Software

HTCAP

htcap is a web application scanner able to crawl single page applications (SPAs) recursively by intercepting AJAX calls and DOM changes.
It also features a small but powerful framework to quickly develop custom fuzzers in less than 60 lines of Python.
Github

HTCRAWL

Node.js module built on top of Puppeteer for crawling, scraping and scanning single page applications (SPAs).
Github

CROPDESIGNER

Cropdesigner is a tool that takes a line drawing image, converts each line into a set of GPS coordinates and shows them on Google Maps.

Vulnerabilities

Mac OS X GateKeeper bypass

On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or the user's explicit permission.
CVE: CVE-2019-8656

TorMoil – Deanonymize Tor Browser Users

Tor Browser version 7.0.8, and probably prior, for Mac OS X and Linux, is affected by an information disclosure vulnerability that leads to full de-anonymization of website visitors using just a single HTML tag (no JavaScript).
CVE: CVE-2017-16541

Squirrelmail Remote Code Execution

Squirrelmail version <= 1.4.22 is vulnerable to an authenticated remote code execution vulnerability.
CVE: CVE-2017-7692

FULL LIST (24)

Misc.

Update: MacOS X Gatekeeper bypass Fixed!

22 Jul 2019

Apple finally fixed it! https://support.apple.com/en-gb/HT210348
The following CVE has been assigned: CVE-2019-8656

MacOS X Gatekeeper bypass

24 May 2019

Easy and reliable way to bypass Gatekeeper on MacOS X. It seems that Apple won't release any patch or solution for this ;(
Some press: Wired | The Hacker News | Threat Post | Bleepingcomputer


Proudly introducing HTCRAWL

23 February 2019

HTCRAWL, the crawling engine used by HTCAP, is now available as a Node.js module!
With HTCRAWL you can easily crawl, scan and scrape single page applications or roll your own DOM-XSS scanner in less than 60 lines of code.
Github


const htcrawl = require('htcrawl');

// await is only valid inside an async function in a CommonJS module,
// so the whole flow is wrapped in an async IIFE
(async () => {
  // Get instance of Crawler class (launch() returns a promise)
  const crawler = await htcrawl.launch("https://htcrawl.org");

  // Print out the url of ajax calls
  crawler.on("xhr", e => {
    console.log("XHR to " + e.params.request.url);
  });

  // Start crawling! (start() resolves when the crawl is finished)
  await crawler.start();
})();

Proudly sharing the video of my TEDx speech

11 December 2019

I'm proud to share the video of my speech at TEDx Treviso. The speech is in Italian and has not yet been translated by the TED staff.


HTCAP now features its own http fuzzers

7 January 2019

HTCAP can now discover SQLi, XSS, command injection, file inclusion and more without the use of external tools.
A small but powerful framework to develop custom fuzzers has been added on top of HTCAP.
More info here


# fuzz() is a method of a fuzzer class built on HTCAP's fuzzer framework;
# `payloads` is the module-level list of strings that the fuzzer module defines,
# and get_mutations(), is_vulnerable() and sprint() are provided by the framework.
def fuzz(self):
    vulnerabilities = []
    # Initialize mutations iterator.
    # A mutation is an object that holds the original request with a parameter replaced with a payload
    mutations = self.get_mutations(self.request, payloads)
    for m in mutations:
        try:
            resp = m.send()
        except Exception as e:
            # Network or protocol error: log it and move on to the next mutation
            self.sprint("Error: %s" % e)
            continue

        # Nothing to inspect in an empty response
        if not resp.body:
            continue

        if self.is_vulnerable(resp.body):
            vulnerabilities.append(str(m))
            # Parameter already found vulnerable: skip its remaining payloads
            mutations.next_parameter()

    return vulnerabilities
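The loop above depends on a mutations iterator whose next_parameter() abandons the parameter being fuzzed as soon as a hit is recorded. As an added example (not htcap's code and not its API), the following stand-alone Python models that pattern: Request, Response, Mutation, Mutations, ReflectionFuzzer, run_demo and mock_server are assumed names for this illustration, and the HTTP exchange is replaced by a constructed in-process stand-in so the skip-on-hit behaviour, the empty-body check and the error path can be observed without network access. The probes are a harmless canary token, so the vulnerability check is only "was my marker reflected unencoded?".

```python
# Added example, not htcap's code: a stand-alone model of the mutation-iterator
# pattern the fuzz() snippet relies on. Request, Response, Mutation, Mutations,
# ReflectionFuzzer and mock_server are assumed names for this illustration; the
# HTTP exchange is replaced by an in-process stand-in so the example runs offline.
import html

class Request:
    def __init__(self, url, params):
        self.url, self.params = url, dict(params)

class Response:
    def __init__(self, body):
        self.body = body

class Mutation:
    """The original request with exactly one parameter replaced by one payload."""
    def __init__(self, request, param, payload, send_fn):
        self.request, self.param, self.payload = request, param, payload
        self._send_fn = send_fn
    def send(self):
        mutated = Request(self.request.url, {**self.request.params, self.param: self.payload})
        return self._send_fn(mutated)
    def __str__(self):
        return "%s param=%s payload=%r" % (self.request.url, self.param, self.payload)

class Mutations:
    """Iterates (parameter, payload) pairs one parameter at a time; next_parameter()
    drops the remaining payloads for the current parameter, which the snippet
    calls after a hit so a parameter already found vulnerable is not probed again."""
    def __init__(self, request, payloads, send_fn):
        self._request, self._payloads, self._send_fn = request, list(payloads), send_fn
        self._params = list(request.params)
        self._param_idx = self._payload_idx = 0
    def __iter__(self):
        return self
    def __next__(self):
        while self._param_idx < len(self._params):
            if self._payload_idx < len(self._payloads):
                m = Mutation(self._request, self._params[self._param_idx],
                             self._payloads[self._payload_idx], self._send_fn)
                self._payload_idx += 1
                return m
            self.next_parameter()  # payloads exhausted for this parameter
        raise StopIteration
    def next_parameter(self):
        self._param_idx += 1
        self._payload_idx = 0

# Constructed probes: a harmless canary token, so is_vulnerable() asks only
# "was my marker echoed back unencoded?" rather than running a live exploit.
CANARY = "htcapcanary"
payloads = ["<%s>" % CANARY, "%s\"'" % CANARY]

class ReflectionFuzzer:
    """Minimal fuzzer whose fuzz() is the same loop as the snippet above."""
    def __init__(self, request, send_fn):
        self.request, self._send_fn = request, send_fn
    def sprint(self, msg):
        print(msg)
    def get_mutations(self, request, payloads):
        return Mutations(request, payloads, self._send_fn)
    def is_vulnerable(self, body):
        return any(p in body for p in payloads)  # marker reflected verbatim
    def fuzz(self):
        vulnerabilities = []
        mutations = self.get_mutations(self.request, payloads)
        for m in mutations:
            try:
                resp = m.send()
            except Exception as e:
                self.sprint("Error: %s" % e)
                continue
            if not resp.body:
                continue
            if self.is_vulnerable(resp.body):
                vulnerabilities.append(str(m))
                mutations.next_parameter()
        return vulnerabilities

def run_demo():
    """Fuzz a constructed request against an in-process stand-in server that escapes
    'name', echoes 'q' unencoded (the flaw) and returns an empty body when 'page'
    is not numeric. Returns (findings, number_of_requests_sent)."""
    sent = {"count": 0}

    def mock_server(req):
        sent["count"] += 1
        if not req.params.get("page", "1").isdigit():
            return Response("")
        return Response("<p>%s</p><p>%s</p>" % (html.escape(req.params.get("name", "")),
                                                req.params.get("q", "")))

    request = Request("https://example.test/search", {"name": "bob", "q": "shoes", "page": "1"})
    findings = ReflectionFuzzer(request, mock_server).fuzz()
    return findings, sent["count"]
```

With three parameters and two payloads, run_demo() sends five requests rather than six: the first hit on "q" triggers next_parameter(), so its second payload is never sent, while "name" (properly escaped) and "page" (empty body) are probed with both.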

HTCAP version 1.1 is out!

14 November 2018

Goodbye PhantomJS and thanks for the great job you did!! And.. welcome Puppeteer!!
HTCAP now uses headless Chrome as its browser engine, with full support for ECMAScript 6. The crawling engine has been rewritten from scratch to take advantage of async/await.
Github


TorMoil: all the details revealed

10 September 2018

I'm finally proud to reveal all the details about TorMoil. The Firefox team finally fixed the vulnerability that leads to TorMoil on Tor Browser.
Plus, another similar vulnerability exists on Windows but it needs user interaction to be exploited: details here


TorMoil: TorBrowser unspecified critical security vulnerability

30 October 2017

TorBrowser version 7.0.8, and probably prior, for Mac OS X and Linux, is affected by an unspecified critical security issue.
According to the Tor Project, further details will be released in the near future.

Some press: The Hacker News | The Inquirer | Threat Post | Bleepingcomputer


Mac OS X Local Javascript Quarantine Bypass

27 September 2017

Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary Javascript code without restrictions.
The vulnerability was trivial as hell and Apple chose to SILENTLY FIX it by removing the vulnerable component from the operating system.. Come on Apple, don't be too ashamed of your stupid mistakes.

Some press: Bleepingcomputer | Security week

Update: 22 July 2019

I accidentally discovered that Apple documented this fix later in November 2017 (https://support.apple.com/en-us/HT208144). The following CVE was assigned: CVE-2017-13819


Squirrelmail Remote Code Execution

19 April 2017

Squirrelmail version <= 1.4.22 is vulnerable to a remote code execution vulnerability because it fails to sanitize a string before passing it to a popen call.
It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.

Some press: The Register | Threat Post | Helpnet Security


Microsoft Remote Desktop Client for Mac Remote Code Execution

7 December 2016

A vulnerability exists in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine.


Htcap beta 1.0, now it’s a vulnerability scanner

26 February 2016

Htcap is a web application scanner able to crawl single page applications (SPAs) recursively by intercepting AJAX calls and DOM changes. Github


Symphony CMS Multiple Vulnerabilities

8 February 2016

The contentAjaxQuery class suffers from a SQL injection vulnerability because the request parameter "query" is used to build a SQL query without being properly sanitized.


ProjectSend multiple vulnerabilities

26 January 2016

ProjectSend (previously cFTP) suffers from multiple vulnerabilities.

Lychee remote code execution

15 April 2015

Lychee version 2.7.1, and probably below, suffers from a remote code execution vulnerability.