Penetration Testing mailing list archives
[PEN-TEST] HTTPush - a web server/application audit helper
From: Lluis Mora <llmora () S21SEC COM>
Date: Tue, 27 Mar 2001 20:08:14 +0200
Hi all,

Lately I've been working on a tool that will help (or at least try to) when auditing HTTP applications by showing the user exactly what is being sent to the remote host and allowing the real-time modification of that data (headers, cookies, method, protocol, post data, etc.) before it's actually sent to the server.

This tool, HTTPush, works as a HTTP/HTTPS proxy server and intercepts all the requests sent from the client to the server, optionally recording them to file for analysis. Some of its features are:

- On the fly HTTP request review and modification
- Lynx, Internet Explorer and Netscape proxy support
- HTTPS support (through OpenSSL, http://www.openssl.org)
- Sticky headers and cookies
- Session recording and reviewing

It's not a CGI vulnerability scanner, but a helper for manually conducted application audits. At the moment the analysis is performed by the user, and HTTPush is just a nice interface to HTTP, but support for automated "common" vulnerability checking is being worked on, such as checking for cross-site scripting vulnerabilities, ../ checks, shell metacharacters embedded in a request, etc.

Anyway, I think it's a nice tool that eases discovering new vulnerabilities in HTTP applications and servers, a good replacement for tcpdump + nc or HTML source form fields tracing, and nowadays when nearly everyone's got a website with custom applications it's a good place to look for when doing a pen-test.

It's free, and you can get the latest version (v0.9b8) from:

http://www.s21sec.com/download/httpush-current.tar.gz

It's written in perl, so it should work on any platform perl runs on, though it's only been tested under Linux.

Cheers,

Lluis Mora
llmora () s21sec com
S21SEC