websecurity@lists.webappsec.org

The Web Security Mailing List

CAT Version 1 Released - Web App Testing Tool

Context IS - Disclosure
Thu, Aug 4, 2011 12:45 AM

Context App Tool (CAT) Version 1 has been released.
http://cat.contextis.com

CAT is a tool for manual web application penetration testing and includes the following features:

  • Request Repeater – Used for repeating a single request
  • Proxy – Classic Inline proxy
  • Fuzzer – Allows for a batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
  • Log – View a list of requests to sort, search, repeat etc. Allows for a sequence of requests to be repeated and modified.
  • Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
  • SSL Checker – Request a specific page with various SSL ciphers and versions.
  • Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
  • Web Browser – An integrated web browser with proxy pre-configured based on Internet Explorer's rendering engine.
  • Addons – Freely accessible API/SDK to extend CAT with additional functionality.
    

Some highlights of CAT:

  • CAT uses Internet Explorer's rendering engine for accurate HTML representation
  • It supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
  • It offers integrated SQL Injection and XSS Detection
  • Advanced Authentication and Authorisation using Synchronised Browsing
  • Silverlight WCF Support
  • Faster performance due to HTTP connection caching
  • SSL Version and Cipher checker using OpenSSL
  • Greater flexibility for importing/exporting logs and saving projects
  • Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
  • The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
  • Ability to extend CAT using Addons with publicly available documentation and sample code
  • MONO Support for Linux and OSX (Currently in Beta).
  • Scriptable fuzz cases.
  • It is totally free!
    
Valdis.Kletnieks@vt.edu
Thu, Aug 4, 2011 2:35 PM

On Thu, 04 Aug 2011 01:45:16 BST, Context IS - Disclosure said:

> CAT is a tool for manual web application penetration testing and includes the following features:

Sounds at least potentially interesting.  A few questions:

> • CAT uses Internet Explorer's rendering engine for accurate HTML representation

Is this optional/switchable?  Might be nice to *not* use the actual IE render
engine if you're working on serving up a client-side exploit via XSS - that would
be shooting yourself in the foot then. ;)

> • MONO Support for Linux and OSX (Currently in Beta).

What render engine does it use for Linux/OSX? Or is this referring to using
MONO to talk from a Windows test box to a Linux/OSX target?

> • It is totally free!

What license?

Context IS - Disclosure
Tue, Aug 9, 2011 9:34 AM

Under native Windows, CAT will only use IE to render the HTML.  I can see your point as to why you might not want to use IE and I will look into adding in a Gecko rendering option for the next version.

Under Mono it uses the Mono-provided WebBrowser control; which rendering engine is used depends on the operating system's configuration, e.g. Gecko or WebKit.  For more details see:
http://www.mono-project.com/WebBrowser

The license can be seen here:
http://www.contextis.co.uk/resources/tools/cat/download/Cat_EULA.txt

Cheers,
Mike


From: Valdis.Kletnieks@vt.edu [Valdis.Kletnieks@vt.edu]
Sent: 04 August 2011 15:35
To: Context IS - Disclosure
Cc: full-disclosure@lists.grok.org.uk; webappsec@securityfocus.com; websecurity@webappsec.org; owasp-all@lists.owasp.org
Subject: Re: [Full-disclosure] CAT Version 1 Released - Web App Testing Tool

On Thu, 04 Aug 2011 01:45:16 BST, Context IS - Disclosure said:

> CAT is a tool for manual web application penetration testing and includes the following features:

Sounds at least potentially interesting.  A few questions:

> • CAT uses Internet Explorer's rendering engine for accurate HTML representation

Is this optional/switchable?  Might be nice to *not* use the actual IE render
engine if you're working on serving up a client-side exploit via XSS - that would
be shooting yourself in the foot then. ;)

> • MONO Support for Linux and OSX (Currently in Beta).

What render engine does it use for Linux/OSX? Or is this referring to using
MONO to talk from a Windows test box to a Linux/OSX target?

> • It is totally free!

What license?

Andre Gironda
Wed, Aug 10, 2011 5:54 PM

On Tue, Aug 9, 2011 at 2:34 AM, Context IS - Disclosure
<disclosure@contextis.co.uk> wrote:

> Under native Windows, CAT will only use IE to render the HTML.  I can see your point as to why you might not want to use IE and I will look into adding in a Gecko rendering option for the next version.

I attempted to use both the Windows registry IsDefaultRenderer=1 entry
and 'X-UA-Compatible: chrome=1' header in every response, but still
could not change the rendering engine in CAT (latest version) from IE
to ChromeFrame.

However, CAT has a proxy. It does not, however, include the feature to
"show response in browser" as does Burp -- which would allow you to
switch between browsers to see if the XSS works in one versus another.

Cheers,
Andre
