Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Program to populate forms

from [Erin Carroll] Network Security [Permanent Link]
Subject: RE: Program to populate forms
Date: Thu, 13 Mar 2008 11:08:31 -0700 
I should say up front that there is no substitute for manual testing.
However, automated scanners do save you a hell of a lot of time for locating
the low-hanging fruit. 

That said, there are times when I'm pen-testing complex web apps with
multiple tiers/branches that require specific valid input at several steps
to gain access to where a potential vulnerable field/page/form may exist
that I want to hit with fuzzy bad traffic. Manually scripting all this would
be a huge timesink and isn't very cost-effective. Some of the webapp
scanners do have some capability to do field population but it's not as
flexible as I'd like. For instance, Webinspect can "learn" an app and you
can specify what input to provide at various forms/prompts but there is no
real granularity. If I want to specify that on page1 to use Foo for a
username field but on pages 3-5 and their children I want to use Bar for all
username fields I have to do that manually. If I prepopulated the Username
field in WI with Foo it uses Foo for all username fields... unless I want to
run *another* scan from the Foo return as the starting point and run with
Bar from there forward. 

What I would love to see is a tool which could allow for this kind of
granularity in field input. Anyone have ideas?


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@amoebazone.com
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Robin Wood
Sent: Thursday, March 13, 2008 10:21 AM
To: Sam Rakowski
Cc: pen-test@securityfocus.com
Subject: Re: Program to populate forms

On 13/03/2008, Sam Rakowski <masterakowski@gmail.com> wrote:

On 12 Mar 2008 15:19:13 -0000, finight64@gmail.com <finight64@gmail.com>

wrote:



I'm looking for a program to automatically fill in forms to create

traffic on a web app for analysis. Does anyone have any suggestions or
experiences?



Would that be 'good' traffic, what your program expects, or 'bad'
 traffic (i.e. putting xyzzy for a zip code)


Depends on what you want to test, the question was about creating
traffic so I'd say good, valid traffic. If he wanted to test it then
he'd put all sorts or stuff in there.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: directory traversal vulnerability, Arian J. Evans
Next by Date:  RE: What do you guys think?, Nick Vaernhoej
Previous by Thread:  Re: Program to populate forms, Robin Wood
Next by Thread:  Re: Program to populate forms, James G. McIntyre
Indexes:  [Date] [Thread] [Top] [All Lists]