Penetration Testing mailing list archives

[PEN-TEST] HTTPush - a web server/application audit helper


From: Lluis Mora <llmora () S21SEC COM>
Date: Tue, 27 Mar 2001 20:08:14 +0200

Hi all,

Lately I've been working on a tool that will help (or at least try to) when
auditing HTTP applications by showing the user exactly what is being sent to
the remote host and allowing the real-time modification of that data
(headers, cookies, method, protocol, post data, etc.) before it's actually
sent to the server.

This tool, HTTPush, works as an HTTP/HTTPS proxy server and intercepts all
the requests sent from the client to the server, optionally recording them
to file for analysis.

Some of its features are:

- On the fly HTTP request review and modification
- Lynx, Internet Explorer and Netscape proxy support
- HTTPS support (through OpenSSL, http://www.openssl.org)
- Sticky headers and cookies
- Session recording and reviewing

It's not a CGI vulnerability scanner, but a helper for manually conducted
application audits.

At the moment the analysis is performed by the user, and HTTPush is just a
nice interface to HTTP, but support for automated "common" vulnerability
checking is being worked on, such as checking for cross-site scripting
vulnerabilities, ../ checks, shell metacharacters embedded in a request,
etc.

Anyway, I think it's a nice tool that eases discovering new vulnerabilities
in HTTP applications and servers, a good replacement for tcpdump + nc or
HTML source form fields tracing, and nowadays when nearly everyone's got a
website with custom applications it's a good place to look when doing a
pen-test.

It's free, and you can get the latest version (v0.9b8) from:

  http://www.s21sec.com/download/httpush-current.tar.gz

It's written in Perl, so it should work on any platform Perl runs on, though
it's only been tested under Linux.

Cheers,

Lluis Mora      llmora () s21sec com
S21SEC
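
An added example, not part of the original post and not HTTPush code: a Python reviewer for a recorded request that flags the three check classes the message says are being worked on (../ sequences, script markup, shell metacharacters) in the path, query, headers, cookies and post data, so a session log can be triaged. The raw request is constructed, and its plain HTTP/1.x text layout is an assumption, since the post does not show HTTPush's recording format; the names `fields`, `audit` and `CHECKS` are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request; HTTPush's own recording format is not assumed.
SAMPLE_REQUEST = (
    "POST /cgi-bin/view.cgi?file=..%2F..%2Fetc%2Fmotd HTTP/1.0\r\n"
    "Host: app.example\r\n"
    "Cookie: lang=en; theme=<script>x</script>\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=bob&note=hello%3B+id"
)

# The three check classes named in the post, applied to decoded values.
CHECKS = {
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "script-markup": re.compile(r"<\s*script|javascript:", re.I),
    "shell-metachar": re.compile(r"[;|`$]"),
}

def fields(raw):
    """Yield (location, name, decoded value) for each client-supplied field."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _proto = lines[0].split(" ", 2)
    url = urlsplit(target)
    yield "path", "", unquote(url.path)
    yield from (("query", k, v) for k, v in parse_qsl(url.query, True))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.lower() == "cookie":
            for pair in value.split(";"):   # split first so ';' is not flagged
                k, _, v = pair.strip().partition("=")
                yield "cookie", k, unquote(v)
        else:
            yield "header", name, value.strip()
    yield from (("body", k, v) for k, v in parse_qsl(body, True))

def audit(raw):
    """Return (location, field, check) for every value that trips a check."""
    findings = []
    for where, name, value in fields(raw):
        for label, rx in CHECKS.items():
            # ';' is ordinary in header values (e.g. media-type parameters).
            if where == "header" and label == "shell-metachar":
                continue
            if rx.search(value):
                findings.append((where, name, label))
    return findings
```

Calling `audit(SAMPLE_REQUEST)` returns one finding per flagged field; values are decoded before matching, so percent-encoded input is checked in the form the application would see.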

