RE: Web Application Penetration Testing Tools

From: Faiz Ahmad Shuja (faiz@honeynet.org.pk)
Date: Sat Oct 11 2003 - 18:15:04 EDT

Try Achilles, A Windows web attack proxy -
http://achilles.mavensecurity.com/

"Achilles is a tool designed for testing the security of web
applications. Achilles is a proxy server, which acts as a
man-in-the-middle during an HTTP session. A typical HTTP proxy will
relay packets to and from a client browser and a web server. Achilles
will intercept an HTTP session's data in either direction and give the
user the ability to alter the data before transmission. For example,
during a normal HTTP SSL connection a typical proxy will relay the
session between the server and the client and allow the two end nodes to
negotiate SSL. In contrast, when in intercept mode, Achilles will
pretend to be the server and negotiate two SSL sessions, one with the
client browser and another with the web server. As data is transmitted
between the two nodes, Achilles decrypts the data and gives the user the
ability to alter and/or log the data in clear text before transmission."

Regards,
Faiz

-----Original Message-----
From: Brian E [mailto:brian_anon@hotmail.com]
Sent: Wednesday, October 08, 2003 6:25 AM
To: pen-test@securityfocus.com
Subject: Web Application Penetration Testing Tools

When performing penetration testing of web applications I have used a
minibrowser from www.aignes.com for a very long time.

This simple application allows me to browse a web application and easily
see links, form elements, cookies, a log of actual commands being sent
back and forth and more. The ability to manipulate cookies and form
elements makes it very useful.

Unfortunately, it's support as a web browser is limited so I can't test
all web applications (such as embeded scripts and frames).

Does anyone know of some other good tools for auditing web applications
with the ability to manipulate form data and cookies before being sent
to the server?

Preferably, I'm looking for something based on Windows that is browser
based (as opposed to proxy based) but am still open to all platforms and
methods.

------------------------------------------------------------------------ 

---
Tired of constantly searching the web for the latest exploits? Tired of
using 300 different tools to do one job? Get CORE IMPACT and get some
rest. www.coresecurity.com/promos/sf_ept2
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT