Re: Web Application Penetration Testing Tools

From: Daniel Nylander (mail-lists@lidkoping.net)
Date: Wed Oct 08 2003 - 13:44:05 EDT


I used to work with performance testing of large web applications such as
Internet banks etc.
We used our self-developed tool called PureLoad. PureLoad is a load
generator written entirely in Java.
PureLoad has a built-in proxy which records all traffic and all variables
sent in and out of a web application.
It gives you an (almost) complete overview of the traffic between browser and
web server (even HTTPS).
Download and test for yourself; there should be a 30-day evaluation
version:
http://www.pureload.com/

Cheers,
Daniel

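As an added illustration (not PureLoad's code, nor anything posted to the list), here is the kind of per-request record such a recording proxy keeps: request line, query string, cookies and form fields, parsed from a constructed raw HTTP request. The function and sample names are assumptions.

```python
# Illustrative parser for the record a recording proxy keeps per request.
# Not PureLoad's code; the sample request below is constructed.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl


def record_request(raw: bytes) -> dict:
    """Parse one raw HTTP/1.1 request into the fields a recording proxy logs.

    Every value returned here is client-controlled, which is exactly why a
    proxy view is useful when reviewing what the server must validate.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    record = {
        "method": method,
        "host": headers.get("host", ""),
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "cookies": {},
        "form": {},
    }
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        record["cookies"] = {k: m.value for k, m in jar.items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form_body = body.decode("iso-8859-1")
        record["form"] = dict(parse_qsl(form_body, keep_blank_values=True))
    return record


# Constructed sample: a form post as a browser would send it through the proxy
SAMPLE = (
    b"POST /login?lang=en HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: JSESSIONID=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user=alice&amount=100&acct=7"
)

if __name__ == "__main__":
    print(record_request(SAMPLE))
```
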
----- Original Message -----
From: "Bill Pennington" <billp@boarder.org>
To: "Brian E" <brian_anon@hotmail.com>
Cc: <pen-test@securityfocus.com>
Sent: Wednesday, October 08, 2003 6:06 PM
Subject: Re: Web Application Penetration Testing Tools

> I think you are going to need to use a proxy based tool. Rewriting HTML
> and embedding it in more HTML like you have to do with browser based
> tools is extremely difficult. Javascript, Frames, Style sheets etc...
> can all mess with the rendering.
>
> Not to mention sites that do crazy things like having multiple <body>
> tags, yes I am working on a site that has that now...
>
> I posted a message a while back about proxy based tools on the
> Webappsec list. Tools to look at are Achilles, Webscarab/exodus, Spike
> proxy, and penproxy. There are a number of others.
>
> On Tuesday, October 7, 2003, at 06:24 PM, Brian E wrote:
>
> >
> >
> > When performing penetration testing of web applications I have used a
> > minibrowser from www.aignes.com for a very long time.
> >
> > This simple application allows me to browse a web application and
> > easily see links, form elements, cookies, a log of actual commands
> > being sent back and forth and more. The ability to manipulate cookies
> > and form elements makes it very useful.
> >
> > Unfortunately, its support as a web browser is limited so I can't
> > test all web applications (such as embedded scripts and frames).
> >
> > Does anyone know of some other good tools for auditing web
> > applications with the ability to manipulate form data and cookies
> > before being sent to the server?
> >
> > Preferably, I'm looking for something based on Windows that is browser
> > based (as opposed to proxy based) but am still open to all platforms
> > and methods.
> >
> > ---------------------------------------------------------------------------
> > Tired of constantly searching the web for the latest exploits?
> > Tired of using 300 different tools to do one job?
> > Get CORE IMPACT and get some rest.
> > www.coresecurity.com/promos/sf_ept2
> > ----------------------------------------------------------------------------
> >
> >
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT