
Re: [WEB SECURITY] Log requests and reply it again automatically




Hi Gleb,

There are a number of functional testing tools that aren't browser tied and will let you perform arbitrary GET and POST requests, see:
- htmlunit.sf.net
- webtest.canoo.com (uses htmlunit under the covers but makes it easier to use and lets you write tests in XML instead of Java)
- jwebunit.sf.net (also uses htmlunit, but wraps it into less verbose Java)
- grails.codehaus.org (a complete web app framework in Groovy, uses groovy to wrap Canoo webtests)


All of the above use HtmlUnit as the engine and parser for responses. The disadvantage of this (from a functional testing point of view) is that the JavaScript support is not great. HtmlUnit uses the Rhino parser which is improving but won't match an actual browser instance for support. But if you're doing security tests, this shouldn't matter too much.

I'd recommend Canoo WebTest if you're undecided as it's got a lot of developer support and is both flexible and easy to use for non-programmers.

<self plug>
Security Testing Applications through Automated Software Tests:
http://research.corsaire.com/whitepapers/060531-security-testing-web-applications-through-automated-software-tests.pdf
</self plug>

Stephen


On Jan 10, 2008, at 8:13 PM, Gleb Paharenko wrote:

Hi.

I've been researching a simple task:

record all raw user requests to the server with POST data and headers.
Then repeat them, perhaps modifying some parameters like the session id.
It could be useful to test whether some actions which were recorded under
a privileged account are available under an unprivileged account.

Tools like Selenium or other browser-oriented stuff which logs clicks
on buttons are unusable, because in the unprivileged interface these
buttons might not exist; however, a direct POST to the URL can work.

I've checked WebScarab, BurpSuite, Paros, w3af (spiderMan plugin)
and did not find any reasonable solution. With the first three of them
I've been able to manually repeat a request, however for a site with
hundreds of links it is time consuming.

The only way to automate this process was exporting messages from
Paros, then some scripting to get the requests, modify the session id,
repeat them against the server and scan through the answers by eye. It was
several times faster than manual requests from the graphical interface of
these tools.

Question:
Is it possible to do this simple task with some tool, to minimize
scripting and not reinvent the wheel?
Is there a good command line XSS/SQLi checker which can read raw
requests with marked parameters to fuzz (like in Burp Suite), fuzz the
URL, and analyze responses to find problems?

w3af seems a good tool, however I've not dug deep into it yet. If it
can do all the stuff mentioned above, please point me to the right plugins.
Surely there should be a discovery plugin which can just read a raw
request, but I have not found it!

Thanks all.


-- Best regards. Gleb Pakharenko. http://gpaharenko.livejournal.com
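The record-and-replay check described in the message above, as an added Python example that is not part of either message or of any of the tools named: it parses raw requests the way a proxy exports them, replaces only the session cookie, sends each request under both sessions and compares the responses. The server stand-in `fake_send`, the cookie name `sid`, the session values and the recorded requests are all constructed for the example; in real use `send` would be a function that performs the HTTP against your own test instance.

```python
import re

def parse_raw_request(raw):
    """Raw HTTP/1.1 request as exported by a proxy (CRLF or LF) -> (method, path, headers, body)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    lines = parts[0].splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, parts[1] if len(parts) > 1 else ""

def with_session(req, cookie, value):
    """Copy of req with only the named session cookie replaced; other cookies are kept."""
    method, path, headers, body = req
    pattern = rf"(^|;\s*){re.escape(cookie)}=[^;]*"
    new = re.sub(pattern, lambda m: f"{m.group(1)}{cookie}={value}", headers.get("Cookie", ""))
    return method, path, {**headers, "Cookie": new}, body

def verdict(priv, unpriv):
    """Compare (status, body) from both sessions; an identical response means the action needs no privilege."""
    if unpriv[0] in (401, 403):  # extend with your app's login redirect if it uses one
        return "DENIED"
    return "SUSPECT" if unpriv == priv else "DIFFERENT"  # DIFFERENT: inspect by hand

def replay(raw_requests, send, cookie, low_priv_value):
    """send(req) -> (status, body) does the HTTP; returns {'METHOD path': verdict}."""
    results = {}
    for raw in raw_requests:
        req = parse_raw_request(raw)
        results[f"{req[0]} {req[1]}"] = verdict(send(req), send(with_session(req, cookie, low_priv_value)))
    return results

# Constructed stand-in for the server under test: /admin/export has no authorization check.
def fake_send(req):
    _method, path, headers, _body = req
    m = re.search(r"sid=([^;]*)", headers.get("Cookie", ""))
    sid = m.group(1) if m else ""
    if path == "/admin/delete":
        return (200, "deleted") if sid == "ADMIN-SESSION" else (403, "forbidden")
    if path == "/admin/export":
        return 200, "id,name\n1,alice"
    return 200, f"profile of {sid}"

RECORDED = [  # constructed proxy export: three requests captured in the admin session
    "POST /admin/delete HTTP/1.1\r\nHost: app.example\r\nCookie: theme=dark; sid=ADMIN-SESSION\r\n\r\nid=7",
    "GET /admin/export HTTP/1.1\r\nHost: app.example\r\nCookie: sid=ADMIN-SESSION\r\n\r\n",
    "GET /profile HTTP/1.1\nHost: app.example\nCookie: sid=ADMIN-SESSION\n\n",
]
```

`replay(RECORDED, fake_send, "sid", "USER-SESSION")` flags `/admin/export` as SUSPECT because the low-privilege session receives byte-for-byte the same response as the admin session, while the protected delete is reported as DENIED.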

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




Brought to you by http://www.webappsec.org