Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Web Browser For Penetration Test

RE: Web Browser For Penetration Test

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Mon, 10 Apr 2006 12:29:47 -0500

There are a number of IE plugins I've found out there, but
most don't seem to work right with the newest IE 6 or 7.

Same with Firefox's extensions; they work great *except*
several cannot capture or manipulate POSTdata, and a few
force you to deal with browser encoding requirements,
significantly limiting proper XSS testing.

Fiddler works great, unless you test SSL protected sites,
which is the majority of what I work on. btw// If we can
get the OK from Microsoft, we want to dump the fiddler code
into our .NET proxy (see Paraegis project/BlackHat Europe
2006) we just released as we have support for SSL built in,
and it would significantly extend Fiddler.

Ecyware GreenBlue Inspector is another very nice IE-interface
for testing web applications. The GUI is very fast and simple
for testing things like XSS, SQL injection, and method enforcement.

If you want a local proxy, there are a ton out there for free
or low prices, with a wide array of strengths and weaknesses:
-OWASP WebScarab
-Paros
-Watchfire Powertools (nice free windows proxy)
-Burp Suite (one of the best GUI fuzzers around built in)
-Odysseus (I personally don't like the GUI)
-there are probably 15 more and new projects keep cropping
up all the time.

I'm almost done with the third version of the OWASP tools list
which will be in PDF, and has a ton of these type of tools
categorized by testing features.

-ae

> -----Original Message-----
> From: Richard M. Smith [mailto:rms_at_computerbytesman.com]
> Sent: Sunday, April 09, 2006 9:23 AM
> To: webappsec_at_securityfocus.com
> Subject: RE: Web Browser For Penetration Test
>
>
> Here's the IE tool that I use:
>
> http://www.fiddlertool.com/fiddler/
>
> Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic
> between your
> computer and the Internet. Fiddler allows you to inspect all
> HTTP Traffic,
> set breakpoints, and "fiddle" with incoming or outgoing data.
> Fiddler is
> designed to be much simpler than using NetMon or Achilles,
> and includes a
> simple but powerful JScript.NET event-based scripting subsystem.
>
>
> Its biggest limitation is that it doesn't do HTTPS.
>
> Richard
>
> -----Original Message-----
> From: nimdA [mailto:nimda1_at_gmail.com]
> Sent: Saturday, April 08, 2006 6:47 AM
> To: webappsec_at_securityfocus.com
> Subject: Web Browser For Penetration Test
>
> Dear All
>
> I'm looking for web browser that help me in penetration testing of web
> applications, there are a lot of scanning tools, but I'm
> looking for a basic
> web browser which allow me to control all the data that send
> to or receive
> from the web server.
>
> There are some grate tools like minibrowser, but with complex
> application it
> did not work fine unless you use "Internet Explorer" as a
> browser, and you
> will lose the benefits of this browser.
>
> Unfortunately, I can't find other browser that does the same thing.
> What I'm looking for is a simple application, before send or
> receiving any
> value from the web server asks the user to confirm that data
> that will send
> or will receive, not more then that.
>
> So, If any one know some software or IE plug-in or client
> proxy that will
> help me on this, please send it.
>
> Thanks.
>
> --------------------------------------------------------------
> -----------
> Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web
> application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. Change
> the way you
> think about application security testing - See for yourself.
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300
000007kaF
--------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Apr 10 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos