Vulnerability Development mailing list archives

Re: Scanning Web Proxy -- Preliminary Concept


From: "Sahlberg, Jeremiah" <JJDS () PARA-PROTECT COM>
Date: Wed, 20 Dec 2000 09:20:53 -0500

Have you looked at Achilles? http://www.digizen-security.com/downloads.html

You run Achilles locally on your system and set your web client to proxy
through it.  It will allow you to capture all of the data getting passed
from the web client to the web server, plus it allows you to edit the web
requests.  I do not know if this is what you are looking for, but it is worth a
mention.

Cheers,

J

-----Original Message-----
From: Philip Stoev [mailto:philip () STOEV ORG]
Sent: Thursday, December 14, 2000 4:34 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Scanning Web Proxy -- Preliminary Concept


Hello,

I am not certain if this is the proper list to post to; however, I would like
to bring to your attention an idea of mine (no code yet). Any
feedback, including yells like "We already did something like that!", is
highly appreciated.

http://www.stoev.org/proxy/preliminary-concept.html

The purpose of the proposed scanning web proxy is to analyze all HTTP
request-reply pairs that pass through it for the purpose of finding security
vulnerabilities in the web sites being visited (i.e. weak cookies,
plain-text passwords stored in hidden form fields, etc.), using the browsing
human user as a vehicle allowing the scanner to peek into the internals of
the web site (such as the portions of the site that are behind the log-in
page).

Please note that the proposed software is not meant to find vulnerabilities
in its clients, nor is it meant to protect its clients from Trojans/viruses,
or whatever.

Again, any feedback is highly appreciated, even if flames. Please forward
this announcement to other people or groups you may consider relevant.

Sincerely,

Philip Stoev
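
A sketch of the passive check the original post proposes, as an added example (not code from either poster or from Achilles): it inspects one HTTP reply for hidden form fields carrying password-like values and for cookies set without the Secure or HttpOnly attribute. Reading "weak cookies" as missing attributes, the field-name pattern, and the sample reply are all assumptions made here.

```python
import re
from html.parser import HTMLParser

# Field names treated as credential-like (an assumption for this sketch).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret", re.I)

class HiddenFieldFinder(HTMLParser):
    """Collects <input type=hidden> fields whose name looks credential-like."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = tag == "input" and a.get("type", "").lower() == "hidden"
        if hidden and a.get("value") and SENSITIVE.search(a.get("name", "")):
            self.hits.append(a["name"])

def check_cookies(headers):
    """Flag Set-Cookie headers lacking Secure or HttpOnly (assumed meaning of 'weak')."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(f"cookie {cookie!r} missing {flag}")
    return findings

def analyze(url, headers, body):
    """Passively inspect one reply; returns a list of finding strings."""
    findings = check_cookies(headers)
    finder = HiddenFieldFinder()
    finder.feed(body)
    findings += [f"hidden field {n!r} carries a value at {url}" for n in finder.hits]
    return findings

# Constructed sample reply, not captured traffic.
SAMPLE_HEADERS = [("Set-Cookie", "SESSION=1042; Path=/"),
                  ("Set-Cookie", "prefs=dark; Secure; HttpOnly")]
SAMPLE_BODY = """<form action="/account" method="post">
<input type="hidden" name="user_password" value="hunter2">
<input type="hidden" name="step" value="2">
<input type="text" name="email"></form>"""

if __name__ == "__main__":
    for f in analyze("http://shop.example/account", SAMPLE_HEADERS, SAMPLE_BODY):
        print(f)
```

In a proxy, `analyze` would be called once per reply as it is relayed, so the findings cover whatever pages the browsing user reaches, including those behind the log-in page.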

