XSS-Me does Cross Site Scripting (XSS) injection against the forms on a page. This will send a predefined set of attack strings against the website to see if the site reflects the content back to the user.

SQL Inject-Me is a tool to do some SQL injection tests against an application. It will send a series of SQL commands and attempt to make the database return an error message to the user.

Anyway, check out the Exploit-Me site and give the tools a try. If you find any issues you can report them to bugs at securitycompass.com.

Oh, and as an added bonus, the tools are being released under the GPL v3. We’re working on getting bug tracking, mailing lists and all that other infrastructure setup for the project.

Spent some time puttering around shellcode.org which has some pretty good info, and read through some of the shellcode community postings on livejournal.

It brings up some interesting sounding programs and possibilities. The one that caught my eye was a source code scanner to find bad format string usage in programs (Can't remember the name or url at the moment). It would be an interesting exercise to extend that concept, except write a full on c compiler. After you get the code into your abstract syntax tree start the analysis from there. You can keep track of what is the dirty data and how its used and probably do other bounds checks and that kinda thing. Not sure how well it would work, but it seems like an interesting idea at least.

Anyway, more to look at and more to read. If you've got some interesting links, send em my way. Articles, URLs, tools, whatever.