Re: Web Application Penetration Testing Tools

From: Bill Pennington (billp@boarder.org)
Date: Wed Oct 08 2003 - 12:06:35 EDT

• Next message: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Previous message: Ollie Whitehouse: "@stake Whitepaper Release: War Nibbling: Bluetooth Insecurity"
• In reply to: Brian E: "Web Application Penetration Testing Tools"
• Next in thread: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Reply: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Reply: Daniel Nylander: "Re: Web Application Penetration Testing Tools"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I think you are going to need to use a proxy based tool. Rewriting HTML
and embedding it in more HTML like you have to do with browser based
tools is extremely difficult. Javascript, Frames, Style sheets etc...
can all mess with the rendering.

Not to mention sites that do crazy things like having multiple <body>
tags, yes I am working on a site that has that now...

I posted a message a while back about proxy based tools on the
Webappsec list. Tools to look at are Achilles, Webscarab/exodus, Spike
proxy, and penproxy. There are a number of others.

On Tuesday, October 7, 2003, at 06:24 PM, Brian E wrote:

>
>
> When performing penetration testing of web applications I have used a
> minibrowser from www.aignes.com for a very long time.
>
> This simple application allows me to browse a web application and
> easily see links, form elements, cookies, a log of actual commands
> being sent back and forth and more. The ability to manipulate cookies
> and form elements makes it very useful.
>
> Unfortunately, it's support as a web browser is limited so I can't
> test all web applications (such as embeded scripts and frames).
>
> Does anyone know of some other good tools for auditing web
> applications with the ability to manipulate form data and cookies
> before being sent to the server?
>
> Preferably, I'm looking for something based on Windows that is browser
> based (as opposed to proxy based) but am still open to all platforms
> and methods.
>
> -----------------------------------------------------------------------
> ----
> Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> -----------------------------------------------------------------------
> -----
>
>

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------

• Next message: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Previous message: Ollie Whitehouse: "@stake Whitepaper Release: War Nibbling: Bluetooth Insecurity"
• In reply to: Brian E: "Web Application Penetration Testing Tools"
• Next in thread: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Reply: Martin Eiszner: "Re: Web Application Penetration Testing Tools"
• Reply: Daniel Nylander: "Re: Web Application Penetration Testing Tools"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT