Re: Web site testing

From: Dan Goldberg (dan_at_madjic.net)
Date: 04/23/04

    To: "Jerry Shenk" <jshenk@decommunications.com>, <pen-test@securityfocus.com>
    Date: Fri, 23 Apr 2004 12:34:48 -0400
    
    

    > What are some good web server auditing tools.

    Two tools for working with predictable SessionIDs are OWASP's
    WebScarab (Java-based) which is a web audit toolkit including an
    interception proxy, a sitelogger, and a session editor among other
    things. This will allow you to play with any header or the sessionID.
    Another tool that may be useful (though I have not used much yet) is
    an add-on to the Mozilla Firefox browser called MagPie tools. It is
    downloaded from the firefox plug-in page. It can increment and
    decrement digits in the URL (if that is where the session ID is held)
    and some other tricks, YMMV.

    There is also Achilles, another interception proxy toolkit. Similar to
    WebScarab but not Java-based. It is also a little more stable than
    WebScarab, which has been updated since I last used it extensively.

    I hope this helps some

    -- 
    dan@madjic.net
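Added example, not part of the message above and not code from WebScarab, MagPie or Achilles: a small check for auditing the session IDs your own application issues, flagging the predictable patterns the message refers to (IDs held in the URL that move by simple increments). The host `app.example`, the `sid` parameter name and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample URLs; the host and the "sid" parameter name are assumptions.
SEQUENTIAL = [f"https://app.example/cart?sid=10004{n}" for n in range(1, 6)]
RANDOM = [
    "https://app.example/cart?sid=9f2c61d07ab34e58c1d2907fe6b3a4c5",
    "https://app.example/cart?sid=03b7e4a91c5d2f6088e1b6453da97f12",
    "https://app.example/cart?sid=d41a8f3e6250b9c77f04c2e18a5d63b0",
    "https://app.example/cart?sid=6ec5097b31f8a4d2b59370ac14e82d9f",
]


def session_ids(urls, param="sid"):
    """Return the session ID carried in each URL's query string, in order."""
    values = (parse_qs(urlparse(u).query).get(param) for u in urls)
    return [v[0] for v in values if v]


def assess(ids):
    """Flag patterns that make IDs issued in sequence guessable."""
    findings = []
    if len(ids) < 2:
        return findings  # nothing to compare
    # Numeric IDs that advance by a fixed amount are trivially enumerable.
    if all(i.isdigit() for i in ids):
        steps = {int(b) - int(a) for a, b in zip(ids, ids[1:])}
        if len(steps) == 1:
            findings.append(f"constant-step:{next(iter(steps))}")
    # Equal-length IDs where most character positions never change
    # carry little per-session randomness.
    if len({len(i) for i in ids}) == 1:
        width = len(ids[0])
        varying = sum(1 for k in range(width) if len({i[k] for i in ids}) > 1)
        if varying <= width // 4:
            findings.append(f"low-variation:{varying}/{width}")
    return findings


if __name__ == "__main__":
    for name, urls in (("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, assess(session_ids(urls)) or "no pattern found")
```

An empty result on a handful of samples only means these two patterns were not seen; it does not show the IDs are unpredictable.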