Today I saw an interesting blog post from PortSwigger , finaly announcing new beta release of Burp-Suite . Reade details here . I`ve not got the chance to fully review new beta release but some known bugs I was aware of , are hopefully fixed . And Burp-suit now have it`s own integrated cookie & session analyzing tool , named as "Burp Sequencer" . "Burp Decoder" is another addition . Although a encode/decode tool was really missing in suite but I still prefer using IO-Active`s Morf for this purpose , among the Decoder .
There are many web-application auditing packages and suites out there. Skipping Burp , here is list of some of well-designed and usable ones :
There are many web-application auditing packages and suites out there. Skipping Burp , here is list of some of well-designed and usable ones :
- WebSarab & WebSaurab-NG by OWASP
- SPI-Toolkit by SPIDynamics ( now HP!)
- Suru by SensePost
- SPIKE-Proxy by Immunity
- ParosProxy by Paros
- ... { Add tens of other known personal suites here ! }
Based on nature of audited application , and depending on our plan on how to audit the web-application , #1 suite changes usually . For example , if you`re going to fuzz parameters SPI`s fuzzer is second to none . If you look for automated traffic mannipulation and data replacement while relaying traffic , Burp-Proxy is the best answer , and so on . Although we usually have all or most of these tools available in our tool-box , but there`s usually a suite that`s used more occasionally than others , and I`ve to say for me , Burp-Suite is the one !
There are two exceptions in mentioned list . SPI-Toolkit is a commercial suite, and SPIKE-Proxy is actually a web-application fuzzer more than auditing suite , although it have powerful features for manipulating traffic while relaying through it`s web-interface .
Time to leave office . till next post...
There are two exceptions in mentioned list . SPI-Toolkit is a commercial suite, and SPIKE-Proxy is actually a web-application fuzzer more than auditing suite , although it have powerful features for manipulating traffic while relaying through it`s web-interface .
Time to leave office . till next post...
No comments:
Post a Comment