[PEN-TEST] Web Application Testing Tools

[DigiZen Security Group <zen () digizen-security com>]

                                            DigiZen Security Group
                                          www.digizen-security.com
                                               Initial Tool Release

Name: Achilles v0.16.b
Release Date: 10/13/2000
Application: Web Application Security Testing
Platform: Windows
Author: Roberto Cardona {dasquid () digizen-security com}
Web: www.digizen-security.com

Introduction

"Web Application hacking is almost uncharted territory as far as
vendor-security-products goes."
                   --Yonatan Bokovza from PEN-TEST mailing list

It was that thought that sparked the development of Achilles and prompted
it's release
to the security community.  As more and more companies emerge on the
Internet it is
becoming a high priority to protect the information their customers trust
them with.
As one of those customers myself, I saw a need to find out just how
protected my
personal and finacial information was.  So began the search for a tool to
help me
accomplish this task and when one could not be found I decided to write it
myself.
Here is the inital release of an application that can help administrators,
auditors,
Q&A testers, and anyone who is curious about how secure their information
really is.

Overview

Achilles is a tool designed for testing the security of web applications.
Achilles is a
proxy server, which acts as a man-in-the-middle during an HTTP session.  A
typical HTTP
proxy will relay packets to and from a client browser and a web server.
Achilles will
intercept an HTTP session's data in either direction and give the user the
ability to
alter the data before transmission.  For example, during a normal HTTP SSL
connection a
typical proxy will relay the session between the server and the client and
allow the
two end nodes to negotiate SSL.  In contrast, when in intercept mode,
Achilles will
pretend to be the server and negotiate two SSL sessions, one with the client
browser
and another with the web server. As data is transmitted between the two
nodes, Achilles
decrypts the data and gives the user the ability to alter and/or log the
data in clear
text before transmission.

Features

Full Featured Desktop Proxy Server
Intercepts bidirectional HTTP and SSL sessions
Logs HTTP and SSL sessions in plain text
Inserts data into an editor box allowing alteration
Configurable Listening Port
Configurable Timeout Values
Recalculates Content-Length Fields after data modification
Additional buffer space allows buffer overflow testing, up to a maximum of
10,000 bytes

Conclusion

Achilles is a freeware tool developed by Roberto Cardona, a member of
DigiZen Security
Group, and is available for download at http://www.digizen-security.com.

This tool will be part of the following presentations by David Rhoades at
the following
conferences:

Event  : SANS Network Security 2000
Org.   : SANS
City   : Monterey, CA
URL    : http://www.sans.org/NS2000.htm

Title1 : TUE-2 How to Audit Web-Based Applications
Date1  : 10/17/00
URL1   : http://www.sans.org/NS2000/tuesday.htm#TUE-2
___________________________________

Event  : Web2000 International
Org.   : CMP Media
City   : San Francisco, CA
URL    : http://www.web2000show.com/2000/west/

Title1 : Hack or Be Hacked - Testing your Web Application's Security
Date1  : 11/1/00
URL1   :
http://web2000.bluedot.com/cgi-web2000/Personal/speaker_front.veos?vcard_id=
13046

Title2 : Web Application Security Assessments: A Hacking Tutorial
Date2  : 10/31/00
URL2   :
http://web2000.bluedot.com/cgi-web2000/Personal/speaker_front.veos?vcard_id=
13046

___________________________________

Event  : Conference on PKI Interoperability
Org.   : MIS
City   : Atlanta, GA
URL    : http://www.misti.com/conference_show.asp?id=PKI
Title1 : W3: Secure Web Applications
Date1  : 12/7/00
URL1   :
http://www.misti.com/conference_show.asp?id=PKI&type=workshop&workid=12%2F07