WebApp Sec mailing list archives
WMAT - Web Mail Auth Tool
From: "Ivan Markovic" <ivanm () security-net biz>
Date: Wed, 18 Feb 2009 23:05:22 +0100
Hello everyone, After successful project DFF Scanner (http://www.owasp.org/index.php/Phoenix/Tools) I'm happy to introduce a new tool from NSS (http://netsec.rs) WMAT. WMAT is Web Mail Auth Tool that provide some essential functions for testing web mail logins, written in python with support of pyCurl. How it works ? It is very simple, You give WMAT file with usernames, file with passwords, URL of web mail app and chose pattern for attack. Patterns are XML files that define post/get fields, http method, referer, success tag, etc ... for each web mail applications. For now I have patterns for horde, squirrelmail, kerio and mdaemon web mail. XML files are like this: --- horde.wmat.xml --- <?xml version='1.0' encoding='UTF-8'?> <data> <username>horde_user</username> <password>horde_pass</password> <action_url>login.php</action_url> <success>sidebar.php</success> <method>post</method> <useragent></useragent> <referer></referer> <additional_fields></additional_fields> <author>ivan.markovic () netsec rs</author> </data> ----------------------- I need some help from community for this patterns. In each pattern I expect author field as sign of gratitude. There are some more options like setting timeout (time between each request), bell on success and option for writing output in file. Readme file is here: http://security-net.biz/wmat/readme.txt This is first version and I plan to implement more options like: - using a proxy - special addon for generation of usernames/passwords - automatic recognizer of web app - ... You can download WMAT from this URL: http://security-net.biz/wmat/wmat.zip or see wmat.py here: http://security-net.biz/wmat/wmat.py.txt Please give some comments, ideas/requests, bug reports, ... Thanks, Ivan Markovic Network Security Solutions
Current thread:
- WMAT - Web Mail Auth Tool Ivan Markovic (Feb 19)