Tools, tools, tools.

Maltego GUI is off-the-freaking-chain. Check it out at

Also, the folks at Security Compass have released some new Firefox plugins which should aid in detecting SQL injection and XSS. I’m between gigs, but will give these a good test drive the next time I’m tasked with a web application.

If one doesn’t already exist, I’d like an open source “Reporting Framework”. A Metasploit for power reporters. I spend at least 10% of my consulting hours on reporting. I hate reporting. Feed this tool your reports and get back a standard report in the template of your choosing. All cross-referencing with CVE, CVSS, BID, NIST, etc. should be automagic. Relevant references should be automatically inserted (links to patches, standards, etc.). There should even be an option for uploading screenshots which are tagged to an IP/FQDN and service…
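As an added sketch of that idea (not a real tool, and not code from this post): findings from several scanners are normalised to one record tagged to host and service, cross-referenced against a reference table, deduplicated, and pushed through whatever template you choose. The `REFERENCES` table and the CVE ids in it are constructed placeholders, not real advisory data.

```python
"""Minimal reporting-framework sketch: normalise, cross-reference, merge, render."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder reference data keyed by CVE id (not a real feed).
REFERENCES: Dict[str, Dict[str, object]] = {
    "CVE-0000-0001": {"cvss": 7.5, "cwe": "CWE-89",
                      "links": ["https://example.invalid/patch/0001"]},
    "CVE-0000-0002": {"cvss": 4.3, "cwe": "CWE-79",
                      "links": ["https://example.invalid/advisory/0002"]},
}

@dataclass
class Finding:
    host: str                      # IP or FQDN the finding is tagged to
    service: str                   # e.g. "tcp/443 https"
    title: str
    cve: str = ""
    cvss: float = 0.0
    cwe: str = ""
    links: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)   # tools that reported it

def enrich(f: Finding, refs: Dict[str, Dict[str, object]] = REFERENCES) -> Finding:
    """Fill in CVSS, CWE and reference links from the lookup table when the CVE is known."""
    ref = refs.get(f.cve)
    if ref:
        f.cvss = f.cvss or float(ref["cvss"])
        f.cwe = f.cwe or str(ref["cwe"])
        f.links.extend(l for l in ref["links"] if l not in f.links)
    return f

def merge(findings: List[Finding]) -> List[Finding]:
    """Collapse duplicates on (host, service, CVE-or-title); highest CVSS first."""
    merged: Dict[tuple, Finding] = {}
    for f in findings:
        key = (f.host, f.service, f.cve or f.title.lower())
        if key in merged:
            # Same issue seen by another tool: record the extra source only.
            merged[key].sources.extend(s for s in f.sources if s not in merged[key].sources)
        else:
            merged[key] = enrich(f)
    return sorted(merged.values(), key=lambda x: x.cvss, reverse=True)

def render(findings: List[Finding], template: str) -> str:
    """Render each merged finding through a str.format template of the user's choosing."""
    return "\n".join(template.format(**vars(f)) for f in findings)
```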

Enjoy the holiday of your choosing,


  • uzuzz

    Jesus Christ, why Java?

  • dmitryc

    Yeah, I feel ya :). I had to bite the Java-phobe bullet with Paros. It is a pretty GUI though, isn’t it?

  • dre

    OWASP has a ReportGenerator tool

    What I would like to see are tools that are CWE-Compatible. I’m surprised that you left CWE out of your list, as I find it to be much more important than any of the others, since it’s getting to the root-cause of every vulnerability.

    Ideally, the output of design or code review would be issues in the development team’s bug tracking system. The output of an architectural review should be trouble tickets or change requests in a change management system. Many of the CWE-Compatible tools are adding this functionality. Some output to XML, so that the information can be imported into a tracking system or used as filters for a WAF. One of my favorite tools (besides beSTORM, of course), Cenzic Hailstorm, supports adding issues directly to an issue tracking system using a curl-like interface (it is a web application injection tool after all).

    I’m also curious if you’ve seen W3AF, which has some excellent reporting capabilities (and it looks to be very easy to extend this functionality).

  • dmitryc

    I’ll have to try ReportGenerator – thanks. I’ve not ever used CWE either, but am intrigued with using it to generate WAF rules as well as its potential for code audits. I’ve used beSTORM (thanks to the Securiteam guys), but have never used Hailstorm. I have w3af installed since Jun 10 (according to the timestamp on the binary)… to my immense shame, I’ve yet to use it :-