Contact GDS Labs

Send all tool questions or comments to us via email:

tools [at]


Accepting Un-Trusted Certificates using the iOS Simulator

Script for easily importing a trusted CA certificate into the iOS Simulator's trust store. This provides application testers the ability to intercept SSL traffic when using the simulator for testing. More information can be found on the GDS Blog.

The add_ca_to_iossim python script can be download from the GDS page on GitHub.


Perl script for automating Padding Oracle Attacks. PadBuster provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks. More information can be found on the GDS Blog.

PadBuster can be downloaded from the GDS page on GitHub.


The GDS Burp API exposes a Python object interface to requests/responses recorded by Burp (whether Proxy/Spider/Repeater, etc). The API is used to parse Burp logs, creating a list of "Burp objects" that contain the request and response data and related meta-data. For more information see the GDS Blog.

Burpee can be downloaded from the GDS page on GitHub.


A command line tool that analyzes the obfuscated Javascript produced by Google Web Toolkit (GWT) applications in order to enumerate all services and method calls. More information can be found on the GDS Blog.

GwtEnum can be downloaded from the GDS page on GitHub.


A command line tool that parses a Google Web Toolkit (GWT) RPC payload and generates a new payload value with all fuzzable values identified. Gwtparse provides the ability for testers to customize how these values are identified in order to easily incorporate the results into the web application fuzzer of their choice. More information can be found on the GDS Blog.

GwtParse can be downloaded from the GDS page on GitHub.

IIS Secure Parameter Filter (SPF)

SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters at runtime (Query String Values, Form Inputs & Cookies).

SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.

SPF can be downloaded from CodePlex.


Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services. More information can be found on the GDS Blog.

Blazentoo can be downloaded from the GDS page on GitHub.


Transformer.NET is a bi-directional HTTP transformation module for Microsoft IIS6 & IIS7. The current Beta version provides support for regex-based URL re-writing, allowing URLs in both incoming HTTP requests and outbound HTTP responses to be re-written on-the-fly. This flexibility gives website administrators the ability to alter website URLs without the need to modify any underlying website/application source code.

Transformer.NET supports inbound and outbound transformation of content rendered with any HTTP handler on IIS7 (PHP, Classic ASP, ASP.NET, Java, ColdFusion, etc). Outbound transformation support on IIS6 is limited to only ASP.NET applications (this is a limitation of IIS6), however incoming requests to any handler can be re-written. Additional information can be found on the GDS Blog.

Transformer.NET can be downloaded from the GDS page on GitHub.

WCF Binary Soap Plug-In for Burp

This is a Burp Suite plug-in designed to encode and decode WCF Binary Soap request and response data ("Content-Type: application/soap+msbin1). There are two versions of the plug-in available. For more information read the GDS Blog post on this topic.

Burp Request Plug-In: This plug-in works with Burp 1.3 and later, and allows binary requests to be edited on the fly. This version does not support editing of response data. For editing response data, use the "chained" version below.

WCF Binary Soap Request Plug-In for Burp (1.3 and later).

Chained WCF Burp Plug-In: This plug in supports editing of both requests AND responses. The caveat to using this version of the plug-in is that you'll need to chain two burp instances together as a workaround for a limitation in the Burp Extender API.

Chained WCF Binary Soap Plug-In for Burp (All Versions).

Deflate Burp Plugin

The Deflate Burp Plugin is a plug-in for Burp Proxy (it implements the IBurpExtender interface) that decompresses HTTP response content in the ZLIB (RFC1950) and DEFLATE (RFC1951) compression formats.

At present, Burp Proxy only unpacks gzip compressed data. The plug-in will attempt to decompress every HTTP response body it handles, irrespective of whether the "Content-Encoding: deflate" HTTP response header is present. If decompression fails, the original response message will be passed on by the plug-in unchanged.

In addition to the source and binaries for the plug-in, the download also includes an example servlet that generates RFC1950 and RFC1951 compressed HTTP response bodies for testing the plug-in.

More information can be found on the GDS Blog.

Deflate Burp Plugin can be downloaded from the GDS page on GitHub.

AntiXSS for Java

AntiXSS for Java is a port of the Microsoft Anti-Cross Site Scripting (AntiXSS) v1.5 library for .NET applications. The library requires Java 1.4 or higher, but has no other prerequisites.

For those not familiar with the Microsoft AntiXSS library, it is an output encoding library for avoiding Cross Site Scripting vulnerabilities. Specifically it is intended to safely encode information written to the user's browser within a specific context (i.e. if writing a string into the HTML of a page, you need to use the correct function - HtmlEncode). Unlike some other solutions the library implements a white listing approach, and encodes everything except characters known to be harmless. For example, the string <script> will be HTML encoded as &#60;script&#62;.

A description of the methods supported, and the encoding performed, can be found on the GDS Blog.

AntiXSS for Java can be downloaded from the GDS page on GitHub.

SQL Brute

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn't require non-standard libraries. A walkthrough of using SQLBrute can be found on Justin Clarke's personal blog.

SQLBrute can be downloaded from the GDS page on GitHub.

Content from "Network Security Tools"

The following are some of the tools developed for the book Network Security Tools, Writing, Hacking, and Modifying Security Tools, published April 2005 by O'Reilly (ISBN 0-596-00794-9). These examples, along with the rest of the examples from the book, are also available from O'Reilly.

PMD SQL Injection Rules

PMD is a static source analysis tool for analysing Java source code. In Chapter 6 of Network Security Tools, Joe Hemler discussed how to write rules for PMD that could be used to detect SQL Injection vulnerabilities.

PMD SQL Injection Rules can be downloaded from the GDS page on GitHub.

Simple/Extended Scanner

In Chapters 8 and 9 of Network Security Tools, Brian Holyfield explores the design and implementation of a simple web application scanning (Chapter 8) and exploitation (Chapter 9) engine in Perl. Chapter 8 is the sample chapter for this book, and is available online from O'Reilly.