumbersome but have lots of detail. Zeek logs summarize pcaps well, but there’s no easy way to search them on the desktop, or easily link back to a pcap.

“Brim joins these domains in an easy to use desktop app, that’s open source, so anyone can use it right now,” he added.
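The two halves McCanne describes, searching Zeek logs and linking a hit back to the pcap, as an added example that is not Brim's code: a small parser for Zeek's TSV log format (typing columns from the `#types` header and honouring `#unset_field`), a search over the parsed records, and a capture filter derived from a hit's 5-tuple so the matching packets can be pulled back out of the original pcap with tcpdump or Wireshark. The conn.log is constructed with real Zeek header and field names but made-up traffic, and the search thresholds are assumptions.

```python
"""Added example, not Brim's own code: parse a Zeek TSV conn.log, type its
columns from the #types header, search it, and derive a capture filter that
pivots a hit back to the packets in the pcap."""

# Constructed Zeek conn.log (real Zeek header layout and field names, made-up traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2020-06-01-12-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring",
    "1591000000.123\tCa1b2c\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1024\t20480\tSF",
    "1591000001.456\tCd3e4f\t10.0.0.5\t51235\t10.0.0.9\t4444\ttcp\t-\t3600.0\t52000\t1200\tS1",
    "1591000002.789\tCg5h6i\t10.0.0.7\t51236\t10.0.0.9\t4444\ttcp\t-\t3599.2\t49000\t900\tS1",
    "1591000003.000\tCj7k8l\t10.0.0.5\t51237\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t120\tSF",
    "#close\t2020-06-01-12-00-03",
])

# How to turn the raw text of each Zeek column type into a Python value.
CONVERT = {"time": float, "interval": float, "count": int, "port": int}


def parse_zeek_log(text):
    """Return a list of dicts, one per record, typed according to the #types line."""
    fields, types, rows = [], [], []
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#types":
                types = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue
        values = line.split("\t")
        row = {}
        for name, typ, raw in zip(fields, types, values):
            row[name] = None if raw == unset else CONVERT.get(typ, str)(raw)
        rows.append(row)
    return rows


def long_lived_outbound(rows, min_seconds=1800, skip_ports=(53, 80, 443)):
    """Cheap beacon/exfil heuristic (thresholds are assumptions, tune per network):
    connections held open for at least min_seconds, to a port outside the usual
    web/DNS set, where the client sent more than it received."""
    return [r for r in rows
            if r["duration"] is not None and r["duration"] >= min_seconds
            and r["id.resp_p"] not in skip_ports
            and (r["orig_bytes"] or 0) > (r["resp_bytes"] or 0)]


def pcap_filter(row):
    """BPF expression (tcpdump/Wireshark capture-filter syntax) selecting one flow,
    so a log hit can be pulled back out of the original pcap."""
    return (f"{row['proto']} and host {row['id.orig_h']} and port {row['id.orig_p']} "
            f"and host {row['id.resp_h']} and port {row['id.resp_p']}")


if __name__ == "__main__":
    for hit in long_lived_outbound(parse_zeek_log(SAMPLE_CONN_LOG)):
        print(hit["uid"], pcap_filter(hit))
```

Typing the columns is what makes the search correct rather than merely convenient: comparing `duration` or `orig_bytes` as strings would sort `"900"` after `"52000"`. The `uid` column is the join key Zeek uses across conn, ssl, dns and the other logs, so a hit here can also be cross-referenced before going back to the packets.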

Read more about Brim

Picture this: a polymorphic payloads image processing test suite

A new open source tool that allows researchers to trial their cross-site scripting (XSS) payloads in polymorphic images has already netted security researchers $10,000.

Researchers from Doyensec earned the bounty by using the utility to hack Google Scholar.

A polymorphic image file is a valid image that also carries additional embedded content, such as script code, which a different parser may interpret.

“The test suite is a first step towards exploring the differences between the most popular image processing libraries when converting a polymorphic image,” Doyensec’s Lorenzo Stella told The Daily Swig.

“Many secure image upload libraries already perform various checks such as validating the image file format, heuristically checking for unwanted bytes in its sections, or cleaning EXIF’s metadata.

“Our tool can facilitate the tedious work of discovering bypasses in security checks implemented by image upload services, hence we expect other researchers to leverage the tool during security testing efforts or bug bounties.”
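Both sides of what Stella describes, as an added example that is not Doyensec's test-suite code: a 1x1 GIF is built from its raw fields, an XSS-style payload is embedded in a GIF comment extension so the file stays a valid image, and a block walker then inspects every section and reports extension payloads containing markup, the kind of "unwanted bytes in its sections" check an upload service might run. The payload string and the `MARKUP` list are assumptions; the test suite's actual question, which image libraries preserve such bytes when converting the file, is the step this stand-alone example does not perform.

```python
"""Added example, not Doyensec's test-suite code: build a GIF that also carries
a text payload in a comment extension, then walk the GIF block structure and
report extension payloads that contain markup, the kind of 'unwanted bytes in
a section' check an upload service might apply."""
import struct

# Constructed: the well-known 43-byte 1x1 transparent GIF, written out as fields.
HEADER = b"GIF89a"
LSD = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)     # 1x1 canvas, global colour table present
GCT = b"\x00\x00\x00\xff\xff\xff"                 # two colours
GCE = b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension: index 0 transparent
IMAGE = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
TRAILER = b"\x3b"

# Assumed payload; any bytes the target context would interpret will do.
PAYLOAD = b'<svg onload="alert(document.domain)">'


def sub_blocks(data):
    """Encode bytes as GIF sub-blocks: length-prefixed chunks of up to 255, then 0x00."""
    out = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                   for i in range(0, len(data), 255))
    return out + b"\x00"


def build_gif(comment=None):
    """The 1x1 GIF, optionally with a comment extension (0x21 0xFE) holding `comment`."""
    body = HEADER + LSD + GCT
    if comment is not None:
        body += b"\x21\xfe" + sub_blocks(comment)
    return body + GCE + IMAGE + TRAILER


def read_sub_blocks(buf, pos):
    """Return (payload, position after the 0x00 terminator)."""
    payload = b""
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return payload, pos
        payload += buf[pos:pos + n]
        pos += n


def colour_table_size(packed):
    """Bytes in a colour table when the packed byte says one is present, else 0."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def walk_gif(buf):
    """List of (kind, payload) for every block after the screen descriptor."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + colour_table_size(buf[10])
    blocks = []
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag == 0x3B:
            blocks.append(("trailer", b""))
            break
        if tag == 0x21:
            label = buf[pos]
            payload, pos = read_sub_blocks(buf, pos + 1)
            blocks.append((f"ext_{label:02x}", payload))
        elif tag == 0x2C:
            pos += 9 + colour_table_size(buf[pos + 8]) + 1   # descriptor, local table, LZW min code size
            payload, pos = read_sub_blocks(buf, pos)
            blocks.append(("image", payload))
        else:
            raise ValueError(f"unexpected block 0x{tag:02x} at offset {pos - 1}")
    return blocks


MARKUP = (b"<script", b"<svg", b"onerror=", b"onload=", b"javascript:", b"<?php")


def suspicious_sections(buf):
    """Extension blocks whose payload contains markup-like bytes."""
    return [(kind, payload) for kind, payload in walk_gif(buf)
            if kind.startswith("ext_") and any(m in payload.lower() for m in MARKUP)]


if __name__ == "__main__":
    print(walk_gif(build_gif()))
    print(suspicious_sections(build_gif(PAYLOAD)))
```

A plain substring search over the whole file would also catch this payload, but walking the structure is what lets a checker distinguish a comment or application extension (where text has no business being) from compressed pixel data, and it is also the natural place to strip those sections rather than reject the upload. Whether a payload survives re-encoding is exactly what the Doyensec suite measures per library, and the answer differs for comments, metadata and pixel data.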

Read more about this security tool

Cracking CAPTCHAs using machine learning

A recently developed tool applies machine learning techniques to make cracking CAPTCHAs far more straightforward.

CAPTCHA22, a CAPTCHA-cracking server developed by security firm F-Secure, takes the ‘brute’ out of ‘brute-force’ in the process of solving human verification challenges.

CAPTCHAs are challenge-response tests used as gatekeepers by many sites in a bid to differentiate between genuine attempts to sign up to web services by humans and automated requests by bots.

F-Secure reports 90% accuracy in cracking Microsoft Outlook’s text-based CAPTCHAs with the AI-based server, whose name is inspired by Joseph Heller’s famous WWII-set novel Catch-22.

Read more about CAPTCHA22

PREVIOUS EDITION: Latest Hacking Tools – Q1 2020