OSEC

From: Dennis Groves (dennis_at_whitehatsec.com)
Date: Thu Sep 19 2002 - 09:37:44 CDT


    Arsenal was designed to do black box testing of web-based CGI (Perl, C,
    ASP and whatever), by people who do black box testing of web
    applications for a living. Clearly this is not the best way to do
    security engineering, but unfortunately that is what customers want to
    know, and companies like guardant have built very successful businesses
    around this model.

    Arsenal is not a shiny red button, it is a completely manual process -
    however it gives us complete control over the entire assessment
    process. Everything can be modified, from headers, methods, cookies,
    input, output - everything. Arsenal is more like an HTTP API, for lack
    of a better analogy. We like to think of it as a "toolbox" not a
    "hacker in a box".

    This is what you do:
       1. Create a session for your assessment.
       2. Spider the site.
       3. Enter a URL that posts data to a CGI you want to test, and press
          "ripper".
       4. You should now have a form that has every hidden value as well as
          all other inputs to that CGI.
       5. You can now place data into that CGI that it presumably would not
          expect.

    While Arsenal will not auto-find anything, using it you can find things
    no other tool will. We are hard at work making it more sexy, and adding
    automated features. We also welcome any feedback you have for us.

    Arsenal can be found at http://community.whitehatsec.com/

    I have a collection of tools that I keep in my tool box:

    arirang-1.6
    Arsenal
    elza-1.4.7-beta Folder
    HTTP Debugger
    httpush-0.9b11
    nc110 Folder
    nikto-1.10
    pudding01 Folder
    saint-3.5.1
    sara-3.6.2
    screamingCobra-1.04
    screamingCSS1.02
    Whisker v1.4

    Spike is a much more automated tool, if that is what you are looking
    for, but it sounds like you want a more manual drive - that is our
    product. There is however one other tool that is completely manual
    drive that I also use: elza. Be sure to take a look at that one as well
    - its focus is quite a bit different - you actually interact with the
    CGI programmatically as though you were writing a program in an
    interpreted language - quite useful - but again very, very manual.
    The rest of the tools are more automatic, and a couple are well known -
    but for the most part they are very "obscure" - search Google - if you
    don't find the current version, I will be happy to email them to you.

    Dennis Groves

    Just so you know I am biased:
    I am Co-founder, OWASP.
    Director of Security Consulting, CenterStance. (my own company)
    Chief Web Application Security Consultant for Whitehat Security.
    I also worked for Sanctum, and had a role to play in AppScan.

    --
    "Every security scheme that is based on secrets eventually fails"  -- 
    Steve Jobs
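The "ripper" step in the post above is, mechanically, just parsing every form on a page and listing all of its inputs, hidden ones included. The following is an added example (not Arsenal's code, nor anything from the original post) that does that with Python's standard-library HTML parser on a constructed checkout page, to make the defensive point concrete: a hidden field such as a price is a client-supplied parameter like any other, so the server must re-derive it rather than trust it. The page URL, form action and field names are all made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormRipper(HTMLParser):
    """Collect every <form> on a page together with all of its named fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url   # used to resolve relative form actions
        self.forms = []
        self._current = None       # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "select", "textarea"):
            if a.get("name"):  # unnamed controls (e.g. a submit button) are never sent
                self._current["fields"].append({
                    "name": a["name"],
                    # <input> defaults to type=text; select/textarea report their tag
                    "type": (a.get("type") or "text") if tag == "input" else tag,
                    "value": a.get("value") or "",
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def rip_forms(html, base_url):
    """Return a list of {action, method, fields} dicts, one per form."""
    parser = FormRipper(base_url)
    parser.feed(html)
    return parser.forms


def hidden_fields(form):
    """Name -> value for every hidden input: the values a client can freely rewrite."""
    return {f["name"]: f["value"] for f in form["fields"] if f["type"] == "hidden"}


# Constructed sample page (hypothetical shop); the price lives in a hidden field.
SAMPLE_HTML = """<html><body>
<form action="/cgi-bin/checkout.pl" method="post">
  <input type="hidden" name="item_id" value="1138">
  <input type="hidden" name="price" value="19.99">
  <input name="qty" value="1">
  <select name="coupon"><option value="">none</option></select>
  <input type="submit" value="Buy">
</form></body></html>"""
```

Running `rip_forms(SAMPLE_HTML, "https://shop.example/cart")` yields one POST form to `/cgi-bin/checkout.pl` with four sendable fields, and `hidden_fields()` on it shows `price` sitting beside the user-editable ones.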