New freeware tools available from WebCohort

From: Eyal Udassin
Date: 02/13/03

    Date: Thu, 13 Feb 2003 16:52:35 +0200

    The following tools are available at for free

    ITR (Interactive TCP Relay)
    This tool provides a security-testing environment for non-HTTP
    Client/Server applications, similar to that provided by interactive HTTP
    When started, ITR operates as a simple TCP tunnel, listening on a
    specific port, and forwarding all the traffic to the remote host and
    port. By configuring the client to treat the ITR as its server, all
    traffic between a client and a server can be tunneled and logged. The
    true power of ITR, however, lies in its ability to intercept and edit
    the traffic passing through it. When invoking intercept mode, the ITR
    stops every message sent through it (client to server and/or server to
    client). The traffic can then be edited freely, providing a comfortable
    environment for testing Client/Server applications. The editing of
    messages is performed using a built-in comfortable HEXA Editor. To
    provide support and compatibility for various systems, the ITR can
    operate both its logs and HEXA editor using different types of character
    encodings, such as ASCII or EBCDIC.

    BOU (Buffer Overflow Utility)
    BOU is a command-line utility that enables the user to check for buffer
    overflows on Web Server Applications. Written in Java, BOU quickly
    uncovers suspected buffer overflow problems in HTTP requests, and
    supports both the GET and POST methods.

    Mapper helps you map the files, file parameters and values of any site
    you wish to test. Simply browse the site as a normal user while
    recording your session with Achilles (Mapper supports other proxies as
    well), and run Mapper on the resulting log file. Mapper will create an
    Excel CSV file that will allow you to study the directory and file
    structure of the site, the parameter names of every dynamic page
    encountered (such as ASP/JSP/CGI), and their values for every time you
    requested them. This tool helps you to quickly locate design errors and
    parameters that may be prone to SQL Injection or parameter tampering
    problems. Mapper also supports non-standard parameter delimiters and
    MVC-based web sites.

    Eyal Udassin
    Application Security Consultant
    WebCohort Ltd.
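
The ITR description above says the relay's logs and hex editor can be displayed in ASCII or EBCDIC. The following Python example is added here for illustration (it is not part of the original message and is not WebCohort's code): it formats a relayed message as a hex dump with a selectable text column. The function names, the sample messages and the use of code page cp037 for EBCDIC are assumptions.

```python
# Added example: hex-dump logging of relayed messages with an ASCII or EBCDIC
# text column. Names and sample data are constructed for illustration.

# Assumption: "ebcdic" means code page 037; other EBCDIC pages (e.g. cp500)
# differ in a few positions.
CODECS = {"ascii": "ascii", "ebcdic": "cp037"}


def text_column(chunk, encoding):
    """Decode each byte on its own; show '.' for anything not printable."""
    codec = CODECS[encoding]
    out = []
    for b in chunk:
        ch = bytes([b]).decode(codec, errors="replace")
        out.append(ch if ch != "\ufffd" and ch.isprintable() else ".")
    return "".join(out)


def hexdump(direction, data, encoding="ascii", width=16):
    """Return log lines: a header, then offset, hex bytes and decoded text."""
    pad = width * 3 - 1
    lines = [f"{direction} {len(data)} bytes ({encoding})"]
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{pad}}  |{text_column(chunk, encoding)}|")
    return lines


# Constructed sample traffic: an EBCDIC request and an ASCII reply.
SAMPLE_C2S = "SIGNON USER01".encode("cp037")
SAMPLE_S2C = b"200 OK\r\n"

if __name__ == "__main__":
    for enc in ("ascii", "ebcdic"):
        print("\n".join(hexdump("client->server", SAMPLE_C2S, enc)))
    print("\n".join(hexdump("server->client", SAMPLE_S2C, "ascii")))
```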
