[WEB SECURITY] Log requests and replay them automatically

steve jensen sjensen1207 at hotmail.com
Fri Jan 11 12:02:29 EST 2008


BurpSuite (Repeater or Intruder) can do exactly what you are asking.

You can provide your own "Fuzz List" to the Burp Intruder to have it test for various vulnerabilities, such as XSS and SQLi.
The only SQLi specific tool I have found that is worth actually using is SPI Dynamics SQL Injector, but I believe it's only available in the toolkit purchased with WebInspect.



Date: Fri, 11 Jan 2008 14:34:52 +0800
From: gunblad3 at gmail.com
To: gpaharenko at gmail.com
CC: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Log requests and replay them automatically

It is possible to write BeanShell scripts for WebScarab to perform what you're looking for, maybe you could look in that direction?

Ray

On Jan 11, 2008 3:13 AM, Gleb Paharenko <gpaharenko at gmail.com> wrote:
Hi.

I've been researching a simple task:

record all raw user requests to the server with post data and headers.
Then repeat them, perhaps modifying some parameters like session id.
It could be useful to test if some actions which were recorded under a
privileged account are available under an unprivileged account.

Tools like Selenium or other browser-oriented stuff which logs clicks
on buttons are unusable, because in the unprivileged interface these
buttons might not exist; however a direct post to the url can work.

I've checked WebScarab, BurpSuite, Paros, w3af (spiderMan plugin)
and did not find any reasonable solution. With the first three of them
I've been able to manually repeat a request; however for a site with
hundreds of links it is time consuming.

The only way to automate this process was exporting messages from
Paros. Then some scripting to get the requests, modify the session id, repeat
them again to the server and scan by eye through the answers. It was several
times faster than manual requests from the graphical interface of these tools.

Question:
 Is it possible to do this simple task with some tool, to minimize
scripting and not reinvent the wheel?
 Is there a good command line XSS/SQLi checker which can read raw
requests with marked parameters to fuzz (like in burp suite), fuzz the
url, and analyze responses to find problems?

w3af seems a good tool, however I've not run deep inside it yet. If it
can do all the stuff mentioned above, please point me to the right plugins.

Surely there should be a discovery plugin which can just read a raw
request, but I have not found it!

Thanks all.


--
Best regards.
Gleb Pakharenko.

http://gpaharenko.livejournal.com

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec


Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:

http://www.webappsec.org/rss/websecurity.rss [RSS Feed]






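The replay-and-compare workflow Gleb asks about (record privileged requests as raw text, swap the session id, resend, compare the answers) fits in a short stdlib-only Python script. This is an added example, not code from the thread or from Paros, Burp, WebScarab or w3af; the demo application, the cookie name sid, the tokens adm1n-token/user-token and the recorded requests are all constructed. It goes slightly beyond the post in one respect: the low-privilege answer is compared against a fresh privileged replay rather than against the originally recorded answer, so both sides see the same server state.

```python
"""Added example (not from the thread or any tool it mentions): replay recorded
privileged requests under a low-privilege session and flag actions the server
does not re-authorize. Demo server, tokens and recordings are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def parse_raw_request(raw):
    """Raw request text (as exported from a proxy) -> (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers, body

def swap_cookie(headers, name, new_value):
    """Copy of headers with cookie `name` replaced; other cookies/headers untouched."""
    out = []
    for key, value in headers:
        if key.lower() == "cookie":
            crumbs = [c.strip() for c in value.split(";")]
            crumbs = [f"{name}={new_value}" if c.split("=", 1)[0] == name else c
                      for c in crumbs]
            value = "; ".join(crumbs)
        out.append((key, value))
    return out

def send(host, port, method, path, headers, body):
    """Replay one request against host:port -> (status, body_text). Host and
    Content-Length are dropped: the target is the test instance, length is recomputed."""
    hdrs = {k: v for k, v in headers if k.lower() not in ("host", "content-length")}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body.encode() if body else None, headers=hdrs)
    resp = conn.getresponse()
    data = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, data

def replay_as(raw_requests, host, port, cookie_name, low_priv_value):
    """Send each recording as-is (privileged baseline), then with the session cookie
    swapped; an identical status+body means the action was not re-authorized."""
    findings = []
    for raw in raw_requests:
        method, path, headers, body = parse_raw_request(raw)
        priv = send(host, port, method, path, headers, body)
        low = send(host, port, method, path,
                   swap_cookie(headers, cookie_name, low_priv_value), body)
        findings.append({"request": f"{method} {path}", "privileged": priv[0],
                         "unprivileged": low[0], "same_response": priv == low})
    return findings

# Constructed stand-in for the application under test (assumed session table).
SESSIONS = {"adm1n-token": "admin", "user-token": "user"}

class DemoApp(BaseHTTPRequestHandler):
    def _role(self):
        for crumb in self.headers.get("Cookie", "").split(";"):
            key, _, val = crumb.strip().partition("=")
            if key == "sid":
                return SESSIONS.get(val)
        return None

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        role = self._role()
        if self.path == "/admin/delete_user":  # correct: role is checked
            return self._reply(403, "forbidden") if role != "admin" else self._reply(200, "deleted")
        if self.path == "/admin/export":  # bug: any logged-in session passes
            return self._reply(401, "login required") if role is None else self._reply(200, "export-data")
        self._reply(404, "not found")

    def _reply(self, code, text):
        self.send_response(code)
        self.send_header("Content-Length", str(len(text)))
        self.end_headers()
        self.wfile.write(text.encode())

    def log_message(self, *args):  # silence request logging
        pass

# Constructed recordings of two admin actions, as raw text exported from a proxy.
RECORDED = [
    "POST /admin/delete_user HTTP/1.1\r\nHost: app.example\r\n"
    "Cookie: sid=adm1n-token; theme=dark\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 7\r\n\r\nuser=42",
    "POST /admin/export HTTP/1.1\r\nHost: app.example\r\nCookie: sid=adm1n-token\r\n"
    "Content-Length: 0\r\n\r\n",
]

def run_demo():
    """Start the demo app on a free local port, replay the recordings, return findings."""
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        return replay_as(RECORDED, host, port, "sid", "user-token")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Two practitioner caveats. Replay only against a test instance: the recorded privileged requests are state-changing (the delete above really deletes), and the baseline replay re-executes them. And `same_response` is a first filter, not a verdict: bodies that carry timestamps or anti-CSRF tokens need normalizing before comparison, and a 200 with a different body can still be an authorization bypass, so review the unprivileged responses by status and size too.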