Penetration Testing mailing list archives
Re: Web Application Penetration Testing Tools
From: "Robert J. Brown" <rjb () robertjbrown com>
Date: Mon, 13 Oct 2003 23:26:28 -0000
Brian E said:
Does anyone know of some other good tools for auditing web applications with the ability to manipulate form data and cookies before being sent to the server?
I prefer the Unix platform so my tool of choice has been SSLProxy. You can also build it with Cygwin to work under Windows if that is your style. Its only function is to act as a proxy to remove the SSL encryption. You can then use whatever tool you want on the client side to manipulate cookie data, referrer values, session IDs, etc. It also allows you to sniff the traffic and see exactly what is going on. Works great and best of all - it's GPL'd.

With this tool, you can use non-SSL aware client tools for manipulating data. This is one of the biggest benefits.

You can find it at:
http://www.obdev.at/products/ssl-proxy/index.html

Here is a bit of info from the readme file:

What is sslproxy?
=================
sslproxy is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections. It also has a non-transparent mode for automatic encryption-detection on netbios.

sslproxy has been developed to have more secure servers available for the secure mode of Sharity (a CIFS/SMB client for Unix). However, the program can also be used for a multitude of other security related applications.

What are the typical applications for sslproxy?
===============================================
sslproxy can be used to make a secure server for HTTP, telnet, POP, CIFS/SMB etc. without changing the server itself. It's therefore possible to turn an NT file server into a secure file server, to turn a telnet daemon into an SSL telnet daemon etc.

The opposite is also possible: sslproxy can turn an ordinary client into its SSL variant without changing anything on the client. It's e.g. possible to make secure telnet connections from Windows NT.

Regards,
-Robert

--
Robert J. Brown
Email: rjb () robertjbrown com
Web: http://www.robertjbrown.com
PGP Key: http://www.robertjbrown.com/rjbpgp.asc