FuseSoft Developer/Security Blog


New year, new site, new products!

Happy new year everyone! As part of the exciting year to come we will be launching a brand new site with a new customer portal to make it easier for our beta testers and regular customers to download and use our products. This blog will also be moving to a new URL. The old one will stay around for a while; it just won't be updated anymore.

We will be introducing some new products soon:

  • Faction Enterprise
  • Faction Lite
  • Faction Projects
  • Arcus Collaboration Server
We will be releasing pricing information for these projects on the site as well.

We will also be closing our beta testing window around the end of January or February and getting everything ready for production! If you have not signed up for the beta there is still time. We would love your feedback before we finish the final version. You can sign up via our site at https://www.fusesoftsecurity.com.

Be sure to check back regularly and follow us on twitter @fusesoftllc to stay up to date.


Updates in Faction 1.8

We have added many new features in Faction 1.8, including new dashboards, better Burp Suite integration, DOCX templates/reports, an improved REST API, and better metrics.

If this is your first time learning of FuseSoft and Faction, we specialize in developing software for web and mobile penetration testing teams to enhance assessment collaboration, remediation and risk tracking, assessment scheduling, and automated report generation. Find out more at https://www.fusesoftsecurity.com. You can also request the free beta and we will provide a demo of all the features and how to use Faction in your assessment process.

New Dashboard and Notifications:

The new dashboard shows all the security assessments assigned to you as well as issues that have been assigned to you for retest/verification of remediation. There is also a section that shows what your current week looks like: which assessors you're testing with and the scope of your assessments this week.

Notifications also alert you when peer reviews are completed for your assessment reports, when reports have finished generating, and when retest reports are available after verifications/retests are complete.

Burp Suite Integration:

Most of the same dashboard is available inside Burp Suite, so you don't even need to log into the web version when performing your assessments/verifications. You can see your assessment queue, verification queue, and assessment vulnerability history, and submit vulnerabilities directly from Burp.

Below are your assessment and verification queues.

Clicking on your current assessment will display the scope and assessment history as well as issues your teammates are discovering in real time.

You can even replay the payloads found by other assessors into your repeater. Every payload saved to Faction will have the option to replay the request inside Burp. This helps not only with your current assessment but also for verification/retests. No longer will you need to find an old burp state to recreate findings for retest. 

Submit Vulnerabilities Directly from BurpSuite :

Any request, response, or scan issue can be added directly to Faction from Burp. For instance, let's say you find XSS on a site. You can select just the section of the response showing the exploit and have it automatically added into your report. The following example extracts the POST request and the relevant section of the response, and lets you add the reproduction steps. We support Markdown syntax for inserting text, and you can search the database for default vulnerabilities (e.g. XSS, SQLi) to add to the assessment.

Below is the resulting text as shown inside the Faction web application.

And then finally added to the Generated Docx Reports.

Better Collaboration Options:

You can send Repeater items, site maps, and scan issues directly to another user's Repeater through Faction. Just right-click the request and select the user on your team who should receive the payload. They can then replay it with your cookies and session information and send it back once a successful payload is found.

Better Metrics:

You can track risk ratings and vulnerabilities for individual applications as well as for campaigns you create. This makes it easy to show year-over-year risk reduction across enterprise assessments.

Better Remediation Tracking:

Know exactly when issues are approaching due dates with the Remediation Queue. You can assign issues to assessors for retest and know when retests are going past due. 

Better Assessment Scheduling:

When scheduling assessments, Faction will alert you when assessors' schedules conflict with new assessments as they come up. This ensures you're assigning the people who are most readily available to accept new assessment opportunities.

Fully Documented REST API:

Once you have Faction installed, you can navigate to [PATH]/api-docs/ and review and test all the APIs we have made available. This can allow you to tie Faction into other ticketing systems, project management systems, and integrate with other home grown systems. 

Request Your Demo/Beta Today:

You can request a demo to see these features in action and more as well as request the free beta of Faction at https://www.fusesoftsecurity.com.


Intercepting Blackbox Binary Protocols in Mobile Applications with Nope Non-HTTP Proxy

Above is a quick overview of how to set up the NoPE Proxy, find the hostnames and ports the application is attempting to communicate with, and then set up non-HTTP listeners to MITM the connection. The application I found was a free game in the iOS App Store.


Introducing Arcus

Arcus is our new client/server collaboration project for BurpSuite. Arcus allows you to send data back and forth between one or more instances of BurpSuite. You can do the following things.

  1. Send one or many HTTP Requests to another user running BurpSuite.
  2. Send confirmed scan issues to another instance of BurpSuite.
  3. Send your Sitemap to another instance of BurpSuite.

You can send to other online users on your team, or send these items to another instance of Burp Suite you're logged into on another machine.

Below are a few examples. Notice in the next screenshot that you have a listing of online users that you can send different requests to. The Client shows who is currently online so that they can take the data that you want to send to them. This first example lets you select several items from your site map and send it to another user.

The next example demonstrates how to send your current repeater tab to another user. You can also set a Title for the tab that will display in the other user's repeater. 

If you're running Burp Suite Pro then you can send scan issues directly to another user.


NoPE Proxy

Black Hat Arsenal

Formerly known as 'Burp-Non-HTTP-Extension'

These are the details for our new Non HTTP Proxy extension for BurpSuite released at the 2016 Blackhat Arsenal. You can find the link below to download the latest release and visit our github repo for other tools like lister.py that can be used with this tool to make mobile assessments a little easier to MiTM.

Download latest release here


This extension is for those times when Burp just says 'Nope, i'm not gonna deal with this.'. It's actually an acronym for Non-HTTP Protocol Extending Proxy for Burp Suite.
This burp extension adds two new features to BurpSuite.
  1. A configurable DNS server. This will route all DNS requests to Burp or to preconfigured hosts. It makes it easier to send mobile or thick client traffic to Burp. You need to create invisible proxy listeners in Burp Suite for Burp to intercept HTTP traffic, or you can use the second feature of this extension to intercept binary/non-HTTP protocols.
  2. A Non-HTTP MiTM intercepting proxy. This extension allows you to create multiple listening ports that can MiTM server-side services. It also uses Burp's CA cert, so if the browser or mobile device is already configured to trust this cert for SSL/TLS then encrypted binary protocols will connect without generating errors too. It also provides the ability to automatically match and replace hex or strings as they pass through the proxy, or you can use custom Python code to manipulate the traffic.

DNS Server Configuration

The DNS server configuration allows control over the most common DNS settings. You can configure it to send all traffic to the same IP address as Burp, or you can use a Custom Hosts File to configure only some hosts to be forwarded to Burp while others are forwarded to other hosts.
The DNS server automatically starts with the IP address of the last interface you set in the Interface input box. Changing the interface number will automatically change the IP address. The server will need to be restarted for this change to take effect. The Custom Hosts File is not related to your normal hosts file and will override it. If the 'Use DNS Response IP' checkbox is checked (default), the extension resolves all hosts not in the Custom Hosts File to whichever IP address is set in the 'DNS Response IP' input box. If this box is not checked, the extension resolves the real IP address unless the host has been overridden in the 'Custom Hosts File'.
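To make that resolution order concrete, here is an added Python example (it is not the NoPE extension's own code) that parses DNS A queries and answers them using the same three-way decision: a Custom Hosts File entry wins, then the DNS Response IP when that option is on, otherwise the real address. The IP addresses, hostnames, the real_resolve stand-in and the sample queries are all constructed for the example.

```python
import socket
import struct

A_RECORD = 1

# Constructed settings for the example (assumptions, not values from the post):
# Burp is listening on 192.168.1.10, and one hostname is pinned to another box
# the way an entry in the Custom Hosts File would pin it.
BURP_IP = "192.168.1.10"
CUSTOM_HOSTS = {"cdn.example.net": "203.0.113.20"}


def real_resolve(name):
    """Stand-in for an upstream lookup so the example runs offline."""
    return "198.51.100.7"


def build_query(name, txid=0x1234, qtype=A_RECORD):
    """Build a minimal DNS query for `name`; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, lower-cased name, qtype, raw question section) from a query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pkt[12:off + 4]


def choose_ip(name, custom_hosts, use_response_ip, response_ip):
    """Decision order as described above: Custom Hosts File entry first, then the
    'DNS Response IP' when that box is checked, otherwise the real address."""
    if name in custom_hosts:
        return custom_hosts[name]
    if use_response_ip:
        return response_ip
    return real_resolve(name)


def build_response(txid, question, ip, ttl=60):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RA, one answer
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def handle_query(pkt, custom_hosts, use_response_ip, response_ip):
    txid, name, qtype, question = parse_query(pkt)
    if qtype != A_RECORD:
        # Only A records are redirected; answer with zero records so the client moves on
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    ip = choose_ip(name, custom_hosts, use_response_ip, response_ip)
    return build_response(txid, question, ip)


def answer_count(resp):
    """ANCOUNT field of a response."""
    return struct.unpack("!H", resp[6:8])[0]


def answer_ip(resp):
    """Read the A record address back out of a response built by handle_query."""
    return socket.inet_ntoa(resp[-4:])


def serve(bind_ip, custom_hosts, use_response_ip, response_ip):
    """Blocking UDP loop; point the device's DNS at bind_ip to use it (not run by the test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 53))
    while True:
        pkt, peer = sock.recvfrom(512)
        sock.sendto(handle_query(pkt, custom_hosts, use_response_ip, response_ip), peer)
```

Lower-casing the name before the lookup matters in practice: DNS names are case-insensitive and some resolvers randomize label case, so a Custom Hosts entry that only matches exact case would silently fall through to the response IP.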

Non-HTTP MiTM proxy

This proxy has several features built in.
  • All requests and responses are saved to a sqlite database and can be exported or imported into the tool.
  • Automatic match and replace rules that are customizable based on the direction of traffic (client to server, server to client, or both).
  • Match and replace rules support both hex and string replacement.
  • Manually intercept binary protocols and change them before sending them on to the server or client, just like the normal Burp proxy but with binary streams.
  • Python code can be used instead of the normal match and replace rules for more advanced mangling of requests and responses.

Configure the proxies

To perform normal interception of an application's binary traffic, set the DNS IP address to the extension's IP address and then create a listener under 'Server Config'. This requires that you know the hostname and port the application is trying to connect to. You can switch to the 'DNS History' tab to view the DNS queries; this will give you the hostname. To find the port you can run lister.py (https://github.com/summitt/lister), which will list the client IPs and ports that are trying to connect to you. You could also run Wireshark, but lister.py filters this information for you.
Once you know the right hostname and port you can configure these settings as shown above. If the service is using SSL then you need to export Burp's CA cert to the same folder that Burp is running from, so the extension can find it and generate certs that will pass certificate verification. Then check the SSL checkbox before adding the proxy.
The proxy does not start until 'enable' is checked in the table.
Once the proxy is started you can intercept traffic in real time. All your traffic will be logged to the TCP History tab and stored locally in a SQLite database. The database can be exported or imported from the Server Configuration tab. In addition, if Burp crashes or you close Burp without saving, the TCP History will still be loaded automatically when you start Burp again.

Manual Intercept Traffic

Clicking on the TCP Intercept tab will allow you to enable and disable manual interception. This is very similar to intercepting HTTP traffic with Burp. If the data sent is just strings then it's very simple to replace text or attempt modifications to the request. If the application is sending serialized objects or protobufs then you will need to switch between Raw and Hex mode to ensure the data is encoded correctly and that any length fields still match the modified payload.

Automated Manipulation of Traffic

Once you have your ideal payload you can automatically match and replace in the Automation Tab.
If 'Enable Python Mangler' is left unchecked (default) then the match and replace rules are used. They support hex, string, and directional replacement. The '#' character can be used to comment out a line, and rules are updated as soon as you press a single key. If you want to replace the string 'test' with 'hacked' then you could use the following rule:
This will affect traffic in both directions. You could restrict it to server-to-client traffic only by using the following rule:
You could also perform the same replacement as hex using the following rule:

Python Mangler

The previous example is great for quickly fuzzing the request, but more complicated cases may require actual coding. The Python Mangler was built to provide far more control over requests and responses. You may even be able to import a library to extract the data into a more easily editable form and convert it back before sending it to the server. The PyMangler code must have at a minimum the following structure.
def mangle(input, isC2S):
    return input
The 'input' variable is a byte array, the 'isC2S' variable is a Boolean (true for client-to-server traffic), and the return value must also be a byte array (though Python seems somewhat forgiving here). This lets you make changes that depend on the direction of the traffic. Using PyMangler you can perform the same rule change as above by writing the following code.
def mangle(input, isC2S):
    # Only rewrite client-to-server traffic; server-to-client data passes through unchanged
    if isC2S:
        input = input.replace(b'test', b'hacked')
    return input
You can import external libraries, create classes, and do anything you can do in normal Python as long as there is a 'mangle' function with the same inputs to process the traffic. If you import custom modules they will need to be placed in the same folder that Burp Suite is running from unless they are on your path.
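The match and replace rules and the Python Mangler both come down to directional byte substitution, and the Manual Intercept section above noted that length fields must stay correct once a payload changes size. The following added example (it is not the NoPE extension's code; the 16-bit length-prefix framing, the rule table and the sample frames are assumptions chosen for illustration) implements a mangle() with the signature shown above that applies hex and string rules per direction and then re-encodes each frame's length so the replacement does not desynchronize the stream.

```python
import struct

# Rule table, one entry per rule as described for the Automation tab:
# (direction, match, replace), where direction is "C2S", "S2C" or "BOTH".
# A hex rule is just bytes too (bytearray.fromhex), so both rule kinds share one
# code path. The rules themselves are constructed for this example.
RULES = [
    ("BOTH", b"test", b"hacked"),
    ("S2C", bytearray.fromhex("0100"), bytearray.fromhex("0000")),  # flip a flag in responses
]


def apply_rules(payload, isC2S, rules=RULES):
    """Apply every rule whose direction matches the direction of this chunk."""
    direction = "C2S" if isC2S else "S2C"
    out = bytearray(payload)
    for rule_dir, old, new in rules:
        if rule_dir in ("BOTH", direction):
            out = out.replace(old, new)  # bytearray.replace returns a new bytearray
    return out


def mangle(input, isC2S):
    """Entry point with the signature the Python Mangler calls (the name `input`
    is kept to match the post even though it shadows the builtin).

    Assumption for the example: the protocol frames every message as a big-endian
    16-bit payload length followed by the payload. Each complete frame is rewritten
    and its length field recomputed. A trailing partial frame (the proxy hands over
    socket chunks, not whole messages) is passed through untouched so the stream
    stays in sync.
    """
    data = bytes(input)
    out = bytearray()
    off = 0
    while off + 2 <= len(data):
        (length,) = struct.unpack("!H", data[off:off + 2])
        if off + 2 + length > len(data):
            break  # incomplete frame in this chunk; leave it for the next one
        payload = apply_rules(data[off + 2:off + 2 + length], isC2S)
        out += struct.pack("!H", len(payload)) + payload
        off += 2 + length
    out += data[off:]
    return out
```

Passing a partial frame through unchanged is the conservative choice: if the length field and payload arrive in different chunks, rewriting either half on its own would leave the server counting bytes that no longer exist. A fuller mangler would buffer partial frames per direction until the rest arrives.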


FACTION Beta Release!

We are allowing access to our FACTION Beta Release this week. If you would like to kick the tires then submit a request at the FuseSoft Security website. We are granting just the first 50 requests access to the beta and then rolling out to more people over the next couple of weeks. If you're not sure you're ready for the beta but want to see what we have to offer, you can fill out the same form and just state that you would like to see a demo instead of being included in the beta release.

Keep in mind there will be bugs, as this is our first release to the public. We will be posting installation instructions and tutorials over the next few days, so follow our Twitter page to stay up to date and to post issues and/or enhancement requests.

With this release you will have access to our entire FACTION platform that includes the following features:

  1. Assessment Collaboration
  2. Vulnerability Management and Tracking
  3. Assessment Assignment and Scheduling
  4. REST and Python Integration APIs
  5. FACTION Social Network (incubating early release)
  6. BurpSuite Integration
  7. Command Line API that integrates WebInspect, Accunetix, AppSpider, and BurpSuite
  8. Graphical Metrics 
  9. Report Designer/Generator

Sign up for the early release here and we will send you a registration link when it's ready.


Hello World

Hello There!
Thanks for visiting FuseSoft; we're glad you're here. First let us tell you a little bit about us and what we are trying to do. We are a startup based out of Memphis, TN, comprised of security professionals with over 10 years' experience working for large enterprises and government organizations. Our engineers have worked for some of the Fortune 100 companies and have industry experience like no other. We deeply understand the needs and challenges of organizations large and small. We specialize in Application Security, Penetration Testing, and Red/Blue Team activities.

In every organization we have worked in, there has always been a need to report risk, track risk, and manage security teams effectively. Many organizations we have worked for have either built a tool to do this internally or have tried to use some COTS product that does most of what they need but is quite a headache to work into the assessment process.

Introducing Faction

Because of this challenge we have all experienced, we are excited to present our first product, Faction. Faction is built by penetration testers, for penetration testers, but with special attention to project management teams like Engagement and Remediation. Faction focuses on your manual testing teams but also allows automated scan tools to submit results into Faction. Faction is built from the ground up to have a low overhead to learn and use for your entire security team. Take a look at the features our initial product offering already has that your organization can leverage to add efficiency to your assessment process.

  1. Assessors begin with an assessment queue so they can see what assessments are assigned each week with system information and credentials populated in the queue so they are ready to start Hacking when an assessment is assigned. 
  2. Built in Social Network for assessors and team members to share issues they are finding as well as ask questions of the team.
  3. Simple, intuitive interface for adding vulnerabilities with screenshots and exploit steps into Faction.
  4. Assessment History so assessors can quickly see open and closed issues when a system is assessed multiple times. This allows the assessor to know which areas to target and ensure they are aware of open issues.
  5. Customizable Vulnerability Database to auto-populate your most commonly found issues like XSS, SQL Injection, CVEs, etc. Descriptions and recommendations for these issues are auto-populated into your reports so you don't have to rewrite the same verbiage for every report in which they are found.
  6. Fully Customizable Report Generation Engine. Upload images, customize themes, and a list of Macros to auto populate things like Assessment Name, Assessor names, List of Discovered Vulnerabilities, etc. We currently have 21 macros defined and more to come.
  7. Assessment Project Management engine for Engagement Teams. Project managers and team leads can assign assessments to available assessors, easily see which assessors are available and which are not, and enter all required information that the assessor will need to start the assessment.
  8. Remediation and Vulnerability Tracking engine. This allows remediation teams to be alerted when vulnerability fixes are coming due, easily assign available assessors to test fixes, and track passing and failing of vulnerability fixes.
  9. Python Based API to integrate with other systems.
  10. Burp Suite integration for Application Security Assessments that shows the user's assessment queue, assessment history, and access to previous assessment vulnerability details.
 Whew! That's a lot of features for an initial product offering and that's just the high level. If managing manual security assessments has been a pain for your organization or you want to enhance your existing assessment process then schedule a demo with us at hello[at]fusesoft[dot]co.