
[WEB SECURITY] Log requests and replay them again automatically



Hi.

I've been researching a simple task:

record all raw user requests to the server with POST data and headers.
Then repeat them, perhaps modifying some parameters like the session id.
It could be useful to test if some actions which were recorded under a
privileged account are available under an unprivileged account.

Tools like Selenium or other browser-oriented stuff which logs clicks
on buttons are unusable, because in the unprivileged interface these
buttons might not exist; however, a direct POST to the URL can work.

I've checked WebScarab, BurpSuite, Paros, w3af (spiderMan plugin)
and did not find any reasonable solution. With the first three of them
I've been able to manually repeat a request; however, for a site with
hundreds of links it is time consuming.

The only way I found to automate this process was exporting messages from
Paros, then some scripting to get the requests, modify the session id,
repeat them against the server and scan through the answers by eye. It was
several times faster than manual requests from the graphical interface of
these tools.

Questions:
 Is it possible to do this simple task with some tool, to minimize
scripting and not reinvent the wheel?
 Is there a good command-line XSS/SQLi checker which can read raw
requests with marked parameters to fuzz (like in Burp Suite), fuzz the
URL, and analyze responses to find problems?

w3af seems a good tool; however, I've not dug deep into it yet. If it
can do all the stuff mentioned above, please point me to the right plugins.
Surely there should be a discovery plugin which can just read a raw
request, but I have not found it!

Thanks all.


-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
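The workflow described in the post (export recorded raw requests, swap the session id, replay, compare the privileged and unprivileged answers) can be scripted in a few dozen lines. The following is an added example, not the poster's script and not a feature of Paros, Burp or w3af. It assumes a constructed log format where recorded raw HTTP requests are separated by a line of `====`, a session cookie named `SESSIONID`, and a toy in-memory `toy_server` standing in for the real application so it runs offline; replace `toy_server` with a function that actually sends the request (for example over `http.client`) to use it against your own test environment.

```python
"""Replay recorded raw HTTP requests under a second session and flag responses
that are identical to the privileged run (candidate access-control gaps).
Added example; the log separator, cookie name and toy server are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class RawRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    method: str
    path: str
    priv_status: int
    unpriv_status: int
    identical: bool  # True when status and body match across both sessions


Response = Tuple[int, str]            # (status code, body)
Transport = Callable[[RawRequest], Response]


def split_raw_log(log: str) -> List[str]:
    """Split an exported log into raw requests; '====' lines are the assumed separator."""
    return [c.strip() for c in re.split(r"^={4,}$", log, flags=re.M) if c.strip()]


def parse_raw_request(text: str) -> RawRequest:
    """Parse one raw HTTP/1.x request: request line, headers, blank line, body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return RawRequest(method, path, headers, body)


def parse_cookies(header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; order is preserved."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def with_session(req: RawRequest, cookie_name: str, session_id: str) -> RawRequest:
    """Copy of req whose Cookie header carries a different session id; other cookies kept."""
    cookies = parse_cookies(req.headers.get("Cookie", ""))
    cookies[cookie_name] = session_id
    headers = dict(req.headers)
    headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return RawRequest(req.method, req.path, headers, req.body)


def replay_and_compare(log: str, cookie_name: str, priv_sid: str,
                       unpriv_sid: str, send: Transport) -> List[Finding]:
    """Replay every recorded request under both sessions and record whether the
    answers are identical. An identical answer is a candidate to review, not proof:
    pages that are public for everyone will also show up as identical."""
    findings = []
    for raw in split_raw_log(log):
        req = parse_raw_request(raw)
        p_status, p_body = send(with_session(req, cookie_name, priv_sid))
        u_status, u_body = send(with_session(req, cookie_name, unpriv_sid))
        findings.append(Finding(req.method, req.path, p_status, u_status,
                                p_status == u_status and p_body == u_body))
    return findings


# Constructed stand-in for the target: 'admin1' is the privileged session.
def toy_server(req: RawRequest) -> Response:
    is_admin = parse_cookies(req.headers.get("Cookie", "")).get("SESSIONID") == "admin1"
    if req.path == "/admin/users":
        return (200, "user list") if is_admin else (403, "forbidden")
    if req.path == "/admin/delete_user":   # constructed flaw: role check missing
        return (200, "deleted " + req.body)
    if req.path == "/profile":
        return (200, "profile")
    return (404, "not found")


# Constructed sample of an exported request log (three requests, one separator line each).
RECORDED_LOG = """GET /admin/users HTTP/1.1
Host: example.test
Cookie: SESSIONID=admin1; theme=dark
====
POST /admin/delete_user HTTP/1.1
Host: example.test
Cookie: SESSIONID=admin1
Content-Type: application/x-www-form-urlencoded

uid=42
====
GET /profile HTTP/1.1
Host: example.test
Cookie: SESSIONID=admin1
"""

if __name__ == "__main__":
    for f in replay_and_compare(RECORDED_LOG, "SESSIONID", "admin1", "user1", toy_server):
        mark = "REVIEW" if f.identical else "ok"
        print(f"{mark:6} {f.method} {f.path} priv={f.priv_status} unpriv={f.unpriv_status}")
```

Keeping the transport as a parameter is what makes the comparison testable without a network: the same `replay_and_compare` runs unchanged against the toy server or against the real application. In the sample run the `/admin/users` request is correctly refused for the unprivileged session, `/admin/delete_user` answers identically under both sessions (the constructed missing role check), and `/profile` is also identical but is simply a page both roles may see, which is why the output marks candidates for review rather than declaring findings.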

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org