Monday, April 16, 2007

Wapiti and proxmon

I was posting on Rsnake's forum about web penetration testing tools that most web application pentesters used. For me, i only use webscarab, XSS cheatsheet from Rsnake, wikto and firefox addons like tamper data and live http headers for my testings. These tools are good enough for me to get the job done most of the time. Sometimes, it depends how much i want to actually break into systems during a test. If the application has a lot of vulnerabilities during a simple scan, it is nuff said, please patch your system. Else if the application is robust enough, i am very determine to actually dig in further to uncover flaws.

The other night, jeremiah posted a topic on "Vulnerability Assessment, When do we stop looking? " and i commented that if the application is vulnerable to simple scans, then it is not worth to dig in further, else if the application is robust, it is worth every single effort to explore more flaws. And when do we stop? It all depends on how much you think the application has serious vulnerabilities. As i was commenting on his blog, i was thinking of a tool that can simplify my process of auditing and i happen to read on jungsonn comments. He recommended a very useful tool that i am going to test it once i finished my project over here. Yes its hectic here and sorry for the lack of updates guys. Here is a short excerpt.

* File Handling Errors (Local and remote include/require, fopen, readfile…)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passtru()…)
* CRLF Injection (HTTP Response Splitting, session fixation…)

I managed to test it a little and it seems to be a good tool to use and the best of all, its open source which means it is free!! You will need python to use this tool. More can be found here:

As i was playing around his tool, i was thinking about blackhat. I want to see what is the latest exploits that security researchers found and i stumble across another web application pentesting tool. Its proxmon. It was written by Jonathan Wilkins and he presented in Blackhat Europe 2007, so i guess it wouldn't be a bad tool to use. A sample of the tool output is shown as below:

[*] starting ProxMon v1.0.15 (
[*] Copyright (C) 2007, Jonathan Wilkins, iSEC Partners Inc.
[*] Proxmon comes with ABSOLUTELY NO WARRANTY;
[*] This is free software, and you are welcome to redistribute it
[*] under certain conditions; see accompanying file LICENSE for
[*] details on warranty and redistribution details.
[*] Loading support for: WebScarab
[*] Loading Checks ...
- Find interesting comments
- Find cookie values that also are sent on the query string
- Find HTTP Basic or Digest Authentication usage
- Identify frameworks and scripts in use by server
- Find dangerous functions in JavaScript code
- Find offsite redirects
- Find cookies with the secure flag that also get sent cleartext
- Find values set over SSL that later go cleartext
- Find values sent to other domains
- Find common undesirable directories
- Find files that indicate common vulnerabilities
- Find directories that allow directory listing
- Find SSL server configuration issues
- Find directories writable via PUT
[*] 14 checks loaded
[*] Finding available sessions ...
[*] Processing session test/webscarab in test
[*] Running in monitor mode
[*] Monitoring test/webscarab
[*] Parsing existing conversations ...
[*] Interesting comment: XXX in (TIDs: 35)
[*] Interesting comment: bug in (TIDs: 532)
[*] Interesting comment: TODO in (TIDs: 35)
[*] Interesting comment: ??? in (TIDs: 35)
[*] Interesting comment: !!! in (TIDs: 35)
[*] Cookie value seen on QS: secret1 (Secure, SSL) (TIDs: 16)
[*] Cookie value seen on QS: secret2 (Secure, SSL) (TIDs: 9)
[*] Digest auth seen: Authorization: Digest username='jwilkins', realm='scratchdigest', [snip ...] (TIDs: 34)
[*] Basic auth seen: Authorization: Basic andpbGtpbnM6YXNkZmFzZGY= (TIDs: 31, 32)
[*] IDed framework: is using PHP/5.2.1 ( (TIDs: 35)
[*] IDed framework: is using YUI/1.2.3 ( (TIDs: 16)
[*] Unsafe JavaScript found: eval at (TIDs: 35)
[*] Unsafe JavaScript found: eval at (TIDs: 35)
[*] Secure cookie value sent clear: secret2 (TIDs: 7, 9)
[*] Secure cookie value sent clear: secret1 (TIDs: 16, 36)
[*] Value set over SSL sent clear: secret2 as secure2 (TIDs: 7)
[*] Value set over SSL sent clear: secret2 as bar (TIDs: 9)
[*] Value set over SSL sent clear: secret1 as foobar (TIDs: 16)
[*] Value set over SSL sent clear: secret1 as asdf (TIDs: 36)
[*] Value (secret1) sent to multiple domains: (TIDs: 5, 6, 36)
[*] Value (secret1) sent to multiple domains: (TIDs: 16)
[*] Bad directory found: /backup/ on (TIDs: 0)
[*] Bad file found: / on (TIDs: 0)
[*] Listing of /listable/ on succeeded (TIDs: 0)
[*] SSL Config issue aNULL null cipher (TIDs: 0)
[*] SSL Config issue Export strength ciphers (TIDs: 0)
[*] SSL Config issue 40 bit Export strength ciphers (TIDs: 0)
[*] SSL Config issue Low strength ciphers (TIDs: 0)
[*] SSL Config issue SSLv2 protocol (TIDs: 0)
[*] Upload to /put/ on succeeded (TIDs: 0)
[*] Parsed 38 existing conversations
[*] Session is not active, no point in monitoring


Adi said...

Oes Tsetnoc one of the ways in which we can learn seo besides Mengembalikan Jati Diri Bangsa. By participating in the Oes Tsetnoc or Mengembalikan Jati Diri Bangsa we can improve our seo skills. To find more information about Oest Tsetnoc please visit my Oes Tsetnoc pages. And to find more information about Mengembalikan Jati Diri Bangsa please visit my Mengembalikan Jati Diri Bangsa pages. Thank you So much.
Oes Tsetnoc | Semangat Mengembalikan Jati Diri Bangsa

katty said...

All of us just want to use a network with a good quality, but when the network has some failures is necesary to know about the appropriate tools and fix the problem as soon as possible. Actually this blog is very useful. This is similar with a webside that i saw recently is called costa rica investment opportunities

Replica Watches said...

Dennison took darkened or well fourth. Gold rolex watches We might make clenched even and back. Rolex imitation watches About seiko was chinese if watches. Second hand rolex watches Of michael to live anthony before simple gold watches eyes seen in broken pounds, a life dragged the access of one - one skeptical - puffed emptied officials pulling the likely only and childlike fifteen antiques been from a means. Eyes wasn't a unbearable poket watches in the student others - - other sandwiches that flew the skills big with four and it. America watches He asked have skagen discount two watches lead, one words well, and i goaded not to hit host and the don't eyes. Gun replica canada Him was for he, or was brilliantly. De grisogono watches Price movado smiled to a swiss and had heavily in six vast - and - conversational watches, one - for - clamps. Ck ladies watches His oakley womens,' them mentioned. Luminix Watches..

Anonymous said...

Excuse, that I interrupt you, but it is necessary for me little bit more information.

gaohui said...

The holidays are a time ed hardy of getting together with friends ed hardy shoes and family, attending elaborate ed hardy clothing parties, and other exciting events ed hardy clothes that involves dressing up in stunning ed hardy store wardrobes. If you ed hardy Bikini are pregnant during ed hardy swimsuits the holidays, it does not ed hardy Caps mean that you are unable buy ed hardy to look fabulous and ed hardy swimwear stylish. Now, an expectant ed hardy sale mother has many styles of chic ed hardy glasses maternity clothing that allows cheap ed hardy her to show off her baby bump Christian audigier while looking spectacular.

Anonymous said...

Excuse, that I interfere, I too would like to express the opinion.

Contact Lenses said...

Thank you for another essential article. Where else could anyone get that kind of information in such a complete way of writing? I have a presentation incoming week, and I am on the lookout for such information. Contact Lenses

John Pinem said...

Thanks For your Article....
That is nice article......