Penetration Testing mailing list archives

Re: [PEN-TEST] Web Application Testing Tools


From: DigiZen Security Group <zen () digizen-security com>
Date: Mon, 16 Oct 2000 02:09:44 -0400

I think you are misinterpreting the use of this tool.  It is not meant
to be a deceptive man-in-the-middle (MITM) attack.  The tool is designed
to be used for auditing web applications.  In order to audit the
application, the proxy does need to assume the role of MITM, though.
Basically, the tool gives the user access to the data being sent (hidden
form elements, non-persistent cookies, etc.) to the web application after
any client-side controls have been executed, e.g. client-side JavaScript,
for the purpose of injecting unexpected input into the web application via
an easy and intuitive interface.  Over the weekend we put together some
poorly written CGI scripts to demonstrate the concept of the tool. You can
go to http://www.digizen-security.com for an online, interactive
demo when you have time.

Regards,
DigiZen Security Group
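The point made above, that hidden form fields, cookies and any value a client-side script has already checked can all be altered in the proxy before they reach the server, has a defender's counterpart: the server validates everything again and takes nothing of consequence from the client. The following is an added example, not Achilles code and not DigiZen's CGI scripts. It is a constructed Python checkout handler: the `sku` hidden field is HMAC-signed so edits are detectable, the price is always re-read from the server's own catalogue, and the quantity range the browser-side script enforces is enforced a second time. The key, catalogue and request bodies are all constructed for the demo.

```python
"""Server-side handling of a checkout form whose values may have been
edited in an intercepting proxy. Added example, not code from the page."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Server-side catalogue: the only authoritative source of prices (cents).
CATALOGUE = {"sku-100": 1999}


def sign_hidden(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Bind a hidden field value to its field name with an HMAC.
    The client can still edit it, but the edit is then detectable."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(name: str, signed: str, key: bytes = SERVER_KEY) -> str:
    """Return the original value, or raise ValueError if it was modified."""
    value, sep, mac = signed.rpartition("|")
    if not sep:
        raise ValueError(f"{name}: missing signature")
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"{name}: signature mismatch (field was modified)")
    return value


def handle_checkout(body: str) -> dict:
    """Process an application/x-www-form-urlencoded POST body.
    Every rule the browser-side JavaScript enforces is enforced again here,
    because a proxy lets the user submit whatever they like."""
    params = parse_qs(body, keep_blank_values=True)

    def one(name: str) -> str:
        vals = params.get(name, [])
        if len(vals) != 1:
            raise ValueError(f"{name}: expected exactly one value")
        return vals[0]

    sku = verify_hidden("sku", one("sku"))
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    # Price is never taken from the client, signed or not: re-read it.
    price = CATALOGUE[sku]
    # Quantity: the client-side script limits it to 1..10; so does the server.
    try:
        qty = int(one("qty"))
    except ValueError:
        raise ValueError("qty: not an integer") from None
    if not 1 <= qty <= 10:
        raise ValueError("qty: out of range")
    return {"sku": sku, "unit_price": price, "qty": qty, "total": price * qty}


def demo() -> dict:
    """Run three constructed submissions through the handler:
    the untouched form, one with the quantity edited past the client-side
    limit, and one with the hidden sku field rewritten."""
    signed_sku = sign_hidden("sku", "sku-100")
    bodies = {
        "untouched": f"sku={signed_sku}&qty=2",
        "qty_edited": f"sku={signed_sku}&qty=99999",
        "sku_edited": "sku=sku-999|0000&qty=2",
    }
    results = {}
    for label, body in bodies.items():
        try:
            results[label] = handle_checkout(body)
        except ValueError as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The signature only proves the field left the server unchanged; it says nothing about whether the value is acceptable, which is why the catalogue lookup and the range check still run on every request.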

----- Original Message -----
From: "Eric Lauzon" <elauzon () ITEMUS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 13, 2000 12:37 PM
Subject: Re: [PEN-TEST] Web Application Testing Tools


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The tool is good for intercepting normal HTTP. I mean, the concept is
there, but when you use your software over an SSL connection
the certificate you issue is kinda dumb. Anybody who gets the
untrusted certificate pop-up window should be alerted that something is
wrong when before it was working fine. I may understand that this
must be proof-of-concept code, but still the certificate issued by
the MITM proxy should be tuned.

Eric Lauzon
Itemus Solution


DigiZen Security Group
www.digizen-security.com
Initial Tool Release

Name: Achilles v0.16.b
Release Date: 10/13/2000
Application: Web Application Security Testing
Platform: Windows

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOec42qIpv/xAG6RUEQIvsACgszeyyEr71AEN0pg9pGJFmmVvWycAnR4l
CpdMMOFlGhEonVLblvJpHpMm
=/P/W
-----END PGP SIGNATURE-----
