RE: Web Application Penetration Testing Tools

From: Faiz Ahmad Shuja (faiz_at_honeynet.org.pk)
Date: 10/12/03

  • Next message: appsec_at_technicalinfo.net: "Application Security Assessment Methods"
    To: "'Brian E'" <brian_anon@hotmail.com>, <pen-test@securityfocus.com>
    Date: Sun, 12 Oct 2003 03:15:04 +0500
    
    

    Try Achilles, A Windows web attack proxy -
    http://achilles.mavensecurity.com/

    "Achilles is a tool designed for testing the security of web
    applications. Achilles is a proxy server, which acts as a
    man-in-the-middle during an HTTP session. A typical HTTP proxy will
    relay packets to and from a client browser and a web server. Achilles
    will intercept an HTTP session's data in either direction and give the
    user the ability to alter the data before transmission. For example,
    during a normal HTTP SSL connection a typical proxy will relay the
    session between the server and the client and allow the two end nodes to
    negotiate SSL. In contrast, when in intercept mode, Achilles will
    pretend to be the server and negotiate two SSL sessions, one with the
    client browser and another with the web server. As data is transmitted
    between the two nodes, Achilles decrypts the data and gives the user the
    ability to alter and/or log the data in clear text before transmission."

    Regards,
    Faiz

    -----Original Message-----
    From: Brian E [mailto:brian_anon@hotmail.com]
    Sent: Wednesday, October 08, 2003 6:25 AM
    To: pen-test@securityfocus.com
    Subject: Web Application Penetration Testing Tools

    When performing penetration testing of web applications I have used a
    minibrowser from www.aignes.com for a very long time.

    This simple application allows me to browse a web application and easily
    see links, form elements, cookies, a log of actual commands being sent
    back and forth and more. The ability to manipulate cookies and form
    elements makes it very useful.

    Unfortunately, its support as a web browser is limited, so I can't test
    all web applications (such as embedded scripts and frames).

    Does anyone know of some other good tools for auditing web applications
    with the ability to manipulate form data and cookies before being sent
    to the server?

    Preferably, I'm looking for something based on Windows that is browser
    based (as opposed to proxy based) but am still open to all platforms and
    methods.
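The Achilles description above explains the mechanism of an intercepting proxy but not how the pieces fit together. Below is an added example (not Achilles' code, nor anything from the original posters) of a minimal intercepting proxy in Python: it reads a request from the browser, hands it to a tamper hook where cookies and form fields can be altered, fixes Content-Length to match the edited body, and forwards it upstream. For HTTPS it follows the "two SSL sessions" scheme in the quote: it answers the browser's CONNECT, then presents its own certificate to the browser while opening a separate TLS session to the real server. The cookie name `role`, the form field `price`, the certificate files `proxy.pem`/`proxy.key` and the sample request are all assumptions made for the demo; the tester would generate the certificate themselves and trust it only in the test browser.

```python
"""Minimal Achilles-style intercepting proxy (illustrative, not Achilles' code)."""
import socket
import ssl
import threading
from urllib.parse import parse_qsl, urlencode


class HttpRequest:
    """One parsed HTTP/1.x request; headers kept as an ordered list of pairs."""

    def __init__(self, method, target, version, headers, body):
        self.method, self.target, self.version = method, target, version
        self.headers, self.body = headers, body

    def get(self, name, default=None):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return default

    def set(self, name, value):
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        self.headers.append((name, value))


def parse_request(raw: bytes) -> HttpRequest:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


def serialize(req: HttpRequest) -> bytes:
    # Content-Length must describe the body the tester may have edited.
    if req.body or req.method in ("POST", "PUT", "PATCH"):
        req.set("Content-Length", str(len(req.body)))
    head = [f"{req.method} {req.target} {req.version}"]
    head += [f"{n}: {v}" for n, v in req.headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + req.body


def tamper(req: HttpRequest) -> HttpRequest:
    """The hook where the tester edits the request (Achilles shows it in a GUI).
    Hypothetical names: rewrites cookie 'role' and form field 'price'."""
    cookies = dict(c.strip().split("=", 1) for c in req.get("Cookie", "").split(";") if "=" in c)
    if "role" in cookies:
        cookies["role"] = "admin"
        req.set("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    if req.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        fields = dict(parse_qsl(req.body.decode("iso-8859-1"), keep_blank_values=True))
        if "price" in fields:
            fields["price"] = "1"
        req.body = urlencode(fields).encode("iso-8859-1")
    return req


def read_request(sock) -> bytes:
    """Read one request: headers, then Content-Length bytes of body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    need = 0
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"content-length:"):
            need = int(line.split(b":", 1)[1].strip())
    while len(body) < need:
        body += sock.recv(need - len(body))
    return head + b"\r\n\r\n" + body


def handle_client(client, certfile, keyfile):
    """Plain requests are rewritten and forwarded as-is (absolute-form target).
    CONNECT: answer 200, then terminate TLS from the browser with the proxy's own
    cert and open a second TLS session to the real server (two SSL sessions)."""
    first = parse_request(read_request(client))
    if first.method == "CONNECT":
        host, _, port = first.target.partition(":")
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(certfile, keyfile)  # assumed self-generated test cert
        client = srv_ctx.wrap_socket(client, server_side=True)
        upstream = ssl.create_default_context().wrap_socket(
            socket.create_connection((host, int(port or 443))), server_hostname=host)
        req = parse_request(read_request(client))
    else:
        host, _, port = first.get("Host", "").partition(":")
        upstream = socket.create_connection((host, int(port or 80)))
        req = first
    upstream.sendall(serialize(tamper(req)))  # decrypted, edited, re-encrypted upstream
    while True:
        data = upstream.recv(65536)
        if not data:
            break
        client.sendall(data)  # relay the response unchanged
    upstream.close()
    client.close()


def serve(listen=("127.0.0.1", 8080), certfile="proxy.pem", keyfile="proxy.key"):
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, certfile, keyfile), daemon=True).start()


# Constructed sample request for the offline demo; no real site involved.
SAMPLE_REQUEST = (b"POST /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: sid=abc; role=guest\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 15\r\n\r\n"
                  b"item=7&price=99")


def demo() -> bytes:
    """Run only the parse/tamper/serialize path on SAMPLE_REQUEST, no sockets."""
    return serialize(tamper(parse_request(SAMPLE_REQUEST)))


if __name__ == "__main__":
    print(demo().decode("iso-8859-1"))
```

Point the browser at 127.0.0.1:8080 as its HTTP and HTTPS proxy and call `serve()`; the browser will warn about the proxy's certificate unless it is imported as trusted, which is exactly the condition under which the second TLS session is invisible to the user. The demo path shows the one detail most hand-rolled tampering gets wrong: once a form field is edited, Content-Length has to be recomputed or the server reads a truncated or padded body.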


