Cookie Analysis

March 18, 2007 Tools for Wep App Testing | Comments (3) sid @ 10:18 am

Webscarab is perhaps the only tool i can think of for this. I use this tool to figure out whether the session ids are predictable or not. The ‘visualisation’ feature is just great. Although the interface is not a very well designed and if you are a new user you have difficulties operating this tool but once you learn this tool its very handy. Some other great features include the compare feature which is a bit like ‘diff’ command in unix.

Another feature why i like this tool is for the inbuilt fuzzing module. Just specify the parameter in the request which you want to fuzz and point to the file containing the values, which you would like the paramter to take. Then use the ‘compare’ section to compare different responses and this should indicate whether fuzzing was successful or not. Although this also has a built in proxy feature, but i still prefer burp for proxy may be becuase of the better gui.

For the basic cookie analysis i use a firefox plugin. This plugin allows you to view all the cookies for a partciular domain currently set in your browser, and also allows you to edit them.

Man In The Middle Tools

Tools for Wep App Testing | Comments (0) sid @ 9:59 am

This weekend as i have nothing better to do, lemme talk about my experiences with proxy tools:

  1. Proxy Tool: Parameter Manipulation is a very important stage of web app testing, and without this, the test will be incomplete. I was using tools like Paros and Achillies for achieveing this, but the problem with both of them was they were highly unstable and would crash every now and then. Thus if the customer has asked you to provide all the logs of testing, it would be difficult for you to provide logs if tools were to crash. I currently use Burp Suite. I find it is highly stable and comes with this feature of viewing request/response as text, parameter, and as hex. Viewing request and response as ‘param’ helps me particulary when dealing with asp .net applications becuase of the long value of viewstate and other .net stuff. Another interesting feature of Burp is the repeater module, which could be used to send modified requests to server multiple times. I use this feature mostly to figure out the ‘non essential’ parameters of the unmodified request and then to focus on the essential parametes. Best way to learn the capabilities of this tool is to download it and then play with it. :)