hacking news for Educational aims
A Web Application Hacker’s Toolkit
Integrated Testing Suites
After the essential web browser, the most useful item in your toolkit when
attacking a web application is an intercepting proxy. In the early days of web
applications, the intercepting proxy was a standalone tool that provided minimal
functionality. The venerable Achilles proxy simply displayed each request and
response for editing. Although it was extremely basic, buggy, and a headache
to use, Achilles was sufficient to compromise many a web application in the
hands of a skilled attacker.
Over the years, the humble intercepting proxy has evolved into a number
of highly functional tool suites, each containing several interconnected tools
designed to facilitate the common tasks involved in attacking a web application.
Several testing suites are commonly used by web application security testers:
- Burp Suite
- WebScarab
- Paros
- Zed Attack Proxy
- Andiparos
- Fiddler
- CAT
- Charles
These toolkits differ widely in their capabilities, and some are newer and
more experimental than others. In terms of pure functionality, Burp Suite is
the most sophisticated, and currently it is the only toolkit that contains all the
functionality described in the following sections. To some extent, which tools
you use is a matter of personal preference. If you do not yet have a preference,
we recommend that you download and use several of the suites in a real-world
situation and establish which best meets your needs.
This section examines how the tools work and describes the common
workflows involved in making the best use of them in your web application testing.
How the Tools Work
Each integrated testing suite contains several complementary tools that share
information about the target application.
A large number of browser extensions are available for Firefox that may be
useful when attacking web applications, including the following:
- HttpWatch is also available for Firefox.
- FoxyProxy enables flexible management of the browser’s proxy configuration,
  allowing quick switching, setting of different proxies for different
  URLs, and so on.
- LiveHTTPHeaders lets you modify requests and responses and replay
  individual requests.
- PrefBar allows you to enable and disable cookies, allowing quick access
  control checks, as well as switching between different proxies, clearing
  the cache, and switching the browser’s user agent.
- Wappalyzer uncovers technologies in use on the current page, showing
  an icon for each one found in the URL bar.
- The Web Developer toolbar provides a variety of useful features. Among
  the most helpful are the ability to view all links on a page, alter HTML
  to make form fields writable, remove maximum lengths, unhide hidden
  form fields, and change a request method from GET to POST.
Chrome
Chrome is a relatively new arrival on the browser scene, but it has rapidly gained
popularity, capturing approximately 15% of the market.
A number of browser extensions are available for Chrome that may be useful
when attacking web applications, including the following:
- XSS Rays is an extension that tests for XSS vulnerabilities and allows
  DOM inspection.
- Cookie editor allows in-browser viewing and editing of cookies.
- Wappalyzer is also available for Chrome.
- The Web Developer Toolbar is also available for Chrome.
Chrome is likely to contain its fair share of quirky features that can be used
when constructing exploits for XSS and other vulnerabilities. Because Chrome
is a relative newcomer, these are likely to be a fruitful target for research in the
coming years.