Penetration Testing mailing list archives
[PEN-TEST] Web Application Testing Tools
From: DigiZen Security Group <zen () digizen-security com>
Date: Fri, 13 Oct 2000 10:16:51 -0400
DigiZen Security Group
www.digizen-security.com

Initial Tool Release

Name: Achilles v0.16.b
Release Date: 10/13/2000
Application: Web Application Security Testing
Platform: Windows
Author: Roberto Cardona {dasquid () digizen-security com}
Web: www.digizen-security.com

Introduction

"Web Application hacking is almost uncharted territory as far as vendor-security-products goes."
--Yonatan Bokovza from PEN-TEST mailing list

It was that thought that sparked the development of Achilles and prompted its release to the security community. As more and more companies emerge on the Internet it is becoming a high priority to protect the information their customers trust them with. As one of those customers myself, I saw a need to find out just how protected my personal and financial information was. So began the search for a tool to help me accomplish this task, and when one could not be found I decided to write it myself. Here is the initial release of an application that can help administrators, auditors, Q&A testers, and anyone who is curious about how secure their information really is.

Overview

Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission.

For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

Features

- Full Featured Desktop Proxy Server
- Intercepts bidirectional HTTP and SSL sessions
- Logs HTTP and SSL sessions in plain text
- Inserts data into an editor box allowing alteration
- Configurable Listening Port
- Configurable Timeout Values
- Recalculates Content-Length Fields after data modification
- Additional buffer space allows buffer overflow testing, up to a maximum of 10,000 bytes

Conclusion

Achilles is a freeware tool developed by Roberto Cardona, a member of DigiZen Security Group, and is available for download at http://www.digizen-security.com.

This tool will be part of the following presentations by David Rhoades at the following conferences:

Event  : SANS Network Security 2000
Org.   : SANS
City   : Monterey, CA
URL    : http://www.sans.org/NS2000.htm
Title1 : TUE-2 How to Audit Web-Based Applications
Date1  : 10/17/00
URL1   : http://www.sans.org/NS2000/tuesday.htm#TUE-2
___________________________________
Event  : Web2000 International
Org.   : CMP Media
City   : San Francisco, CA
URL    : http://www.web2000show.com/2000/west/
Title1 : Hack or Be Hacked - Testing your Web Application's Security
Date1  : 11/1/00
URL1   : http://web2000.bluedot.com/cgi-web2000/Personal/speaker_front.veos?vcard_id=13046
Title2 : Web Application Security Assessments: A Hacking Tutorial
Date2  : 10/31/00
URL2   : http://web2000.bluedot.com/cgi-web2000/Personal/speaker_front.veos?vcard_id=13046
___________________________________
Event  : Conference on PKI Interoperability
Org.   : MIS
City   : Atlanta, GA
URL    : http://www.misti.com/conference_show.asp?id=PKI
Title1 : W3: Secure Web Applications
Date1  : 12/7/00
URL1   : http://www.misti.com/conference_show.asp?id=PKI&type=workshop&workid=12%2F07
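An added example, not code from the original post or from Achilles itself: a minimal model of the one transformation the announcement describes, letting a caller-supplied edit function change a captured message body and then recalculating Content-Length so the receiving end reads exactly the edited bytes. It assumes a Content-Length body (no chunked encoding); the sample request is constructed.

```python
from typing import Callable, List, Tuple

# The announcement says the editor box allows up to 10,000 bytes of extra data.
MAX_BODY = 10_000

def split_message(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def rewrite_message(raw: bytes, edit: Callable[[bytes], bytes]) -> bytes:
    """Apply `edit` to the body and recalculate Content-Length.

    This models the 'Recalculates Content-Length Fields after data
    modification' feature: if the tester lengthens or shortens the body in
    the editor box, the other end would otherwise read too few or too many bytes.
    """
    start_line, headers, body = split_message(raw)
    new_body = edit(body)
    if len(new_body) > MAX_BODY:
        raise ValueError(f"edited body exceeds {MAX_BODY} bytes")
    length = str(len(new_body)).encode()
    out_headers, seen = [], False
    for name, value in headers:
        if name.lower() == b"content-length":
            value, seen = length, True
        out_headers.append(name + b": " + value)
    if new_body and not seen:           # a body was added where there was none
        out_headers.append(b"Content-Length: " + length)
    return b"\r\n".join([start_line, *out_headers]) + b"\r\n\r\n" + new_body

# Constructed sample: a form POST as a browser would send it through the proxy.
SAMPLE_POST = (b"POST /login HTTP/1.0\r\nHost: app.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 18\r\n\r\nuser=alice&lang=en")

def demo() -> bytes:
    """The tester's edit in the editor box: change one field's value."""
    return rewrite_message(SAMPLE_POST, lambda b: b.replace(b"lang=en", b"lang=en-US"))

if __name__ == "__main__":
    print(demo().decode())
```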