NoMore and 1=1--

To minimize the time required to perform web application tests, and to have a handy repository of attack patterns, M and I wrote this small tool, which we call No more and 1=1.


The tool comes in two flavors (so far): the standalone version (a Java app) and the version attached to the WebScarab proxy. We may bundle the tool with more proxies in the near future.

The tool is simple; its great value comes from the definitions file, which is totally customizable.

Downloads
  • Standalone Version here
  • Webscarab Version here
  • Attack definitions file here

Standalone Version
Requirements
  • A Java Runtime Environment is required.
  • Put the definitions.csv file (included in the zip file) in the same directory the program is run from.
  • Edit that file according to your needs, but respect the file syntax in definitions.csv: Scope,category,injection
  • No commas are allowed in the scope and category names, or parsing of the definitions file will fail.
  • Keep the definitions in order (sequential scope and category) or the menu will be over-populated.
Usage
  • Run the jar file: java -jar NoMore_AND_1=1.jar or just double-click on it.
  • Navigate through the menus to select your injection.
  • Click on your desired injection and it will be copied to your system's clipboard.
  • Paste it wherever you need it (Ctrl+V).
  • Have fun app testing and never worry again about retyping the same commands over and over.
Source Code
  • Source code here. NoMore.java
Webscarab Version
Requirements
  • A Java Runtime Environment is required.
  • Put the definitions.csv file (included in the zip file) in the same directory the program is run from.
  • Edit that file according to your needs, but respect the file syntax in definitions.csv: Scope,category,injection
  • No commas are allowed in the scope and category names, or parsing of the definitions file will fail.
  • Keep the definitions in order (sequential scope and category) or the menu will be over-populated.
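The syntax and ordering rules in the two Requirements lists can be checked before the file is loaded. The following lint script is an added example, not part of NoMore or WebScarab; it assumes that only the first two commas on a line act as separators and that "sequential" means each scope and category forms one contiguous group. The function names and sample rows are constructed for illustration.

```python
from collections import namedtuple

Definition = namedtuple("Definition", "line scope category injection")

# Constructed sample file. Payloads are placeholders, apart from the
# string taken from the page title.
SAMPLE = """\
SQL,Boolean,and 1=1--
SQL,Boolean,PLACEHOLDER_A,with,commas
XSS,Basic,PLACEHOLDER_B
SQL,Union,PLACEHOLDER_C
XSS,Basic,PLACEHOLDER_D
line without any fields
"""


def parse_definitions(text):
    """Split each line into Scope,category,injection; return (defs, problems)."""
    defs, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        # Assumption: only the first two commas are separators, so the
        # injection may contain commas while scope and category may not.
        parts = raw.split(",", 2)
        if len(parts) != 3 or not all(p.strip() for p in parts):
            problems.append((n, "expected Scope,category,injection"))
            continue
        defs.append(Definition(n, parts[0].strip(), parts[1].strip(), parts[2]))
    return defs, problems


def check_order(defs):
    """Report scopes/categories that reappear after another one started."""
    problems, seen_scopes, seen_cats = [], set(), set()
    prev_scope = prev_cat = None
    for d in defs:
        cat = (d.scope, d.category)
        if d.scope != prev_scope and d.scope in seen_scopes:
            problems.append((d.line, f"scope '{d.scope}' is not sequential"))
        elif cat != prev_cat and cat in seen_cats:
            problems.append((d.line, f"category '{d.category}' is not sequential"))
        seen_scopes.add(d.scope)
        seen_cats.add(cat)
        prev_scope, prev_cat = d.scope, cat
    return problems


if __name__ == "__main__":
    definitions, syntax_problems = parse_definitions(SAMPLE)
    for line, message in syntax_problems + check_order(definitions):
        print(f"definitions.csv:{line}: {message}")
```

A comma inside a scope or category name cannot be detected after the fact, because it silently shifts the field boundaries; reviewing the parsed scope and category values is the only way to catch it.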
Usage
  • Run the jar file: java -jar webscarab.jar or just double-click on it.
  • When in an injection pane, right-click and a contextual menu containing the No more menu will appear. See the Screenshots section.
  • Click on your desired injection and it will be copied to your system's clipboard.
  • Paste it wherever you need it (Ctrl+V).
  • Have fun app testing and never worry again about retyping the same commands over and over.
Source Code
  • Source code here
  • All of the changes made are contained in:

/src/org/owasp/webscarab/util/swing/TextComponentContextMenu.java


Tested in
  • Debian (KDE, DWM)
  • WinXP
Screenshots
[Screenshot image: JPG, 28 kB]

Also mentioned in
http://preachsecurity.blogspot.com/2010/02/web-hacking-gets-even-easier.html
http://www.elladodelmal.com/2010/02/semi-trues.html
http://seclists.org/fulldisclosure/2010/Feb/278?utm_source=twitterfeed&utm_medium=twitter
http://friendfeed.com/dilipkrbe/c8a96a97/rt-jeremiahg-securityshell-nomore-and-1-web
http://www.mindmeister.com/11594999