RE: Web Application Testers.

From: Ockens Thomas (Thomas.Ockensat_private)
Date: Tue Sep 25 2001 - 05:49:09 PDT

    (note - I've taken vuln-dev out of the CC-list, as this seems just the
    tiniest bit more suitable for pen-testers)
    
    > FYI, AppScan breaks/subverts web applications - there are plenty of tools
    > to break web servers (apache/IIS), but it looks like appscan is on its own
    > on the test-the-bespoke-web-app front.
    
    I'm not a hundred percent sure if hailstorm has been considered, but have a
    look, or take an evaluation copy for a test drive at
    http://www.clicktosecure.com/products/index.html
    
    also, HSC's babelweb can possibly be used for subverting web applications - the
    least it does is a good deal of enumeration: 
    (from the web site)
    
    	"Babelweb is a program which allows to automate tests on a HTTP
    server. It is able to follow the links and the HTTP redirect but it is
    programmed to remain on the original server. 
    The main goal of babelweb is to obtain informations about a remote web
    server and to sort these informations. It is thus possible to draw up the
    list of the accessible pages, the cgi scripts met, the various files found
    like .zip, .pdf..."
    ..get it from here: http://www.hsc.fr/ressources/outils/babelweb/
    
    
    As additional ideas, you may want to look into tools such as RFProxy[1],
    Achilles[2] or subweb[3] when breaking web apps; I found Achilles invaluable
    when needing on-the-fly substitution of authentication cookies for a web
    board, which in a fashion was a bit like breaking it.
    
    As 'web apps' seems to be pretty huge a field, breaking them might involve
    low-level stuff such as a spoofed IP, referrer or somesuch, or SQL
    injection, overly long input in forms, exploitation of site-design specific
    bugs (is the interface plain html w/ cgi?  is it PHP?  is the PHP possibly
    derived from a known buggy app?), so I estimate there's currently no tool
    remotely capable of emulating the brains of an experienced human web app
    breaker (for lack of a better word)
    
    good luck
    
    
    thomas
    ---
    [1] (not released yet? - not sure - see http://www.wiretrip.net/rfp)
    [2] http://www.digizen-security.com/projects.html
    [3] http://www.hsc.fr/ressources/outils/subweb/index.html.en
    