In association with heise online

Toolbox

Various specialized proxies between the browser and the actual network connection on the user's system provide valuable support in manipulating input parameters. Configuration is easy: all you have to do is enter the proxy with the respective port (see the README file) in the browser's presets and run it.

Any proxy further down the chain must not be forgotten; otherwise nothing will work. PenProxy takes it on the command line with the following syntax:

java -jar penproxy.jar 8088 other-proxy-name:port

The syntax is similar for other tools. On request, they intercept GET and POST requests so you can adapt the data to be transmitted. The changes affect all of the data in a request, including the header and any cookies attached -- ideal if you want to try out something new. Assume the application switches its language based on the Accept-Language value transmitted in the header. How does it react if the header contains something other than expected strings such as English or German? Perhaps it is reading from this directory ...

GET /help?doc=passwd HTTP/1.0
Host: www.my-server.co.uk
Accept-Language: ../../../etc
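As an added illustration from the defending side (not code from the article or from any of the proxies it describes), here is a small Python handler for the /help request above that treats Accept-Language purely as an allowlist lookup and confines the doc parameter to its document root; the request text, the supported languages en and de, and the docroot /srv/help are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

RAW_REQUEST = (  # constructed sample, modelled on the request quoted in the article
    "GET /help?doc=passwd HTTP/1.0\r\n"
    "Host: www.my-server.co.uk\r\n"
    "Accept-Language: ../../../etc\r\n"
    "\r\n"
)
SUPPORTED_LANGS = {"en", "de"}  # assumed set of shipped translations
LANG_TAG = re.compile(r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*")  # shape of a tag such as en or de-DE
DOC_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # help page names: no slashes, dots or NUL bytes

def parse_request(raw):
    """Split a raw HTTP/1.x request into (path, params dict, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    url = urlsplit(request_line.split(" ")[1])
    params = dict(parse_qsl(url.query))  # percent-decodes, so %2e%2e becomes ..
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return url.path, params, headers

def choose_language(accept_language):
    """Map Accept-Language to a supported language via an allowlist (never a path); default en."""
    for entry in accept_language.split(","):
        tag = entry.split(";")[0].strip()  # drop ;q= weights
        primary = tag.split("-")[0].lower()
        if LANG_TAG.fullmatch(tag) and primary in SUPPORTED_LANGS:
            return primary
    return "en"

def resolve_doc(docroot, lang, doc):
    """Return the help file for (lang, doc), or None if doc is malformed or escapes docroot."""
    if not DOC_NAME.fullmatch(doc):
        return None
    base = Path(docroot).resolve()
    candidate = (base / lang / f"{doc}.html").resolve()
    return candidate if base in candidate.parents else None  # containment after canonicalisation

def handle_request(raw, docroot="/srv/help"):
    """Serve /help?doc=...: returns (status, resolved file path or None)."""
    path, params, headers = parse_request(raw)
    lang = choose_language(headers.get("accept-language", ""))
    target = resolve_doc(docroot, lang, params.get("doc", "index"))
    return (200, str(target)) if target else (400, None)
```

With the request above, the traversal string in Accept-Language simply falls back to the default language, and a doc value such as ../../../etc/passwd (encoded or not) is refused before any file is opened.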

With PenProxy [6] from Innocent Code author Huseby [7], you get a "man in the middle" that is quite simple but fully sufficient for many purposes -- just not for HTTPS connections, which PenProxy cannot handle. But it can limit the requests to be intercepted to certain domains and ignore file types such as .jpg. A log file records all requests if so desired. Furthermore, the Set no-cache option automatically sets the Pragma header to prevent caching.

[Image 4: Pen testers can use PenProxy to display the data exchange]

In contrast, the Burp proxy [8] works just as well with HTTPS as it does with normal HTTP connections and also supports the authentication of downstream proxies and web servers. In combination with a hex editor, binary data are also easy to modify. Most of all, the substitution based on regular expressions is a great help in automatically adapting requests and responses. What's more, all changes are cached on request and available directly in your browser via http://burp.

In addition to these basic functions, Paros [9] offers a "spider" that finds interesting parameters and URLs reserved for administrators. URLs gleaned through requests also appear in a tree diagram. Furthermore, some tests for typical vulnerabilities such as SQL injection and directory browsing are integrated, which Paros can apply either to individual nodes or to all nodes. A converter can generate hash codes (SHA1, MD5) and Base64 / URL encodings -- and, in the latter two cases, decode them again.

WebScarab [10] is developed by OWASP (Open Web Application Security Project) and also includes a spider. Unlike the other proxies, WebScarab can handle manipulations of PUT, DELETE, and CONNECT requests. The software is rounded off by a comprehensive tool for the analysis of session IDs that charts the development of session IDs in cookies over time.

All of the proxies presented here are either freeware or Open Source and implemented in Java. To use them you need at least version 1.4 of the Java Runtime Environment (JRE). Unlike free proxies, Burp Intruder [11] costs money: this tool automates the time-consuming task of testing the extent of a Web application's parameter ranges.

Practice makes perfect.

Penetration tests of Web applications also take some practice. In addition to the application created for your own server, which you can gradually improve during the tests, the OWASP project's weak spot server WebGoat [12] is also useful. In several steps, you can develop your own abilities in detecting and exploiting security holes. (dab)

References

[1] Attacks on web clients with cross-site scripting and cross-frame scripting

[2] SQL Injection: Attack and Defence

[3] Advanced SQL Injection

[4] Manipulating SQL Server Using SQL-Injection

[5] Brute Force Exploitation of Session IDs

[6] PenProxy

[7] Innocent Code: A Security Wake-up Call for Web Programmers

[8] Burp proxy

[9] Paros Proxy

[10] WebScarab

[11] Burp intruder

[12] Webgoat
