Re: Web Application Penetration Testing Tools

["Daniel Nylander" <mail-lists () lidkoping net>]

I used to work with performance testing of large webapplications such as
Internetbanks etc..
We used our self-developed tools called PureLoad. PureLoad is a load
generator written entirely in Java.
PureLoad has a built-in proxy which records all traffic and all variables
sent in and out of a webapplication.
It gives you a (almost) complete overview of the traffic between browser and
webserver (even HTTPS).
Download and test for your self.. there should be a 30-day evaluation
version
http://www.pureload.com/

Cheers,
Daniel


----- Original Message ----- 
From: "Bill Pennington" <billp () boarder org>
To: "Brian E" <brian_anon () hotmail com>
Cc: <pen-test () securityfocus com>
Sent: Wednesday, October 08, 2003 6:06 PM
Subject: Re: Web Application Penetration Testing Tools


> I think you are going to need to use a proxy based tool. Rewriting HTML
> and embedding it in more HTML like you have to do with browser based
> tools is extremely difficult. Javascript, Frames, Style sheets etc...
> can all mess with the rendering.
>
> Not to mention sites that do crazy things like having multiple <body>
> tags, yes I am working on a site that has that now...
>
> I posted a message a while back about proxy based tools on the
> Webappsec list. Tools to look at are Achilles, Webscarab/exodus, Spike
> proxy, and penproxy. There are a number of others.
>
> On Tuesday, October 7, 2003, at 06:24 PM, Brian E wrote:
>
> > When performing penetration testing of web applications I have used a
> > minibrowser from www.aignes.com for a very long time.
> >
> > This simple application allows me to browse a web application and
> > easily see links, form elements, cookies, a log of actual commands
> > being sent back and forth and more. The ability to manipulate cookies
> > and form elements makes it very useful.
> >
> > Unfortunately, it's support as a web browser is limited so I can't
> > test all web applications (such as embeded scripts and frames).
> >
> > Does anyone know of some other good tools for auditing web
> > applications with the ability to manipulate form data and cookies
> > before being sent to the server?
> >
> > Preferably, I'm looking for something based on Windows that is browser
> > based (as opposed to proxy based) but am still open to all platforms
> > and methods.
> >
> > ----------------------------------------------------------------------- 
> > ----
> > Tired of constantly searching the web for the latest exploits?
> > Tired of using 300 different tools to do one job?
> > Get CORE IMPACT and get some rest.
> > www.coresecurity.com/promos/sf_ept2
> > ----------------------------------------------------------------------- 
> > -----
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>
> --------------------------------------------------------------------------
-
> Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------