Friday, February 8, 2008

Tools Part 1 - The Intercept Proxy

I was doing an inventory of all of the tools I currently have on my systems that are outside of a standard build (this is a business unit requirement for me) and man do I have a lot of stuff! So I decided (in addition to the suggestion from other readers) to include a list of all of the tools I currently use, where you can get them and what I think of them. This list will be specifically web application vulnerability related as that is really my forte and what I am most interested in currently. There may be a few network tools but they will in some way be related to web app security. And this will be a list not of commercially known tools but tools I have amassed from readings, industry events and searches. I will categorize them and dedicate whole postings to a single tool group as the list is long and the postings will be too large to search through. This may take a bit of time and if broken down a bit will be easier to manage for all of us. So here goes: we will start with Intercepting Proxies:

Intercept Proxies - An intercept proxy is a tool which combines a proxy server (the server in this case is the application, not a physical server) with a gateway. It sits between your browser and your internet connection. Connections made by client browsers are redirected through the proxy, with or without client-side configuration, allowing the request/response to be altered in transit, usually in a way NOT intended by the developer/protocol. This is by far the most valuable tool you will use in your web application vulnerability assessments/attacks. If you have never used this tool, imagine you have total control of time: the time between the submission from your browser to the receiving server and from the receiving server back to your browser. This completely opens up the apps for intense inspection and manipulation. Here is my list of Intercept Proxies:

1. Fiddler 2 - http://www.fiddler2.com/fiddler2/ - I found this one by accident in searching for an addon to Internet Explorer as that is the only browser allowed in my professional environment. I use this one all the time as it requires no connection configuration, it is really easy to use and has a bunch of great addons. This is really a developer tool for web code debugging, as really they all are, but works great as a tool of mischief but only for Internet Explorer... It has some really good tutorials online as well.

2. Burp Suite 1.01 - http://www.portswigger.net/ - This is really the BEST of the best in its category. It was written by Dafydd Stuttard, the author of "The Web Application Hacker's Handbook - Discovering and Exploiting Security Flaws (ISBN 978-0-470-17077-9 Wiley)" which is the de facto standard in web app security exploits so it makes sense that it would be a great tool. It is full-featured but does require configuration (as do the rest of the tools listed) to be used properly.

3. Webscarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project - Taken from the OWASP site: "...WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab..." Enough said... it also has a good spider... this is a good one too!

4. Paros - www.parosproxy.org/ - I really like Paros because it has a great spider tool as well as the proxy. This spider is great for finding all directories/files on a web server, which in turn is great to use in combination with very specific Google search strings to find all kinds of data leakage. But always remember that spiders make noise, usually a lot of noise, so be careful who you unload it on as they will hear/see you, which is why Google is such a valuable tool, but that is for another posting altogether.

Summary:

These are the Intercept Proxies I use; there may be more out there, but these are the tools I know and use daily for fun and for security engagements.
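
The request rewriting described in the Intercept Proxies definition above, as an added example that is not part of the original post: the parse, edit and re-serialize step a proxy applies to a held request, followed by the server-side check that makes such an edit harmless. The request, the `shop.example` host, the `price` form field and the catalogue are all constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample: the request a browser would send for a form whose
# price lives in a hidden field (an assumption made for this example).
SAMPLE = (b"POST /checkout HTTP/1.1\r\n"
          b"Host: shop.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 24\r\n\r\n"
          b"item=sku-1001&price=4999")

CATALOGUE = {"sku-1001": 4999}  # constructed server-side price list, in cents


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [tuple(line.split(b": ", 1)) for line in lines[1:]]
    return lines[0], headers, body


def intercept(raw, edit_body):
    """What the proxy does in transit: hold the request, let the operator
    edit the body, then fix Content-Length so the result is well-formed."""
    request_line, headers, body = parse_request(raw)
    body = edit_body(body)
    out = [request_line]
    for name, value in headers:
        if name.lower() == b"content-length":
            value = str(len(body)).encode()
        out.append(name + b": " + value)
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def check_order(raw):
    """Server-side control: price comes from the catalogue, never the client."""
    _, _, body = parse_request(raw)
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    expected = CATALOGUE.get(form.get("item"))
    if expected is None:
        return "rejected: unknown item"
    if form.get("price") != str(expected):
        return "rejected: client price differs from catalogue"
    return "accepted"


def tampered_request():
    # The edit an operator might make while the request is held at the proxy.
    return intercept(SAMPLE, lambda b: b.replace(b"price=4999", b"price=1"))
```

The edited request is syntactically indistinguishable from a genuine one, so the only reliable control is the server recomputing or validating every value it receives.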

2 comments:

namrataghadi said...

Hi,
I am working on a class project that will assess the web-application for vulnerabilities and fix them.
I am planning to use tools like Hacme Bank which has lots of vulnerabilities. To assess those vulnerabilities I want to use either WebScarab or Paros. I am confused as to which one I should use.
Please let me know your view on this.
My email is : namrata.ghadi@gmail.com
Thanks.
-NAM

Hexenmeister said...

NAM,
Sorry I wasn't able to get back to you in a reasonable time but I would be interested in hearing about your project.

-Garot