Sandcat Browser 4 brings unique features that are useful for pen-testers and web developers. Sandcat is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.
- Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
- Sandcat Console — an extensible command line console that lets you easily run custom commands and scripts against a loaded page
- Page Menu extensions — allows you to view details about a page and more.
- Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.
- Cookies and Cache Viewers
- Lua Executor extension — allows you to load and run external Lua scripts
- Page Menu extensions — allows you to view the page headers, cookies, whois information and more
- Request Editor extension with request loading capabilities
- Request Editor (Low-Level version)
- Request Viewer — allows you to view details about a request or replay a request.
- Ruby Console extension
Sandcat Tasks (Extensions that run as isolated processes):
- Fuzzer extensions with multiple modes and support for filters
- CGI Scanner extension
- HTTP Brute Force
- Script Runner extension — can execute scripts in a variety of languages
- Tor Button extension — Anonymity for standard browsing
- XHR Editor
- Various Encoders/Decoders, new Sandcat Console commands, security related search engine options, and more
The web application hacking functions are based on QuickInject:
SQL Injection functions
- Filter Evasion – Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
- Filter Evasion (MySQL-Specific) – String Concatenation, Percent Obfuscation & Integer Representation (e.g. '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
- UNION Statement Maker
- Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
File Inclusion functions
- One-Click Log Poisoning
- Quick Shell Upload code generator
- PHP String Escape (chr)
Cross-Site Scripting (XSS) functions
- Various handy alert statements for testing for XSS vulnerabilities.
- MD5 Hash Crackers – Built-in (offline) and online MD5 hash crackers
- Hash Generators – MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
- URL Encoder/Decoder
- Hex Encoder/Decoder – Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
- Base64 Encoder/Decoder
- CharCode Converter – Converts a string to charcodes (e.g. 'abc' becomes '97,98,99') or vice-versa.
- IP Obfuscator – Converts an IP to dword, hex or octal.
- HTML Escape/Unescape
- HTML Entity Encoder/Decoder – Decimal and hexadecimal HTML entity encoders & decoders
- Text Manipulation functions – Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
- CRC Calculators – CRC16, CRC32, CRC32b, and more.
- Classical Ciphers – ROT13 & ROT[N]
- Checksum Calculators – Adler-32 & Fletcher
- Buffer Overflow String Creator
- Random String & Number Generation functions
- URL Splitter
- Useful Strings – Math, character sets and more.
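The IP Obfuscator listed above converts a dotted-quad address into the dword, hex or octal forms that most URL parsers still accept. The following is an added example, not Sandcat's own code: it produces those three forms and, more usefully for a defender, normalizes any of them back to dotted decimal so that obfuscated hosts in logs or URLs can be matched against blocklists. Sample addresses are constructed; the parsing rules follow the classic inet_aton convention where the last component fills the remaining bytes.

```python
"""Added example (not part of Sandcat): IPv4 dword/hex/octal forms and a normalizer."""


def ip_to_dword(ip: str) -> int:
    """'192.168.0.1' -> 3232235521 (the 32-bit integer form)."""
    parts = [int(p, 10) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def ip_to_hex(ip: str) -> str:
    """'192.168.0.1' -> '0xC0A80001'."""
    return "0x%08X" % ip_to_dword(ip)


def ip_to_octal(ip: str) -> str:
    """'192.168.0.1' -> '0300.0250.00.01' (each octet as a zero-prefixed octal)."""
    ip_to_dword(ip)  # validate first
    return ".".join("0%o" % int(p, 10) for p in ip.split("."))


def _parse_component(p: str) -> int:
    # Same prefix rules as inet_aton: 0x -> hex, leading 0 -> octal, else decimal.
    if p[:2].lower() == "0x":
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def normalize_ip(text: str) -> str:
    """Accept dotted/dword/hex/octal/mixed forms and return canonical dotted decimal."""
    parts = [_parse_component(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many components: {text!r}")
    value = 0
    for p in parts[:-1]:  # all but the last component are single bytes
        if not 0 <= p <= 255:
            raise ValueError(f"component out of range: {text!r}")
        value = (value << 8) | p
    remaining = 4 - (len(parts) - 1)  # the last component fills the remaining bytes
    if not 0 <= parts[-1] < (1 << (8 * remaining)):
        raise ValueError(f"last component out of range: {text!r}")
    value = (value << (8 * remaining)) | parts[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_obfuscated(text: str) -> bool:
    """True when the address is written in anything other than plain dotted decimal."""
    return normalize_ip(text) != text.strip()
```

Running `normalize_ip` over the host part of every URL before comparing it to an indicator list closes the gap that these encodings are meant to exploit.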