Web Security Tools - Hacking-Lab (slide transcript, Compass Security AG)

Posted on 17-Apr-2021


Tel.+41 55-214 41 60

Fax+41 55-214 41 61

team@csnc.ch

www.csnc.ch

Compass Security AG

Glärnischstrasse 7

Postfach 1628

CH-8640 Rapperswil

Web Security Tools

Web Security Wargames

© Compass Security AG  www.csnc.ch

How to analyze Web Applications

Inspection Proxies
  Paros
  Burp
  Web Scarab
  Charles Proxy

Firefox
  Firebug
  Tamper Data | LiveHttpHeader | SwitchProxy | Add N Cookie Editor

Internet Explorer
  Fiddler
  HttpAnalyze

Opera
  JavaScript Debugger


Inspection Proxy

Inspection Proxies: Introduction

An inspection proxy is an HTTP/S request modification tool: it is an HTTP proxy that sits between the browser and the server.

Features
  HTTPS traffic inspection by terminating the HTTPS connection at the proxy (the browser therefore sees the proxy's certificate, not the server's)
  On-the-fly request modification based on regular expressions
  Record and replay of whole HTTP requests

[Diagram: Browser <- HTTP/S -> Inspection Proxy <- HTTP/S -> Server; the proxy exposes a Console, a Request Repository and the Regular Expressions used for rewriting]


Configure Proxy in Browser

Start the browser

Configure Firefox via a proxy-switching plug-in (e.g. SwitchProxy) or manually

Modify the proxy settings so that both protocols point at the inspection proxy:
  http  127.0.0.1:8080
  https 127.0.0.1:8080

Press OK or Apply to activate the settings

Note: because the inspection proxy terminates HTTPS, the browser will be shown the proxy's own certificate instead of the server's. Either import the proxy's CA certificate into the browser or accept the certificate warning for the duration of the test; do not leave that CA trusted on a browser profile you use for anything else.


Proxy: Paros

Usage

Switch to the 'Trap' pane
Tick the 'Trap Request' checkbox to intercept requests
Change the request's parameters directly in the 'Header' or 'Body' text area
Click 'Continue' to release the modified request


Proxy: Paros

Header Auto Replacement

Switch to the 'Filters' pane
Check the 'ReplaceRequestHeader' box
Click the 'ReplaceRequestHeader' button, insert your regular expression and activate it
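The trap-and-edit flow on the Paros 'Usage' slide, the regex 'ReplaceRequestHeader' filter above and the record-and-replay feature listed in the introduction are the core of every inspection proxy. The following Python is an added example for this transcript, not Paros, Burp or Compass Security code: it parses a constructed raw HTTP request, runs it through regex header filters, hands it to a trap callback that stands in for the manual Header/Body edit, recomputes Content-Length, forwards it through an injected send function (a constructed echo server here, so the example runs offline) and records the exchange so it can be replayed. The class and function names, the sample request and the regex are assumptions.

```python
"""Core of an inspection proxy: parse, filter, trap, forward, record, replay.
Added example for this transcript, not Paros/Burp/Compass Security code; the
server side is a constructed echo function so everything runs offline."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

CRLF = b"\r\n"

@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]]  # order preserved, as the browser sent them
    body: bytes

    def set_header(self, name: str, value: str) -> None:
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))

    def to_bytes(self) -> bytes:
        # Content-Length is recomputed after any body edit; otherwise the server
        # reads too little or blocks waiting for bytes that never arrive.
        if self.body or any(n.lower() == "content-length" for n, _ in self.headers):
            self.set_header("Content-Length", str(len(self.body)))
        lines = [f"{self.method} {self.target} {self.version}".encode()]
        lines += [f"{n}: {v}".encode() for n, v in self.headers]
        return CRLF.join(lines) + CRLF + CRLF + self.body

def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request (Content-Length framed, no chunking)."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in
               (line.partition(":") for line in header_lines)]
    return Request(method, target, version, headers, body)

@dataclass
class ReplaceRequestHeader:
    """Paros-style filter: a regex applied to every 'Name: value' header line of
    every request passing through; a match rewritten to '' deletes the header."""
    pattern: str
    replacement: str

    def apply(self, req: Request) -> None:
        kept = []
        for n, v in req.headers:
            name, _, value = re.sub(self.pattern, self.replacement, f"{n}: {v}").partition(":")
            if name.strip():
                kept.append((name.strip(), value.strip()))
        req.headers = kept

@dataclass
class InspectionProxy:
    send: Callable[[bytes], bytes]                        # forwards raw bytes to the server
    filters: List[ReplaceRequestHeader] = field(default_factory=list)
    trap: Optional[Callable[[Request], Request]] = None   # 'Trap Request' edit hook
    repository: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def handle(self, raw: bytes) -> bytes:
        req = parse_request(raw)
        for f in self.filters:          # automatic rewrites first ...
            f.apply(req)
        if self.trap is not None:       # ... then the manual edit, then 'Continue'
            req = self.trap(req)
        out = req.to_bytes()
        resp = self.send(out)
        self.repository.append((out, resp))   # recorded exactly as forwarded
        return resp

    def replay(self, index: int) -> bytes:
        """Re-send a recorded request unchanged."""
        return self.send(self.repository[index][0])

def fake_server(raw: bytes) -> bytes:
    """Constructed stand-in for the target server: echoes what it received."""
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%b" % (len(raw), raw)

CONSTRUCTED_REQUEST = (  # sample input, not captured traffic
    b"POST /login HTTP/1.1\r\nHost: target.example\r\n"
    b"User-Agent: Mozilla/5.0\r\nCookie: session=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n\r\nuser=alice"
)

def edit_body(req: Request) -> Request:
    """Stands in for typing into the 'Body' text area before clicking 'Continue'."""
    req.body = req.body.replace(b"user=alice", b"user=admin&debug=1")
    return req

def demo() -> bytes:
    """Sample request through one header filter plus the trap; returns what was forwarded."""
    proxy = InspectionProxy(send=fake_server, trap=edit_body,
                            filters=[ReplaceRequestHeader(r"^User-Agent: .*$",
                                                          "User-Agent: Mozilla/5.0 (inspected)")])
    proxy.handle(CONSTRUCTED_REQUEST)
    return proxy.repository[0][0]

if __name__ == "__main__":
    print(demo().decode("latin-1"))
```

Running the block prints the request as it left the proxy: the User-Agent line rewritten by the filter, the body changed by the trap, and Content-Length corrected from 10 to 18. Real tools additionally have to terminate TLS and handle chunked bodies; the ordering (filters, then manual edit, then forward and record) is the same.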

Proxy: Burp Suite

Proxy: Charles Proxy (Commercial)

Proxy: Web Scarab


Firefox Extensions

Firefox: LiveHttpHeader Plugin

Firefox: Tamper Data Plugin

Firefox: Firebug Plugin

Firefox: Cookie Editor Plugin


System Tools for Monitoring

HTTP Analyze (Commercial)

Fiddler (Free Microsoft Tool)


Web Scanner

Acunetix (Commercial)

Acunetix Firefox Plugin


Landing Page

What is a landing page?

Hacking-Lab staff members play the role of the victim
They will click on a URL you provide
Therefore you need your own web server, for example one running on your local computer, that serves a landing page
Please bring a web server with you
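The slide above asks each participant to bring a web server that serves a landing page for the staff member playing the victim to click on. The main job of such a page is to record what the victim's browser sends when it arrives. The following Python is an added example for this transcript, not Hacking-Lab or Compass Security code: a stand-alone landing page built on the standard library that answers every GET, POST or HEAD with a small HTML page and writes one JSON line per visit with the client address, method, path, query parameters, the Host, Origin, Referer, User-Agent and Cookie headers, and any POST body. The host, port, page text and logged header set are assumptions; bind to an address the victim's browser can actually reach.

```python
"""Landing page for Hacking-Lab style exercises: answers every request with a
small HTML page and logs what the visiting browser sent, one JSON line per
visit.  Added example for this transcript, not Hacking-Lab or Compass
Security code; host, port, page text and the logged header set are assumptions."""
import json
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

LOGGED_HEADERS = ("Host", "Origin", "Referer", "User-Agent", "Cookie")
PAGE = b"<!doctype html><title>landing</title><p>thanks for visiting</p>"


def describe_visit(client_ip, request_line, headers, body=b""):
    """Pure function: one request -> JSON-serialisable record.  'headers' is any
    mapping with .get(), so it works for http.client.HTTPMessage and for dicts."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "client": client_ip,
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "headers": {h: headers.get(h) for h in LOGGED_HEADERS if headers.get(h)},
        "body": body.decode("utf-8", "replace"),
    }


class LandingPage(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)   # read any POST body
        body = self.rfile.read(length) if length > 0 else b""
        record = describe_visit(self.client_address[0], self.requestline, self.headers, body)
        print(json.dumps(record), file=sys.stderr, flush=True)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(PAGE)

    do_GET = do_POST = do_HEAD = _serve

    def log_message(self, *args):   # the JSON line above replaces the default access log
        pass


def main(host="0.0.0.0", port=8000):
    """Bind to an address the victim's browser can reach (assumed defaults)."""
    with ThreadingHTTPServer((host, port), LandingPage) as srv:
        print(f"landing page listening on http://{host}:{port}/", file=sys.stderr)
        srv.serve_forever()


if __name__ == "__main__":
    main()
```

Run it on the machine you bring to the lab, give the staff member a URL such as http://<your-ip>:8000/lp?id=42 (the path and parameters are up to you), and watch stderr: the JSON line shows which browser arrived, from where, with which Referer and which cookies, which is the evidence most exercises built around a landing page need.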
