Penetration Testing mailing list archives
RE: Web Application Penetration Testing Tools
From: "Faiz Ahmad Shuja" <faiz () honeynet org pk>
Date: Sun, 12 Oct 2003 03:15:04 +0500
Try Achilles, a Windows web attack proxy - http://achilles.mavensecurity.com/

"Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission."

Regards,
Faiz

-----Original Message-----
From: Brian E [mailto:brian_anon () hotmail com]
Sent: Wednesday, October 08, 2003 6:25 AM
To: pen-test () securityfocus com
Subject: Web Application Penetration Testing Tools

When performing penetration testing of web applications I have used a minibrowser from www.aignes.com for a very long time. This simple application allows me to browse a web application and easily see links, form elements, cookies, a log of actual commands being sent back and forth and more. The ability to manipulate cookies and form elements makes it very useful. Unfortunately, its support as a web browser is limited so I can't test all web applications (such as embedded scripts and frames).

Does anyone know of some other good tools for auditing web applications with the ability to manipulate form data and cookies before being sent to the server? Preferably, I'm looking for something based on Windows that is browser based (as opposed to proxy based) but am still open to all platforms and methods.
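
Seen from the server side, the interception described in this message means any cookie or form field can arrive altered. The following is an added example, not part of the original post and not Achilles code: a Python sketch in which the server attaches an HMAC tag to each value it issues and rejects any value whose tag no longer verifies. The key, function names, field names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key (assumption): generated and kept on the server only.
SERVER_KEY = secrets.token_bytes(32)


def _tag(name: str, value: str, key: bytes) -> str:
    # Binding the field name into the MAC stops a valid tag being moved to another field.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_value(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value|tag' for a cookie or hidden form field issued by the server."""
    return f"{value}|{_tag(name, value, key)}"


def verify_value(name: str, signed: str, key: bytes = SERVER_KEY):
    """Return the original value if its tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None  # tag missing: stripped in transit or never issued by us
    expected = _tag(name, value, key)
    # Constant-time comparison so the check does not leak tag bytes through timing.
    ok = hmac.compare_digest(expected.encode(), tag.encode())
    return value if ok else None


def handle_request(fields: dict) -> dict:
    """Accept only fields whose tag verifies; list the rest as rejected."""
    accepted, rejected = {}, []
    for name, signed in fields.items():
        value = verify_value(name, signed)
        if value is None:
            rejected.append(name)
        else:
            accepted[name] = value
    return {"accepted": accepted, "rejected": sorted(rejected)}


def demo() -> dict:
    # Constructed sample: values the server issued in a cookie and a hidden field.
    issued = {"role": sign_value("role", "user"), "price": sign_value("price", "49.99")}
    # The same request after one value was rewritten in clear text in transit,
    # with the old tag left in place.
    altered = dict(issued)
    altered["price"] = "0.01|" + issued["price"].rpartition("|")[2]
    return handle_request(altered)


if __name__ == "__main__":
    print(demo())
```

The tag protects integrity only; the value itself is still readable to anyone who can decrypt the session, so state that must stay secret belongs on the server.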