16 Mar - A Web Application Hacker’s Toolkit
Turning Firefox into a WA assault kit was a success: tens of thousands of unique site views, and it made the front page on various social bookmarking sites. So I thought of doing a similar post - but this time I’m gonna list tools, not extensions, that should be in every web application hacker’s toolkit.
In my previous post I said “mark my words, these [tools] will not turn you into a security professional just because you use them; you will still need knowledge. With knowledge comes power and with great power comes great responsibility, remember that!”, and the same applies to this post.
The tools listed in this post can be dangerous; they may cause destruction, pain and death. I provide this list for educational purposes only, in the hope that it will be useful.
Tools suites:
These tools are complete suites and provide the most essential tools for easing and speeding up your mapping and analysis of a web application. They work as intercepting proxies, so you will need to configure your browser to route all requests through them. Read more about them at their respective websites.
Burp Suite:
“Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.”
Paros:
“[...] evaluate the security of [...] web applications. It is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.”
WebScarab:
“WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.”
Pantera:
“Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine.”
General Scanners:
These tools perform automated vulnerability scans of web applications. They can test many pages for a lot of flaws in a short time. They are, however, neither as intuitive nor as flexible as a tester geared up with knowledge, since they operate on syntax alone, and they can cause destruction, pain and death if you use them incorrectly - you have been warned.
Nikto:
“Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).”
Grabber:
“Grabber is a web application scanner. Basically it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums etc., absolutely not big applications: it would take too long and flood your network.”
Wapiti:
“Wapiti allows you to audit the security of your web applications. It performs “black-box” scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.”
SQL-injection scanners:
Database-driven SQL back-ends are currently the most popular way of storing information for dynamic websites, and SQL injection is probably the most common attack method against web applications at the moment. These tools will help you find and exploit SQL-injection vulnerabilities.
SQLiX:
“SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn’t need to reverse engineer the original SQL request (using only function calls).”
SQLIer:
“SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can’t guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.”
SQLBrute:
“SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries. A walkthrough of using SQLBrute can be found on Justin Clarke’s personal blog.”
Absinthe:
“Absinthe is a GUI-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection. Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.”
Sqlninja:
“Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.”
“It’s a blind SQL injection tool developed in Perl. It lets you get database schemas and table rows. Using a single GET/POST you can quietly access the database structure, and using a single GET/POST you can dump every table row to a CSV-like file.”
XSS-Scanners/Testers/Misc:
Cross-Site Scripting (XSS) vulnerabilities are, as of today, among the most common vulnerabilities in web applications. This category contains everything from scanners to cheat sheets.
Springenwerk:
“Springenwerk is an [open source] Cross Site Scripting (XSS) security scanner, written in Python.”
“An online tool with the ability to test XSS-injections at remote target sites and a database over the most common XSS-injections.”
“The goal of this script is to allow users to easily test any web for cross-site-scripting flaws. The script aims to do this by providing an easy to use menu by any form. It should be noted that although I may refer only to forms for the rest of the description, the script does also allow the user to test the current variables in the url bar for cross site scripting flaws.”
“Note from the author: XSS is Cross Site Scripting. If you don’t know how XSS (Cross Site Scripting) works, this page probably won’t help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.”
Password Related Tools:
This section includes, but is not limited to, password-guessing tools and hash crackers. They are lame, and the reason I’ve listed them is that they can be useful when security auditing a website.
Jkain:
“Jkain is an extremely fast MD5 cracker written in Java by Tim Jansson; it can crack the hash of the password “Fgpyyih804423” in just one second and has an average cracking speed of 4-5 hashes per second. It has a success ratio of about 3/4 on “normal” DB dumps from sites.”
John the Ripper:
“John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. [...]”
THC-Hydra:
“THC-Hydra - the best parallelized login hacker: for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support and is part of Nessus.”
Other:
Tools that don’t fit into any other category.
Netcat:
“Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol [...] it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.”
Curl:
“curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos…), file transfer resume, proxy tunneling and a busload of other useful tricks.”
Nmap:
“Nmap is a [...] utility for network exploration or security auditing. [...] useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. [...] determine what hosts are available on the network, what services [...] those hosts are offering, what operating systems [...] they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.”
WebGoat:
“WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.”
