I run, contribute to, and support a number of OSS projects because I’m a Communist. I also sometimes write little niche programs that are useful to me, and I’ve found that other people find them useful, too.
JavaSnoop
I wrote a tool called JavaSnoop for testing the security of thick Java clients, like desktop applications, applets and WebStart programs. It was released at BlackHat USA 2010. The project page is over at Aspect Security.
OWASP AntiSamy
I lead the OWASP AntiSamy project. It’s a library for Java that sanitizes user input, making sure input provided by users can’t contain JavaScript or HTML that could be malicious. It’s been very well received, and has an active user community. Jerry Hoff even made a port for .NET.
OWASP ESAPI WAF
I’m a contributor to the OWASP ESAPI project, but I only touch code that relates to the built-in WAF.
OWASP Scrubbr
Scrubbr is a GUI program that checks your database for stored XSS attacks. It uses AntiSamy as an engine, and can be used on SQL Server, Oracle or MySQL. It’s gotten some decent press and reviews. I’ve only had to release 1 version. Either that means it’s perfect or nobody’s using it. Not sure which. You can also skip the project page and go right to the download page.
XSDChecker
Simple little .NET program that validates an XML document against a given XSD. I can’t believe Google doesn’t turn up something like this in 5 seconds. You can download the whole .NET project here for development or the pre-built executable. Go to the “home page” to see a screenshot.
TrannieCoder
TrannieCoder is a set of encoding functions for use in attacking web applications. It’s all in JavaScript – nothing to download! It’s not nearly as powerful as Hackvertor, but it does (most) everything I need it to do in a simple UI. It’s the first program I’d ever seen that could generate non-shortest form UTF-8 (also called “overlong” or “invalid”), which is useful in attacking all kinds of everything.
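As an added illustration of the overlong UTF-8 point above (example code written here, not TrannieCoder’s or Hackvertor’s), a strict UTF-8 checker that reports the non-shortest-form sequences an input validator should reject; the sample bytes are constructed.

```javascript
// Added example, not TrannieCoder's code: a strict UTF-8 checker that
// reports the non-shortest-form ("overlong") sequences the page mentions.
// An overlong sequence spends more bytes than needed on a code point,
// e.g. C0 AF for "/" instead of the single byte 2F; a lenient decoder that
// accepts it can let a character slip past a byte-level filter.

// Smallest code point that a sequence of each length may legitimately carry.
const MIN_CODE_POINT_FOR_LENGTH = { 2: 0x80, 3: 0x800, 4: 0x10000 };

// Decode one sequence starting at bytes[i].
// Returns { cp, len, overlong } or null when the bytes are malformed.
function decodeOne(bytes, i) {
  const b0 = bytes[i];
  if (b0 < 0x80) return { cp: b0, len: 1, overlong: false };
  let len, cp;
  if ((b0 & 0xe0) === 0xc0) { len = 2; cp = b0 & 0x1f; }
  else if ((b0 & 0xf0) === 0xe0) { len = 3; cp = b0 & 0x0f; }
  else if ((b0 & 0xf8) === 0xf0) { len = 4; cp = b0 & 0x07; }
  else return null; // stray continuation byte or lead byte F8 and above
  if (i + len > bytes.length) return null; // truncated sequence
  for (let k = 1; k < len; k++) {
    const b = bytes[i + k];
    if ((b & 0xc0) !== 0x80) return null; // continuation byte expected
    cp = (cp << 6) | (b & 0x3f);
  }
  // Surrogates and anything above U+10FFFF are not valid scalar values.
  if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return null;
  return { cp, len, overlong: cp < MIN_CODE_POINT_FOR_LENGTH[len] };
}

// Scan a byte array; a validator rejects the input when either list is non-empty.
function checkStrictUtf8(bytes) {
  const overlong = [];
  const malformed = [];
  let i = 0;
  while (i < bytes.length) {
    const r = decodeOne(bytes, i);
    if (r === null) { malformed.push(i); i += 1; continue; }
    if (r.overlong) overlong.push({ offset: i, codePoint: r.cp, length: r.len });
    i += r.len;
  }
  return { ok: overlong.length === 0 && malformed.length === 0, overlong, malformed };
}

// Constructed sample: "a", "/" as an overlong 2-byte form, "/" as an overlong
// 3-byte form, then a correctly encoded "é".
const sample = new Uint8Array([0x61, 0xc0, 0xaf, 0xe0, 0x80, 0xaf, 0xc3, 0xa9]);
console.log(checkStrictUtf8(sample)); // ok: false, two overlong entries for U+002F
```

In current browsers and Node, `new TextDecoder('utf-8', { fatal: true })` also throws on overlong forms, so decoding with it before any character-level filtering gives the same protection without hand-written parsing.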