Penetration Testing mailing list archives
Re: [PEN-TEST] Web Application Testing Tools
From: DigiZen Security Group <zen () digizen-security com>
Date: Mon, 16 Oct 2000 02:09:44 -0400
I think you are misinterpreting the use of this tool. It is not meant to be a deceptive man-in-the-middle (MITM) attack. The tool is designed to be used for auditing web applications. In order to audit the application, the proxy does need to assume the role of MITM though. Basically, the tool gives the user access to the data being sent (hidden form elements, non-persistent cookies, etc.) to the web application after any client-side controls have been executed, e.g. client-side JavaScript, for the purpose of injecting unexpected input into the web application via an easy and intuitive interface.

Over the weekend we put together some poorly written CGI scripts to demonstrate the concept of the tool. You can go to http://www.digizen-security.com for an online, interactive demo when you have time.

Regards,
DigiZen Security Group

----- Original Message -----
From: "Eric Lauzon" <elauzon () ITEMUS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 13, 2000 12:37 PM
Subject: Re: [PEN-TEST] Web Application Testing Tools
The tool is good for intercepting normal http.. I mean the concept is there, but when you use your software over an SSL connection the certificate you issue is kinda dumb.. anybody who gets the untrusted certificate pop-up window should be alerted that something is wrong when before it was working fine... I may understand that it must be Proof Of Concept code, but still the certificate issued by the MITM proxy should be tuned.

Eric Lauzon
Itemus Solution

DigiZen Security Group
www.digizen-security.com

Initial Tool Release
Name: Achilles v0.16.b
Release Date: 10/13/2000
Application: Web Application Security Testing
Platform: Windows
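As an added example (not code from this thread, from Achilles, or from DigiZen), the server-side lesson behind an intercepting proxy: a form handler that trusts a hidden price field and a quantity that was range-checked only by client-side script, beside one that re-derives the price from a server-side catalogue and validates the quantity itself. The catalogue, field names and request bodies below are constructed for illustration.

```python
"""Why client-side controls are not a security boundary (added illustration)."""
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only trustworthy source of prices (cents).
CATALOG = {"sku-100": 4999, "sku-200": 1250}
MAX_QTY = 10


class RejectedInput(ValueError):
    """Raised by the hardened handler when a request fails server-side validation."""


def handle_order_naive(body: str) -> dict:
    """Trusts the hidden 'price' element and a 'qty' that only JavaScript checked.
    Anything edited after the browser ran its scripts is accepted as-is."""
    form = parse_qs(body)
    sku = form["sku"][0]
    price = int(form["price"][0])  # hidden form element set by the page
    qty = int(form["qty"][0])      # range-checked only in the browser
    return {"sku": sku, "total": price * qty}


def handle_order_hardened(body: str) -> dict:
    """Ignores any client-supplied price and re-validates every field on the server."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise RejectedInput("unknown sku")
    try:
        qty = int(form.get("qty", [""])[0])
    except ValueError:
        raise RejectedInput("qty is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise RejectedInput("qty out of range")
    # Price comes from the catalogue; a 'price' field in the body is simply ignored.
    return {"sku": sku, "total": CATALOG[sku] * qty}


def is_rejected(body: str) -> bool:
    """True when the hardened handler refuses the request (useful for tests/logging)."""
    try:
        handle_order_hardened(body)
    except RejectedInput:
        return True
    return False


# Constructed request bodies: as the browser sends it, and as edited in transit.
BROWSER_BODY = "sku=sku-100&price=4999&qty=2"
TAMPERED_BODY = "sku=sku-100&price=1&qty=-5"
```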