Tachyon is a Fast Multi-Threaded Web Discovery Tool

The main goal of tachyon is to help webadmins find leftover files in their

site installation, permission problems and web server configuration errors.

It is not a vulnerability scanner, or a web crawler.

It provides:
– Plugin support
– SSL support
– Tor support (trough privoxy)
– Robots.txt support
– Common directory lookup
– Fast Multi-Threaded execution
– Automatic variable rate limiter
– Recursive scanning

– A mainstream OS (Windows, Linux, Mac OS X)
– Python 2.7
– urllib3 1.1+ (~# easy_install urllib3)

HOW TO HELP (for sysadmins)
– Run tachyon on your domain
– Run a recursive directory listing of your domain (I don’t need to know what is the domain)
– Send me the result list and the directory listing

– Add empty file detection/tagging
– Fix TOR support.
– Filter targets to remove duplicate scan
– Parseable output for GUI integration (better stats system for live stats)
– Add an match-string=404 mechanism for edge cases
– Add heuristic to limit false positives on recursive mode over bogus install (WEB-INF\***)
– Add callbacks method to plugins
– Support files in robots plugin
– Add support for non-xml /.svn/entries files
– Sitemap.xml plugin
Using tor
– Under Ubuntu:
– sudo apt-get install tor, privoxy
– open /etc/privoxy/conf, go to section 5.2, uncomment the line concerning Tor on localhost
– sudo service privoxy restart
– Enable the tor switch in tachyon
– Be patient, it will be a lot slower.

Download : Zipball  |  Tarball

Defending Against SQL Injection

SQL Injection (SQLi) is an attack methodology designed to provide hackers with access to database assets.  SQLi takes advantage of poorly secured web applications to create a connection to the database.  This is done by inputting a SQL command into an input field of a web application.  Once an “injection hole” is found, hackers are free to “explore” the database in search of database vulnerabilities they can exploit.

Network-based defenses, such as Web Application Firewalls (WAFs), are one line of defense against SQLi attacks.  However, they are limited by their ability to keep pace with the latest SQLi attack signatures.  The experienced hacker will eventually find a way through these perimeter defenses..

Read more in Herehttp://appsecinc.com [PDF format]