What is it?

Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community.

How it works

Websecurify uses several key technologies combined together to achieve the best possible result when performing automatic and manual tests. At the core of the platform sits a Web Browser. This allows Websecurify to gain a fine-grained control over the targeted web application and as such detect vulnerabilities that are difficult to find with other tools.

The carefully engineered user interface is simple to use but powerful. All tools and platform features are integrated with each other. This allows smooth transition from one type of task to another and it also makes it easier to work with the complex flow of data, gathered during the penetration test.

The built-in vulnerability scanner and analyzation engine are capable of automatically detecting many types of web application vulnerabilities as you proceed with the penetration test. The list of automatically detected vulnerabilities include:

SQL Injection Local and Remote File Include Cross-site Scripting Cross-site Request Forgery Information Disclosure Problems Session Security Problems many others including all categories in the OWASP TOP 10 Websecurify design principles emphasise on ease of use and extensibility. Virtually every single platform component can be extended with the help of add-ons and plugins. This means that task and business specific customizations can be introduced without the need to worry about cross-platform issues, deployment, internationalization and future support.

Why Websecurify

Websecurify is a carefully engineered piece of software, which packs years of hands-on penetration testing experience. It is actively used and improved on a daily basis by full-time penetration testers and web security researchers. Unlike other products, all Websecurify features are designed to be easy to use and to aid the penetration testing process from start to finish in any possible scenario during automated, semi-automated or fully manual penetration tests.

The penetration testing platform is the only one of its kind. Websecurify is in effect built on the top of a browser and can understand all modern web technologies including upcoming web standards and current technologies such as HTML5.

Google Chrome

The Websecurify security testing engine is also available for the Google Chrome (Chromium) web browser. This extension provides intuitive web application security testing environment which is easy to use by everyone: from casual users who want to check the security of their web apps to experienced professionals.

Websecurify for the Google Chrome Web Browser is a perfect fit for busy web developers and penetration testers who are working on the next big thing but must keep the security perimeter tight. For more information visit Chrome Webstore.

Main Features

Some of the main features of Websecurify include:

Available for all major platforms (Windows, Mac OS, Linux) Simple to use user interface Builtin internationalization support Easily extensible with the help of add-ons and plugins Exportable and customisable reports with any level of detail Moduler and reusable design Powerful manual testing tools and helper facilities Team sharing support Powerful analytical and scanning technology Built-in service and support integration Scriptable support for JavaScript and Python Extensible via many languages including JavaScript, Python, C, C++ and Java

More information can be found at the Websecurify website

A somewhat scary bit of research has been done by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. They found that the current methods for clearing hard drives of their data (ie: removing of sensitive material or just clearing it for selling or handing down to someone else for example) doesn't work for SSD (solid state drives), which are very commonly found as USB Thumb drives and more commonly shipping or being put into new systems in place of standard hard drives.

While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs' built-in sanitization commands by extracting raw data from the SSD's flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.

This third conclusion leads us to develop flash translation layer extensions that exploit the details of flash memory's behavior to efficiently support file sanitization. Overall, we find that reliable SSD sanitization requires built-in, verifiable sanitize operations.

More information can be found as a Video, PDF or also a summary article at TheRegister