Features

• Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
• Sandcat Console — an extensible command line console; Allows you to easily run custom commands and scripts in a loaded page
• Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
• Page Menu extensions — allows you to view details about a page and more.
• Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.

Pentesting tools

• Cookies and Cache Viewers
• JavaScript Executor extension — allows you to load and run external JavaScript files
• Lua Executor extension — allows you to load and run external Lua scripts
• Page Menu extensions — allows you to view the page headers, cookies, whois information and more
• Request Editor extension with request loading capabilities
• Request Editor (Low-Level version)
• Request Viewer — allows you to view details about a request or replay a request.
• Ruby Console extension
• Sandcat Tasks (Extensions that run as isolated processes):
  • Fuzzer extensions with multiple modes and support for filters
  • CGI Scanner extension
  • HTTP Brute Force
• Script Runner extension — can execute scripts in a variety of languages
• Tor Button extension — Anonymity for standard browsing
• XHR Editor
• Various Encoders/Decoders, new Sandcat Console commands, security related search engine options, and more

• SQL Injection functions
  • Filter Evasion – Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
  • Filter Evasion (MySQL-Specific) – String Concatenation, Percent Obfuscation & Integer Representation (eg: ’26′ becomes ‘ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)’, a technique presented by Johannes Dahse).
  • UNION Statement Maker
  • Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
• File Inclusion functions
  • One-Click Log Poisoning
  • Quick Shell Upload code generator
  • PHP String Escape (chr)
• Cross-Site Scripting (XSS) functions
  • Filter Evasion – JavaScript String Escape (String.fromCharCode), CSS Escape
  • Various handy alert statements for testing for XSS vulnerabilities.
• Hash functions
  • MD5 Hash Crackers – Built-in (offline) and online MD5 hash crackers
  • Hash Generators – MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
• Encoders/Decoders
  • URL Encoder/Decoder
  • Hex Encoder/Decoder – Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
  • Base64 Encoder/Decoder
  • CharCode Converter – Converts a string to charcodes (eg: ‘abc’ becomes ’97,98,99′) or vice-versa.
  • IP Obfuscator – Converts an IP to dword, hex or octal.
  • JavaScript Encoders – Such as JJEncode by Yosuke HASEGAWA
• HTML functions
  • HTML Escape/Unescape
  • HTML Entity Encoder/Decoder – Decimal and hexadecimal HTML entity encoders & decoders
  • JavaScript String Escape
• Text Manipulation functions – Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
• Time-Based Blind Injection code – Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
• CRC Calculators – CRC16, CRC32, CRC32b, and more.
• Classical Ciphers – ROT13 & ROT[N]
• Checksum Calculators – Adler-32 & Fletcher
• Buffer Overflow String Creator
• Random String & Number Generation functions
• URL Splitter
• Useful Strings – Math, character sets and more.