OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Sahlberg, Jeremiah (JJDSPARA-PROTECT.COM)
Date: Mon Apr 02 2001 - 17:39:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    This looks interesting. It has many of the same features of Achilles, but
    it does it through the browser. I really like the "learn" mode. It is nice
    to be able to walk through the application and then come back and visit the
    interesting spots.

    One note, I had to install the HTML:Parser perl mod to get it to work. This
    may need to be added to the README.

    TESTED on Redhat 2.2.12 perl 5.005_03

    Cheers,

    Jeremiah

    -----Original Message-----
    From: Lluis Mora [mailto:llmoraS21SEC.COM]
    Sent: Tuesday, March 27, 2001 1:08 PM
    To: PEN-TESTSECURITYFOCUS.COM
    Subject: [PEN-TEST] HTTPush - a web server/application audit helper

    Hi all,

    Lately I've been working on a tool that will help (or at least try to) when
    auditing HTTP applications by showing the user exactly what is being sent to
    the remote host and allowing the real-time modification of that data
    (headers, cookies, method, protocol, post data, etc.) before it's actually
    sent to the server.

    This tool, HTTPush, works as a HTTP/HTTPS proxy server and intercepts all
    the requests sent from the client to the server, optionally recording them
    to file for analysis.

    Some of its features are:

    - On the fly HTTP request review and modification
    - Lynx, Internet Explorer and Netscape proxy support
    - HTTPS support (through OpenSSL, http://www.openssl.org)
    - Sticky headers and cookies
    - Session recording and reviewing

    It's not a CGI vulnerability scanner, but a helper for manually conducted
    application audits.

    At the moment the analysis is performed by the user, and HTTPush is just a
    nice interface to HTTP, but support for automated "common" vulnerability
    checking is being worked on, such as checking for cross-site scripting
    vulnerabilities, ../ checks, shell metacharacters embedded in a request,
    etc.

    Anyway, I think it's a nice tool that eases discovering new vulnerabilities
    in HTTP applications and servers, a good replacement for tcpdump + nc or
    HTML source form fields tracing, and nowadays when nearly everyone's got a
    website with custom applications it's a good place to look for when doing a
    pen-test.

    It's free, and you can get the latest version (v0.9b8) from:

      http://www.s21sec.com/download/httpush-current.tar.gz

    It's written in perl, so it should work on any platform perl runs on, though
    it's only been tested under Linux.

    Cheers,

    Lluis Mora llmoras21sec.com
    S21SEC