The latest articles on DEV Community by True Positives, LLC. (@truepositives). https://dev.to/truepositives https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F7901%2F860cb0d4-56e0-4b4e-812e-088e9ed4625e.png https://dev.to/truepositives en Brian Pavicic Wed, 22 Nov 2023 02:51:38 +0000 https://dev.to/truepositives/clearing-the-way-for-proactive-code-security-testing-21n https://dev.to/truepositives/clearing-the-way-for-proactive-code-security-testing-21n <p>To clients and the broader AppSec community, it is <a href="https://www.true-positives.com">True Positive's</a> mission to deliver precise and affordable software security testing solutions. </p> <p>One offering enormous potential benefits to the DEV community is the <a href="https://www.ptk-plus.io/owasp-ptk">OWASP Penetration Testing ToolKit (aka PTK)</a>, an <strong>open source tool made freely accessible</strong> by T+. </p> <p>With PTK, you can unlock breakthrough browser-enabled security analysis to supercharge security testing to: </p> <ul> <li>Effortlessly discover potential security bugs.</li> <li>Go deeper to verify bugs and expose hidden threats.</li> <li>Inform remediation and test fixes.</li> </ul> <p><strong>OWASP PTK: Key Capabilities &amp; Features</strong></p> <p><strong>Insightful Information:</strong> Get one-click access to insightful information about the target application, including its technology stack, Web Application Firewalls (WAFs), security headers, crawled links, and authentication flow.</p> <p><strong>In-Browser Runtime Scanning:</strong> PTK offers Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) scanning within your browser. Detect SQL Injections, Command Line Injections, Stored and Reflected Cross-Site Scripting (XSS) vulnerabilities, and more. It even identifies complex threats like SQL Authentication Bypass, XPath injections, and JWT attacks.</p> <p><strong>Proxy with Traffic Log:</strong> PTK includes a proxy with a detailed traffic log. This log allows you to repeat any request in the R-Builder or send it to the R-Attacker. You can automate the execution of Cross-Site Scripting (XSS), SQL injection, or OS Command injections.</p> <p><strong>Request Builder for Request Tampering:</strong> The extension includes R-Builder, a powerful tool that allows you to craft and manipulate HTTP requests with precision. It empowers you to execute complex maneuvers, including HTTP request smuggling attacks, for a comprehensive assessment of application vulnerabilities.</p> <p><strong>Cookie Management:</strong> PTK includes a cookie editor, allowing you to manage cookies efficiently. Add, edit, remove, block, protect, export, and easily import cookies.</p> <p><strong>Decoder/Encoder Utility:</strong> The integrated utility helps you manage encoding and decoding from and to various formats, including UTF-8, Base64, MD5, and more.</p> <p><strong>Swagger.IO Integration:</strong> We've integrated Swagger.IO to enhance your understanding of API documentation. Easily create requests to interact with API endpoints.</p> <p><strong>Selenium Integration:</strong> With Selenium integration, PTK aids in identifying security risks at the early stages of the development cycle, ensuring robust security from the outset.</p> <p><strong>Tool Roadmap</strong>. <strong>Coming December 2023</strong>.</p> <p><strong>JWT Inspector:</strong> We've added a crucial new feature – JWT Inspector. It empowers you to analyze JSON Web Tokens (JWT), build new tokens using different algorithms (including None algorithm), and generate public and private keys for JWT signing.</p> <p><a href="https://www.ptk-plus.io/owasp-ptk">Get the OWASP PTK open-source tool free here</a>.</p> <p><a href="https://www.ptk-plus.io">Explore the feature-enhanced edition, PTK Plus(PTK+) </a>. </p> <p>Question? ](<a href="mailto:ptk-support@ptk-plus.io">ptk-support@ptk-plus.io</a>)</p> security opensource testing api