From: Erin Carroll (amoeba@amoebazone.com)
Date: Thu Mar 13 2008 - 13:08:31 EST
I should say up front that there is no substitute for manual testing.
However, automated scanners do save you a hell of a lot of time for locating
the low-hanging fruit.
That said, there are times when I'm pen-testing complex web apps with
multiple tiers/branches that require specific valid input at several steps
to gain access to where a potential vulnerable field/page/form may exist
that I want to hit with fuzzy bad traffic. Manually scripting all this would
be a huge timesink and isn't very cost-effective. Some of the webapp
scanners do have some capability to do field population but it's not as
flexible as I'd like. For instance, Webinspect can "learn" an app and you
can specify what input to provide at various forms/prompts but there is no
real granularity. If I want to specify that on page1 to use Foo for a
username field but on pages 3-5 and their children I want to use Bar for all
username fields I have to do that manually. If I prepopulated the Username
field in WI with Foo it uses Foo for all username fields... unless I want to
run *another* scan from the Foo return as the starting point and run with
Bar from there forward.
What I would love to see is a tool which could allow for this kind of
granularity in field input. Anyone have ideas?
-- Erin Carroll Moderator, SecurityFocus pen-test mailing list amoeba@amoebazone.com "Do Not Taunt Happy-Fun Ball" -----Original Message----- From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Robin Wood Sent: Thursday, March 13, 2008 10:21 AM To: Sam Rakowski Cc: pen-test@securityfocus.com Subject: Re: Program to populate forms On 13/03/2008, Sam Rakowski <masterakowski@gmail.com> wrote: > On 12 Mar 2008 15:19:13 -0000, finight64@gmail.com <finight64@gmail.com> wrote: > > > I'm looking for a program to automatically fill in forms to create traffic on a web app for analysis. Does anyone have any suggestions or experiences? > > > Would that be 'good' traffic, what your program expects, or 'bad' > traffic (i.e. putting xyzzy for a zip code) Depends on what you want to test, the question was about creating traffic so I'd say good, valid traffic. If he wanted to test it then he'd put all sorts or stuff in there. Robin ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT