December 4, 2008
Building a Security Tool Chest
Part 3 – Web App Testing Tools
Tamper Data
– A Firefox plug-in that allows inline capture and modification of outgoing HTTP requests.
Instead of relying on Javascript to modify the DOM before a form or query is submitted
you are able to trap the request, edit it (including adding completely new fields)
and forward it to the server. This can allow a tester to bypass all client-side filtering
and verification a web application may have.
User Agent Switcher
– A Firefox plug-in that allows a tester to quickly change the User-Agent string submitted
by the browser when a request is made. Normally this is not terribly exciting but
some websites have been coded to allow search bots access to otherwise restricted
pages. By emulating the agents used by Google, Yahoo or MSN a tester may be able to
gain access to otherwise unavailable files and content.
RefControl –
Similar to UAS, this Firefox plug-in allows the tester to easily change the HTTP Referrer
string on a per-site basis. Some poorly written sites and applications use the referrer
field to verify the user is coming from a specific location as the security check
for allowing access to pages. Using RefControl this can easily be spoofed and allow
a tester to bypass the login page.
ChickenFoot or Greasemonkey –
These two Firefox plug-ins allow the tester to customize the scripting environment
within the browser to manipulate the way pages are rendered. Both allow custom third
party scripts to be executed once a page or application is loaded into the browser.
This can allow a tester to debug or even break scripts and the DOM for the content
being displayed.
Websites:
myIPNeighbors.com – This website allows
a tester to determine if other domains are being hosted on the same IP address as
their target site. It is most useful when the target is located at a hosting provider
as they tend to run numerous domains on a single IP address.
Standalone Apps:
Nmap –
While not a web application testing tool in the traditional sense, nmap does have
a small place in the world of web app testing. It may help identify the version of
the web server running on the target system if the site has been configured to suppress
banner displays. Additionally it can usually ID the operating system of the target
which can further help identify the possible versions of the services on the system.
Wiktoand Nikto –
Open source web server scanners that check for a large number of common vulnerabilities.
They include the GHDB library
of attacks, server fingerprinting, directory spidering, SSL support and detailed reporting
capabilities.
Acunetix WVS – A web
application scanning software that crawls a site or app looking for common files and
vulnerabilities. There is both a free and commercial version of the tool available.
The free scanner only checks for XSS vulnerabilities whereas the commercial version
attempts to locate common config files, backup versions of files, SQL injection, XSS
and more.