I run, contribute to, and support a number of OSS projects because I’m a Communist. I also sometimes write little niche programs that are useful to me, and I’ve found that other people find them useful, too.

JavaSnoop

I wrote a tool called JavaSnoop for testing the security of thick Java clients, like desktop applications, applets and WebStart programs. It was released at BlackHat USA 2010. The project page is over at Aspect Security.

OWASP AntiSamy

I lead the OWASP AntiSamy project. It’s a library for Java that sanitizes user input, making sure input provided by users can’t contain JavaScript or HTML that could be malicious. It’s been very well received, and has an active user community. Jerry Hoff even made a port for .NET.

pwnshell

If you’ve got arbitrary file uploads to a J2EE web-accessible directory, you need pwnshell to maximize your compromise. It’s a single JSP that, when browsed to, delivers the user a Web 2.0 shell for the victimized server. Great for demos!

OWASP ESAPI

I’m a contributor to the OWASP ESAPI project, but I only touch code that relates to the built-in WAF.

OWASP Scrubbr

Scrubbr is a GUI program that checks your database for stored XSS attacks. It uses AntiSamy as an engine, and can be used on SQL Server, Oracle or MySQL. It’s gotten some decent press and reviews. I’ve only had to release one version. Either that means it’s perfect or nobody’s using it. Not sure which. You can also skip the project page and go right to the download page.

TrannieCoder

TrannieCoder is a set of encoding functions for use in attacking web applications. It’s all in JavaScript – nothing to download! It’s not nearly as powerful as Hackvertor, but it does (most) everything I need it to do in a simple UI. It’s the first program I’d ever seen that could generate non-shortest form UTF-8.