Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Program to populate forms
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 13 Mar 2008 11:08:31 -0700

I should say up front that there is no substitute for manual testing.
However, automated scanners do save you a hell of a lot of time for locating
the low-hanging fruit. 

That said, there are times when I'm pen-testing complex web apps with
multiple tiers/branches that require specific valid input at several steps
to gain access to where a potential vulnerable field/page/form may exist
that I want to hit with fuzzy bad traffic. Manually scripting all this would
be a huge timesink and isn't very cost-effective. Some of the webapp
scanners do have some capability to do field population but it's not as
flexible as I'd like. For instance, Webinspect can "learn" an app and you
can specify what input to provide at various forms/prompts but there is no
real granularity. If I want to specify that on page1 to use Foo for a
username field but on pages 3-5 and their children I want to use Bar for all
username fields I have to do that manually. If I prepopulated the Username
field in WI with Foo it uses Foo for all username fields... unless I want to
run *another* scan from the Foo return as the starting point and run with
Bar from there forward. 

What I would love to see is a tool which could allow for this kind of
granularity in field input. Anyone have ideas?


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Robin Wood
Sent: Thursday, March 13, 2008 10:21 AM
To: Sam Rakowski
Cc: pen-test () securityfocus com
Subject: Re: Program to populate forms

On 13/03/2008, Sam Rakowski <masterakowski () gmail com> wrote:
On 12 Mar 2008 15:19:13 -0000, finight64 () gmail com <finight64 () gmail com>
wrote:

I'm looking for a program to automatically fill in forms to create
traffic on a web app for analysis. Does anyone have any suggestions or
experiences?


Would that be 'good' traffic, what your program expects, or 'bad'
 traffic (i.e. putting xyzzy for a zip code)

Depends on what you want to test, the question was about creating
traffic so I'd say good, valid traffic. If he wanted to test it then
he'd put all sorts or stuff in there.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault