WebApp Sec mailing list archives
RE: Web Browser For Penetration Test
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 10 Apr 2006 12:29:47 -0500
There are a number of IE plugins I've found out there, but most don't seem to work right with the newest IE 6 or 7. Same with Firefox's extensions; they work great *except* several cannot capture or manipulate POSTdata, and a few force you to deal with browser encoding requirements, significantly limiting proper XSS testing. Fiddler works great, unless you test SSL protected sites, which is the majority of what I work on.

btw// If we can get the OK from Microsoft, we want to dump the fiddler code into our .NET proxy (see Paraegis project/BlackHat Europe 2006) we just released, as we have support for SSL built in, and it would significantly extend Fiddler.

Ecyware GreenBlue Inspector is another very nice IE-interface for testing web applications. The GUI is very fast and simple for testing things like XSS, SQL injection, and method enforcement.

If you want a local proxy, there are a ton out there for free or low prices, with a wide array of strengths and weaknesses:

- OWASP WebScarab
- Paros
- Watchfire Powertools (nice free windows proxy)
- Burp Suite (one of the best GUI fuzzers around built in)
- Odysseus (I personally don't like the GUI)
- there are probably 15 more, and new projects keep cropping up all the time.

I'm almost done with the third version of the OWASP tools list, which will be in PDF and has a ton of these types of tools categorized by testing features.

-ae
-----Original Message-----
From: Richard M. Smith [mailto:rms () computerbytesman com]
Sent: Sunday, April 09, 2006 9:23 AM
To: webappsec () securityfocus com
Subject: RE: Web Browser For Penetration Test

Here's the IE tool that I use: http://www.fiddlertool.com/fiddler/

Fiddler is an HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler is designed to be much simpler than using NetMon or Achilles, and includes a simple but powerful JScript.NET event-based scripting subsystem.

Its biggest limitation is that it doesn't do HTTPS.

Richard

-----Original Message-----
From: nimdA [mailto:nimda1 () gmail com]
Sent: Saturday, April 08, 2006 6:47 AM
To: webappsec () securityfocus com
Subject: Web Browser For Penetration Test

Dear All,

I'm looking for a web browser that helps me in penetration testing of web applications. There are a lot of scanning tools, but I'm looking for a basic web browser which allows me to control all the data that is sent to or received from the web server. There are some great tools like minibrowser, but with complex applications it did not work fine unless you use "Internet Explorer" as a browser, and you will lose the benefits of this browser. Unfortunately, I can't find another browser that does the same thing.

What I'm looking for is a simple application that, before sending or receiving any value from the web server, asks the user to confirm the data that will be sent or received, not more than that. So, if anyone knows some software or IE plug-in or client proxy that will help me with this, please send it.

Thanks.
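The thread asks for a tool that stops every request so the tester can confirm or edit it before it leaves for the server, and Arian's reply notes that several browser extensions cannot capture POST data or bypass browser encoding. As an added illustration (not code from Fiddler, Paraegis or any tool named in the thread), here is a minimal Python intercepting proxy that does exactly that for plain HTTP: it reads the full request including the POST body, hands it to a "breakpoint" hook where the tester can send, drop or rewrite a form field, then forwards it. Like the Fiddler of 2006 it does not handle HTTPS. The names (`Request`, `parse_request`, `set_form_field`, `InterceptingHandler`), the port and the sample request are all this example's own.

```python
"""Minimal intercepting HTTP proxy with a request 'breakpoint' hook.
Hypothetical example code; plain HTTP only (no TLS), single-threaded so the
console prompt is sequential. Point the browser's HTTP proxy at 127.0.0.1:8080."""
import http.client
import http.server
import urllib.parse
from dataclasses import dataclass

# Hop-by-hop headers a proxy must not forward (RFC 2616 section 13.5.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade", "te", "trailer"}

# Constructed sample request, used only by demo() and the tests below.
SAMPLE_REQUEST = (b"POST http://example.test/login HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 21\r\n\r\n"
                  b"user=alice&token=abc1")


@dataclass
class Request:
    method: str
    url: str        # absolute-form URL, as a browser sends it to a proxy
    headers: dict   # header names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse a raw HTTP/1.x request. Content-Length is honoured so a POST
    body is captured instead of being silently dropped."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return Request(method, url, headers, rest[:length])


def set_form_field(req: Request, name: str, value: str, raw: bool = False) -> Request:
    """Return a copy of a form-encoded (UTF-8) request with one field replaced
    (or appended) and Content-Length recomputed. raw=True splices the value in
    verbatim, i.e. without the percent-encoding a browser would apply."""
    pairs = urllib.parse.parse_qsl(req.body.decode(), keep_blank_values=True)
    if not any(k == name for k, _ in pairs):
        pairs.append((name, value))
    parts = []
    for k, v in pairs:
        if k == name:
            v = value if raw else urllib.parse.quote_plus(value)
        else:
            v = urllib.parse.quote_plus(v)
        parts.append(f"{urllib.parse.quote_plus(k)}={v}")
    body = "&".join(parts).encode()
    headers = dict(req.headers)
    headers["content-length"] = str(len(body))
    return Request(req.method, req.url, headers, body)


def confirm_on_console(req: Request):
    """Breakpoint hook: show the request; Enter sends it, 'd' drops it,
    'e' rewrites one form field verbatim. Returns None to drop."""
    print(f"\n>>> {req.method} {req.url}")
    for k, v in req.headers.items():
        print(f"    {k}: {v}")
    if req.body:
        print(f"    body: {req.body!r}")
    choice = input("[Enter]=send  d=drop  e=edit field: ").strip().lower()
    if choice == "d":
        return None
    if choice == "e":
        return set_form_field(req, input("field name: "), input("new value: "), raw=True)
    return req


class InterceptingHandler(http.server.BaseHTTPRequestHandler):
    hook = staticmethod(confirm_on_console)

    def _intercept(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        req = Request(self.command, self.path,
                      {k.lower(): v for k, v in self.headers.items()}, body)
        req = self.hook(req)
        if req is None:
            self.send_error(403, "Dropped at breakpoint")
            return
        target = urllib.parse.urlsplit(req.url)
        if not target.hostname:              # not absolute-form: not a proxy request
            self.send_error(400, "Expected absolute URL")
            return
        path = urllib.parse.urlunsplit(("", "", target.path or "/", target.query, ""))
        fwd = {k: v for k, v in req.headers.items() if k not in HOP_BY_HOP}
        conn = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=15)
        conn.request(req.method, path, body=req.body or None, headers=fwd)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _intercept


def demo() -> Request:
    """Parse the constructed sample and rewrite its 'token' field."""
    return set_form_field(parse_request(SAMPLE_REQUEST), "token", "<marker>")


if __name__ == "__main__":
    http.server.HTTPServer(("127.0.0.1", 8080), InterceptingHandler).serve_forever()
```

The hook is the whole point: `InterceptingHandler.hook` can be swapped for any callable, so the same proxy can log silently, apply a scripted rewrite, or prompt as above. Duplicate headers such as several `Cookie` lines are collapsed into one, and chunked request bodies are not handled; both are simplifications of this example, not limits of the tools discussed in the thread.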