Context App Tool (CAT) Version 1 has been released.
http://cat.contextis.com
CAT is a tool for manual web application penetration testing and includes the following features:
Request Repeater – Used for repeating a single request
Proxy – Classic Inline proxy
Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
Log – View a list of requests to sort, search repeat etc. Allows for a sequence of requests to be repeated and modified.
Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
SSL Checker – Request a specific page with various SSL ciphers and versions.
Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer's rendering engine.
Addons – Freely accessible API/SDK to extend CAT with additional functionality.
Some highlights of CAT:
CAT uses Internet Explorer's rendering engine for accurate HTML representation
It supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
It offers integrated SQL Injection and XSS Detection
Advanced Authentication and Authorisation using Synchronised Browsing
Silverlight WCF Support
Faster performance due to HTTP connection caching
SSL Version and Cipher checker using OpenSSL
Greater flexibility for importing/exporting logs and saving projects
Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
Ability to extend CAT using Addons with publicly available documentation and sample code
MONO Support for Linux and OSX (Currently in Beta).
Scriptable fuzz cases.
It is totally free!
On Thu, 04 Aug 2011 01:45:16 BST, Context IS - Disclosure said:
CAT is a tool for manual web application penetration testing and includes t he following features:
Sounds at least potentially interesting. A few questions:
CAT uses Internet Explorer's rendering engine for accurate HTML representation
Is this optional/switchable? Might be nice to not use the actual IE render
engine if you're working on serving up a client-side exploit via XSS - that would
be shooting yourself in the foot then. ;)
MONO Support for Linux and OSX (Currently in Beta).
What render engine does it use for Linux/OSX? Or is this referring to using
MONO to talk from a Windows test box to a Linux/OSX target?
It is totally free!
What license?
Under native Windows, CAT will only use IE to render the HTML. I can see your point as to why you might not want to use IE and I will look into adding in a Gecko rendering option for the next version.
Under Mono it uses the Mono provided WebBrowser control, which rendering engine is used depends on the operating system's configuration e.g. Gecko or WebKit. For more details see:
http://www.mono-project.com/WebBrowser
The license can be see here:
http://www.contextis.co.uk/resources/tools/cat/download/Cat_EULA.txt
Cheers,
Mike
From: Valdis.Kletnieks@vt.edu [Valdis.Kletnieks@vt.edu]
Sent: 04 August 2011 15:35
To: Context IS - Disclosure
Cc: full-disclosure@lists.grok.org.uk; webappsec@securityfocus.com; websecurity@webappsec.org; owasp-all@lists.owasp.org
Subject: Re: [Full-disclosure] CAT Version 1 Released - Web App Testing Tool
On Thu, 04 Aug 2011 01:45:16 BST, Context IS - Disclosure said:
CAT is a tool for manual web application penetration testing and includes t he following features:
Sounds at least potentially interesting. A few questions:
CAT uses Internet Explorer's rendering engine for accurate HTML representation
Is this optional/switchable? Might be nice to not use the actual IE render
engine if you're working on serving up a client-side exploit via XSS - that would
be shooting yourself in the foot then. ;)
MONO Support for Linux and OSX (Currently in Beta).
What render engine does it use for Linux/OSX? Or is this referring to using
MONO to talk from a Windows test box to a Linux/OSX target?
It is totally free!
What license?
On Tue, Aug 9, 2011 at 2:34 AM, Context IS - Disclosure
disclosure@contextis.co.uk wrote:
Under native Windows, CAT will only use IE to render the HTML. I can see your point as to why you might not want to use IE and I will look into adding in a Gecko rendering option for the next version.
I attempted to use both the Windows registry IsDefaultRenderer=1 entry
and 'X-UA-Compatible: chrome=1' header in every response, but still
could not change the rendering engine in CAT (latest version) from IE
to ChromeFrame.
However, CAT has a proxy. It does not, however, include the feature to
"show response in browser" as does Burp -- which would allow you to
switch between browsers to see if the XSS works in one versus another.
Cheers,
Andre