SecurityFocus Penetration Re Web Application Penetration Testing by yaofenjin


									             SecurityFocus Penetration: Re: Web Application Penetration Testing Tools

    Re: Web Application Penetration Testing Tools

Source: http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2003-10/0060.html


From: Daniel Nylander (mail-lists_at_lidkoping.net)
Date: 10/08/03

To: <pen-test@securityfocus.com>
Date: Wed, 8 Oct 2003 19:44:05 +0200



I used to work with performance testing of large web applications such as
Internet banks etc.
We used our self-developed tool called PureLoad. PureLoad is a load
generator written entirely in Java.
PureLoad has a built-in proxy which records all traffic and all variables
sent in and out of a web application.
It gives you an (almost) complete overview of the traffic between browser and
web server (even HTTPS).
Download and test for yourself. There should be a 30-day evaluation
version:
http://www.pureload.com/

Cheers,
Daniel

----- Original Message -----
From: "Bill Pennington" <billp@boarder.org>
To: "Brian E" <brian_anon@hotmail.com>
Cc: <pen-test@securityfocus.com>
Sent: Wednesday, October 08, 2003 6:06 PM
Subject: Re: Web Application Penetration Testing Tools

> I think you are going to need to use a proxy based tool. Rewriting HTML
> and embedding it in more HTML like you have to do with browser based
> tools is extremely difficult. Javascript, Frames, Style sheets etc...
> can all mess with the rendering.
>
> Not to mention sites that do crazy things like having multiple <body>
> tags, yes I am working on a site that has that now...
>
> I posted a message a while back about proxy based tools on the
> Webappsec list. Tools to look at are Achilles, Webscarab/exodus, Spike
> proxy, and penproxy. There are a number of others.
>
> On Tuesday, October 7, 2003, at 06:24 PM, Brian E wrote:
>
>>
> > When performing penetration testing of web applications I have used a
> > minibrowser from www.aignes.com for a very long time.
>>
> > This simple application allows me to browse a web application and
> > easily see links, form elements, cookies, a log of actual commands
> > being sent back and forth and more. The ability to manipulate cookies
> > and form elements makes it very useful.
>>
> > Unfortunately, its support as a web browser is limited so I can't
> > test all web applications (such as embedded scripts and frames).
>>
> > Does anyone know of some other good tools for auditing web
> > applications with the ability to manipulate form data and cookies
> > before being sent to the server?
>>
> > Preferably, I'm looking for something based on Windows that is browser
> > based (as opposed to proxy based) but am still open to all platforms
> > and methods.
>>
>>
>>
>>
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>