QuickInject is an extensive toolkit for manual web application security assessment. QuickInject allows to tailor injection requests that you can send or load using Sandcat, and can be used for performing a number of different operations, such as URL and POST Data Manipulation, Filter Evasion, as well as Referer and User-Agent Spoofing, and HTTP Header Manipulation. In addition to the capability to build requests, QuickInject can also be used to execute JavaScript in a loaded page. The first release of QuickInject is focused on File Inclusion, XSS and SQL Injection and comes with the following options:
SQL Injection functions
Filter Evasion - Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
Filter Evasion (MySQL-Specific) - String Concatenation, Percent Obfuscation & Integer Representation (eg: '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
UNION Statement Maker
Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
Version: 1.0 (Included with Sandcat) / License: Freeware
Pen-Tester Tools
Author: Syhunt
This extension pack includes:
Cookies and Cache Viewers
JavaScript Executor extension — allows you to load and run external JavaScript files
Lua Executor extension — allows you to load and run external Lua scripts
Page Menu extensions — allows you to view the page headers, cookies, whois information and more
Request Editor extension with request loading capabilities
Request Editor (Low-Level version)
Request Viewer — allows you to view details about a request or replay a request.
Ruby Console extension
Sandcat Tasks (Extensions that run as isolated processes):
Fuzzer extensions with multiple modes and support for filters
CGI Scanner extension
HTTP Brute Force
Script Runner extension — can execute scripts in a variety of languages
Tor Button extension — Anonymity for standard browsing
XHR Editor
Various Encoders/Decoders, new Sandcat Console commands, security related search engine options, and more
Screenshots
Source Editor
JavaScript Runner
Lua Runner
Ruby Console
Task in Progress
Multi-Encoder
Fuzzer Launcher
Fuzzer in Progress
Fuzzer Results
Version: 2.0 (Included with Sandcat) / License: Freeware
Syhunt Code Extension Pack
Author: Syhunt
Syhunt Code is a static code analysis tool that scans web applications for several kinds of vulnerabilities, including Cross-Site Scripting (XSS) and SQL Injection. It also identifies key areas of the code, such as key HTML tags, AJAX / JavaScript, entry points and interesting keywords, which can help accelerate a code review.
More details about it can be found here. This is a tool that can be used to harden government and education websites and open source web applications against web application security attacks.
Screenshots
SQL Injection Detection
XSS Detection
Secure Code
Preferences Screen
Version: 5.0 / License: Enterprise (must be ordered at Syhunt)