4:27 PM -- A couple of weeks ago, I covered Firefox extensions Tamper Data, Firebug, and Web Developer, which can help security professionals test the security of Web applications in their organizations (See How to Turn Your Browser Into a Weapon.) The fun isn't limited to Firefox users, though.
In that previous blog post, I referenced Tamper Data as a potential replacement for Paros Proxy and the Burp Suite, but it doesn't come close to providing all the features they possess nor does it work with other browsers. Paros Proxy, Burp Suite, and WebScarab sit in front of any Web browser, or even command-line tools like wget and curl, acting as a HTTP(S) proxy with the capability of modifying both requests and responses.
You can use regular expressions to identify what to modify, and the scripts then automate the tampering process. (A quick related note: I previously stated that Tamper Data modified by request and responses, but my good friend, Jordan Wiens, reminded me that it only allows request modification.)
Paros, Burp, and WebScarab don't stop at just modifying HTTP(S) traffic, but they also include great features like spidering Websites, fuzzing, and testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Using the spidering functions of Paros and then scanning those pages for SQL injection and XSS vulnerabilities has been surprisingly accurate. When I tested a couple of commercial Web application vulnerability scanners about a year and a half ago, Paros actually found a few XSS vulnerabilities that two of three major scanning tool vendors missed. I was quite impressed and the vendors were quite surprised, to say the least.
It takes a good understanding of the HTTP protocol and how Web applications work to use these tools successfully, but even if you're not all that familiar with Web technology, spending some time with these tools while browsing your company's Website will have a huge impact on your understanding of the tools, HTTP, and your Website. If you want to get more familiar with Web application security or Web hacking, take a look at blogs from some of the current pioneers Jeremiah Grossman, Robert "RSnake" Hansen, and Petko D. Petkov "pdp". Once you think you've got the hang of HTTP and some of the tools, try out some of the free Web hacking training sites like Hack This Site, OWASP WebGoat, and Foundstone's "Hacme" series.
Web application security is definitely gaining in popularity as more and more applications move to the Web, and as the hacking tools available become more advanced. It is part art and part science, and requires lots of patience and ingenuity to become masterful. Having the right tools certainly help make the journey less painful. So take a look at Paros Proxy, Burp Suite, and WebScarab, then let me know which one you like best and why.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading