Thread: Web Hacking Toolkit--punter
07-09-2010, 11:47 AM #1 Security Analyst

Web Hacking Toolkit
When doing a manual security assessment of a web application you generally only require a web browser and a local proxy server that allows you to trap and modify requests. Aside from those basic tools, there are a few others that come in handy. This page is dedicated to the tools I use, or that I find useful.
The Starting Team
* Mozilla FireFox - If you're not using this browser for your normal browsing activity… you should. There are enough security problems with IE to encourage such a choice, and if you want to do any security hacking/auditing this will become an invaluable tool. One of the major benefits of FireFox comes in the form of the great number of extensions available. Here are some useful ones:
o Web Developer - This plugin adds a toolbar full of useful tools for both web developers and web hackers alike.
o SwitchProxy - Quickly and easily switch between your local proxy server and direct connections.
o LiveHTTP Headers - This allows you to quickly view the header traffic to and from your browser without the need for connecting to a local proxy server.
o User Agent Switcher - This plugin allows you to quickly and easily change the User Agent string sent to the webserver. Sometimes apps are designed to generate different output based on the browser type and this could result in the execution of a different chunk of code.
o My full FireFox extensions list - There are additional extensions I use, but they don’t really belong in this list.
* Paros Proxy - This is a local proxy server that allows you to have your own man in the middle to use for recording the full traffic between your browser and the web server. Paros allows you to “trap” the requests and responses in a way that you have to approve each and are able to modify any of the traffic before it gets to its intended destination. Note: Requires a working Java environment.
* ntoinsight and ntoweb - ntoinsight is a great crawler that will inventory the site and generate a cool report of the attackable locations on the site. Adding ntoweb allows it to execute the nikto checks and add the findings to the report.
* Cross Site Scripting cheatsheet - This appears to be the definitive list of ways to accomplish XSS and work around various input validation or complicated ways to make sure the resulting injection accomplishes what you want.
Often Benchwarmers, but good to have around
* Burp Proxy - While I prefer Paros for my own use, Burp Proxy is a great tool and is actually designed more specifically for web app hacking. Note: Requires a working Java environment.
* Burp Suite - The Burp Suite, which includes the Burp Proxy is a complete set of tools for doing attacks. It includes the following Burp tools: proxy, spider, intruder and repeater. Note: Requires a working Java environment.
* DSniff (for Windows) - Old school spoofing, intercept and monitoring communication tools.
* Ettercap (for Windows) - Similar to DSniff, but more user-friendly.
* LibWhisker - Perl library that provides functions for manipulating HTTP and HTML. Can be used to create your own hacking scripts.
* Nikto - Known vuln web server and application scanner (uses LibWhisker).
* Stunnel - Allows you to use any normal hacking script that works over HTTP but not HTTPS. Stunnel can handle the encryption layer and tunnel the traffic.
* NetCat (for Windows) - Known as “The TCP/IP swiss army knife”. This is just a generally useful networking tool.
Other lists of tools
* Top 75 Security Tools by Insecure.org - A great list of web app sec and general network sec tools.
05-21-2012, 07:51 AM #2 Super Commando Dhruv


Turning your Chrome to a Pentest Machine
List of extensions for Chrome that can be useful during web application penetration testing
http://www.firecat.fr/kromcat/
Last edited by abhaythehero; 08-09-2012 at 12:50 PM. Reason: Update link. Old one was broken
In the world of 0s and 1s, are you a zero or The One !
07-07-2012, 02:10 AM #3
Hi,
I need a penetration tester to examine a web application for an online book store for vulnerabilities such as XSS and SQL injection.
Can anyone assist me in this regard?
Thanks
07-07-2012, 11:14 AM #4 Super Commando Dhruv

