Penetration Testing mailing list archives

RE: Web Application Testers.


From: Ockens Thomas <Thomas.Ockens () med siemens de>
Date: Tue, 25 Sep 2001 14:49:09 +0200

(note - I've taken vuln-dev out of the CC-list, as this seems just the
tiniest bit more suitable for pen-testers)

FYI, AppScan breaks/subverts web applications - there are plenty of tools
to break web servers (apache/IIS), but it looks like appscan is on its own
on the test-the-bespoke-web-app front.

I'm not a hundred percent sure if hailstorm has been considered, but have a
look, or take an evaluation copy for a test drive at
http://www.clicktosecure.com/products/index.html

also, HSC's babelweb can possibly be used for subverting web applications - the
least it does is a good deal of enumeration:
(from the web site)

        "Babelweb is a program which allows one to automate tests on an HTTP
server. It is able to follow the links and the HTTP redirects but it is
programmed to remain on the original server.
The main goal of babelweb is to obtain information about a remote web
server and to sort this information. It is thus possible to draw up the
list of the accessible pages, the cgi scripts met, the various files found
like .zip, .pdf..."
...get it from here: http://www.hsc.fr/ressources/outils/babelweb/


As additional ideas, you may want to look into tools such as RFProxy[1],
Achilles[2] or subweb[3] when breaking web apps; I found Achilles invaluable
when needing on-the-fly substitution of authentication cookies for a web
board, which in a fashion was a bit like breaking it.

As 'web apps' seems to be a pretty huge field, breaking them might involve
low-level stuff such as a spoofed IP, referrer or somesuch, or SQL
injection, overly long input in forms, exploitation of site-design-specific
bugs (is the interface plain html w/ cgi?  is it PHP?  is the PHP possibly
derived from a known buggy app?), so I estimate there's currently no tool
remotely capable of emulating the brains of an experienced human web app
breaker (for lack of a better word).

good luck


thomas
---
[1] (not released yet? - not sure - see http://www.wiretrip.net/rfp)
[2] http://www.digizen-security.com/projects.html
[3] http://www.hsc.fr/ressources/outils/subweb/index.html.en

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
