Re: Looking for good Brute-Force Web form auditing tool

From: Jordan Wiens (jwiens@nersp.nerdc.ufl.edu)
Date: Mon Jun 12 2006 - 14:50:14 EDT


We just finished an eval between AppScan, WebInspect, and Cenzic
Hailstorm (ironically, they're the current sponsor for the pen-test
mailing list, so just check out the footer of the email for their URLs).

While we went with Cenzic, I'm not sure that any of those products are
really what you need. All of those products are built for true
application penetration testing and would be overkill for simple
brute-forcing. And while I know you said free wasn't a big deal, these
programs are very expensive if you just need a brute forcer.

Have you tried THC-Hydra? http://www.thc.org/thc-hydra/

While it's still free (so you don't get that fuzzy feeling that you're
getting something worthwhile just because you spent money on it), it's
also Free in the sense that you get the source code. So you can't
complain that you don't think it's trustworthy since it's easy enough to
verify for yourself what it's doing if you've got the ability to read
and understand code.

If you're not familiar with linux and want to try Hydra, look into any
one of the many linux security distros on a CD. I'm sure you'll find a
few with new versions of Hydra. Heck, some of them even come with QEMU
wrappers so you can boot the OS inside of windows.

-- 
Jordan Wiens, CISSP
UF Security Engineer
(352)392-2061
Art Cooper wrote:
> There are two products I have used that can do this.  They aren't cheap, but
> reporting is good with both of them.
> 
> APPSCAN is one:
> http://www.watchfire.com/products/appscan/default.aspx
> 
> The other one is WEBINSPECT:
> http://www.spidynamics.com/products/webinspect/index.html
> 
> I personally like WEBINSPECT better.  You can really glean a lot of
> knowledge on web apps/forms using these tools.
> 
> Best Regards,
> Coop
> 
> Arthur B. Cooper Jr.  "COOP"
> Innerwall, Senior Network Engineer
> Office: (719) 264-2737 / Email: acooper@innerwall.com
> 2060 Briargate Parkway, Suite 339, Colorado Springs, CO 80920
> Website: http://www.innerwall.com
> 
> From: <loki74@gmail.com>
> Date: 9 Jun 2006 14:59:25 -0000
> To: <pen-test@securityfocus.com>
> Subject: Looking for good Brute-Force Web form auditing tool
> 
> Hello all,
> 
> Looking for a good web form brute force auditing tool.  I must be able to
> use word lists, passwords and have extensive logging.  Not really
> comfortable with all the freeware (as I have no idea what it is really
> doing). I have tried Brutus, and Burp Suite though.  I am looking for a
> faster, more robust tool.  Free is not the most important factor, speed
> and reporting are.
> 
> 
> Thanks,
> 
> T
> 
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
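The tools discussed in this thread all do the same thing from the outside: fire a word list at a login form and log the responses. From the server's side, that audit (or a real attack) shows up in the web server's access log as a burst of POSTs to the login URL from one source, which is the signal the "extensive logging" requirement in the original question is meant to capture. The script below is an added example, not code from the thread or from Hydra, AppScan, WebInspect or Cenzic: it parses Common Log Format lines, counts failed login POSTs per client IP inside a sliding window, and reports sources that reach a threshold. The login path `/login`, the assumption that a successful login answers with a 302 redirect, the threshold and window values, and every sample log line are constructed for this example.

```python
"""Flag login brute-force bursts in a web-server access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format, e.g.
#   203.0.113.7 - - [12/Jun/2006:14:50:00 -0400] "POST /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce_sources(lines, login_path="/login", threshold=10, window_seconds=60):
    """Return {ip: peak_attempts} for every client that sent at least
    `threshold` failed POSTs to `login_path` inside any `window_seconds` span.

    Assumption (constructed for this example): the application answers a
    successful login with a 302 redirect, so a 302 is not counted as a failure.
    Lines that are not CLF, not POSTs, or not for the login path are ignored.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] == 302:
            continue                # assumed successful login, not a failure
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # drop attempts that have fallen out of the sliding window
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _clf(ip, second, method, path, status):
    """Build one constructed CLF line at 14:50:<second> on 12 Jun 2006."""
    return (f'{ip} - - [12/Jun/2006:14:50:{second:02d} -0400] '
            f'"{method} {path} HTTP/1.1" {status} 512')


# Constructed sample log: one source hammers /login with 15 failed attempts in
# under 30 seconds; another source fails three times and then succeeds (302).
SAMPLE_LOG = (
    [_clf("203.0.113.7", s, "POST", "/login", 200) for s in range(0, 30, 2)]
    + [_clf("203.0.113.7", 31, "GET", "/login", 200)]
    + [_clf("198.51.100.4", s, "POST", "/login", 200) for s in (5, 20, 40)]
    + [_clf("198.51.100.4", 45, "POST", "/login", 302)]
    + ["this line is not in Common Log Format"]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed login attempts within 60s")
```

On the constructed sample the hammering source is reported with a peak of 15 attempts while the source that failed three times and then logged in is not, because three attempts are below the default threshold of ten. Tuning the threshold and window to the real application's traffic is the part that matters; the sliding-window count itself is the same whether the POSTs come from an authorised audit with Hydra or from an unknown source.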


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:04 EDT