When doing a manual security assessment of a web application you generally only require a web browser and a local proxy server that allows you to trap and modify requests. Aside from those basic tools, there are a few others that come in handy. This page is dedicated to the tools I use, or that I find useful.
The Starting Team
- Mozilla Firefox - If you're not using this browser for your normal browsing activity, you should. There are enough security problems with IE to justify the choice, and if you want to do any security hacking/auditing this will become an invaluable tool. One of the major benefits of Firefox is the large number of extensions available. Here are some useful ones:
- Web Developer - This plugin adds a toolbar full of useful tools for both web developers and web hackers alike.
- SwitchProxy - Quickly and easily switch between your local proxy server and direct connections.
- LiveHTTP Headers - Lets you quickly view the request and response headers to and from your browser without connecting to a local proxy server.
- User Agent Switcher - Lets you quickly and easily change the User-Agent string sent to the web server. Some apps generate different output depending on the browser type, so a different User-Agent can exercise a different chunk of server-side code, and that code is worth testing too.
- My full Firefox extensions list - There are additional extensions I use, but they don't really belong in this list.
- Burp Proxy - Burp Proxy is my primary manual attacking tool and is actually designed specifically for web app hacking. Note: Requires a working Java environment.
- ntoinsight and ntoweb - ntoinsight is a great crawler that will inventory the site and generate a cool report of the attackable locations on the site. Adding ntoweb allows it to execute the nikto checks and add the findings to the report.
- Cross Site Scripting cheatsheet - This appears to be the definitive list of XSS vectors: ways to get script past various input validation filters and to make sure the resulting injection does what you want.
- MD5 Hash Lookup - When you discover an MD5 hash, this is the fastest way to find the string that produced it. It is not "decrypting" (MD5 is a one-way hash); instead the site builds a huge database of common strings/passwords and their MD5 hashes and lets you search the pre-generated hashes for a possible match. Anything salted or uncommon will simply not be in the table.
- Google - Need I explain what an awesome resource this is?
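To make the MD5 lookup idea concrete, here is a small Python version of what such a site does behind the scenes. This is an added example written for this page, not code from any lookup service; the wordlist is constructed for the demo, and the mutation rules (capitalize, append "1"/"123") are an assumption about what real tables also precompute. It also shows why a per-user salt defeats the whole approach.

```python
import hashlib

# Constructed toy wordlist for the example. A real lookup service builds its
# table from dictionaries and leaked password lists with millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "admin", "monkey"]


def candidates(word):
    """Yield the word plus a few cheap mutations (assumed, typical for real tables)."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"


def build_md5_table(words):
    """Precompute MD5 hex digest -> plaintext for every candidate string.

    Building is the expensive, one-time step; afterwards each lookup is a
    single dict access, which is why these sites answer instantly.
    """
    table = {}
    for word in words:
        for cand in candidates(word):
            digest = hashlib.md5(cand.encode("utf-8")).hexdigest()
            # Keep the first plaintext seen for a digest (e.g. "123456".capitalize()).
            table.setdefault(digest, cand)
    return table


def lookup_md5(table, digest):
    """Return the precomputed plaintext for a hex digest, or None if absent.

    Hex digests are case-insensitive, so normalize before the lookup.
    None means the value was never precomputed, not that it is unbreakable.
    """
    return table.get(digest.strip().lower())


def salted_md5(salt, word):
    """MD5 of salt+word. Any per-user salt makes a table like this useless."""
    return hashlib.md5((salt + word).encode("utf-8")).hexdigest()


TABLE = build_md5_table(WORDLIST)

if __name__ == "__main__":
    # md5("password") is a well-known digest
    print(lookup_md5(TABLE, "5f4dcc3b5aa765d61d8327deb882cf99"))  # password
    print(lookup_md5(TABLE, salted_md5("x7", "password")))          # None
```

Run it and you get a hit for the unsalted hash of "password" and nothing for the salted one, even though the underlying password is identical. When an app you are assessing stores unsalted MD5, every common password in its database is effectively exposed by tables like this.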
Often Benchwarmers, but good to have around
- Paros Proxy - This is another local proxy server that gives you your own man in the middle for recording the full traffic between your browser and the web server. Paros lets you "trap" requests and responses so that you must approve each one and can modify any of the traffic before it reaches its intended destination. Note: Requires a working Java environment.
- DSniff (for Windows) - Old-school spoofing, interception and monitoring tools.
- Ettercap (for Windows) - Similar to DSniff, but more user-friendly.
- LibWhisker - Perl library providing functions for building and manipulating HTTP requests and HTML. Can be used to write your own hacking scripts.
- Nikto - Scanner for known web server and application vulnerabilities (uses LibWhisker).
- Stunnel - Lets you use any hacking script that speaks HTTP but not HTTPS against an HTTPS site. Run it in client mode: it accepts plaintext on a local port, handles the SSL/TLS layer and tunnels the traffic to the real server.
- NetCat (for Windows) - Known as "the TCP/IP swiss army knife". A generally useful networking tool; among other things it lets you type raw HTTP requests at a server by hand.
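As an added example (not from the original page or the stunnel project), here is the client-side stunnel configuration that does what the Stunnel entry describes: a plain-HTTP listener on 127.0.0.1:8080 forwarded over SSL/TLS to the target. The target hostname, the listener port, the service name and the CA bundle path are all placeholders.

```ini
; stunnel client-mode configuration (added example; hostname, port and CA path are assumptions)
; Global options must appear before the first [service] section.
client = yes
foreground = yes

[https-tunnel]
; Plaintext listener for the HTTP-only tool. Bind to loopback so nobody else on the
; network can ride your tunnel to the target.
accept = 127.0.0.1:8080
; The real HTTPS target; replace with the host under assessment.
connect = target.example.com:443
; Without the next two lines stunnel accepts any server certificate. That is fine for
; a throwaway test tunnel, but it means a third party could sit between you and the target.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
```

Point the HTTP-only tool at the listener, for example `nikto -h 127.0.0.1 -p 8080 -vhost target.example.com`, or check the tunnel by hand with netcat: `printf 'GET / HTTP/1.0\r\nHost: target.example.com\r\n\r\n' | nc 127.0.0.1 8080`. Two things to remember: the tool only sees a plain socket on localhost, so it will send the wrong Host header unless you tell it the real name, and the target's logs still show your real source address since stunnel is not an anonymizer.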
Other lists of tools
- Top 75 Security Tools by Insecure.org - A great list of web app sec and general network sec tools.
Automated Tools that Cost
The previous entries are available and free for all. The following are professional tools that you will have to pay for.
- NTOSpider from NT OBJECTives - Web application vulnerability scanner whose development I lead.
- AppScan by Watchfire - Another web application vulnerability scanner.
- WebInspect by SPI Dynamics - Yet another web application vulnerability scanner.
This site does not condone malicious hacking of websites. The details, descriptions, tools and links provided are intended for auditing and educational purposes. Using this information for bad intent is, well… bad.