the evil tester's guide to http proxies tutorial
DESCRIPTION
A tutorial given at May TestNet 2013. An overview of out of the box Web Browsers, BurpSuite and Fiddler
TRANSCRIPT
![Page 1: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/1.jpg)
The Evil Tester's Guide to HTTP Proxies
A Tutorial for TestNet May 2013
Alan Richardson @eviltester
www.eviltester.com
www.compendiumdev.co.uk
www.seleniumsimplified.com
@eviltester slides: http://unow.be/at/gtn_tute
![Page 2: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/2.jpg)
Logistics
● 09:30
● xx:xx half hour break
● 13:00
Only 3 hours!
1st Hour: Theory & Modern Browsers
● 20 mins Intro, basic theory
● 5 mins Modern Browsers
● 5 mins Demo
● 15 minutes browser exercise
● 15 minutes debrief
2nd Hour: BurpSuite
● 10 mins Introduction to proxies
● 20 mins BurpSuite overview
● 15 minutes BurpSuite Exercise
● 15 minutes BurpSuite debrief and questions
3rd Hour: Fiddler & End Notes
● 15 mins Fiddler overview
● 15 minute Exercise
● 15 minute debrief and questions
● 10 minute end notes
● 5 minutes Q&A
![Page 3: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/3.jpg)
Blurb: Evil Tester guide - HTTP proxies
I test a lot of web applications. I use proxy servers to interrogate and manipulate web traffic. So in this tutorial I want to introduce you to the basics of proxy servers, using BurpSuite and Fiddler.
We will cover and go beyond the obvious interrogation and manipulation of traffic, and also look at how to use autoresponders, custom rules and traffic generators, and at the different capabilities of the tools and how to use them in combination.
And as a bonus we will look at the new features in modern browsers that help you achieve some of the proxy benefits out of the box, for those moments when you have to test unarmed.
As well as the tools I want to cover the thought processes and models that help you get the best from the tools, because "Form can follow features" and "Terrain can inform technique".
![Page 4: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/4.jpg)
Technical Web Testing: A Model
![Page 5: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/5.jpg)
The MORIM Loop
● Model
● Observe
● Reflect
● Interrogate
● Manipulate
![Page 6: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/6.jpg)
The MORIM Loop - Model
● Model
  ○ Build a layered model of the application functionality, flows, technology usage, etc.
● Observe
● Reflect
● Interrogate
● Manipulate
![Page 7: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/7.jpg)
The MORIM Loop - Observe
● Model
● Observe
  ○ At every layer, what can you see?
  ○ Can you increase the depth of observation?
  ○ Do you understand what you see?
  ○ What else could you observe?
● Reflect
● Interrogate
● Manipulate
![Page 8: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/8.jpg)
The MORIM Loop - Reflect
● Model
● Observe
● Reflect
  ○ Expand the model
  ○ Intent - for deliberate action
  ○ Analyse the observations
  ○ What does that imply?
  ○ How? Risks? What else? When?
● Interrogate
● Manipulate
![Page 9: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/9.jpg)
The MORIM Loop - Interrogate
● Model
● Observe
● Reflect
● Interrogate
  ○ Deep dive into observed data
  ○ Breakpoint
  ○ Correlate data changes with state
  ○ etc.
● Manipulate
![Page 10: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/10.jpg)
The MORIM Loop - Manipulate
● Model
● Observe
● Reflect
● Interrogate
● Manipulate
  ○ Edit the data
  ○ Change the state
  ○ Edit the communication
  ○ Change the environment context, e.g. speed, memory, etc.
![Page 11: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/11.jpg)
The MORIM Loop - Utilisation
● Repeat
● Transpose - do the events in any order
● Learn
● Deliberately decide what to try next
● Do it - take advantage of what happens
![Page 12: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/12.jpg)
During all the exercises, consider:
Observation
● What are you observing? What are you not observing? What do you want to observe? Why?
Interrogation
● What do you want to see in more detail? How can you do that? Why?
Manipulation
● What do you want to amend? How could you? Why?
![Page 13: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/13.jpg)
Our Basic Web Technology Knowledge
![Page 14: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/14.jpg)
High Level Generic Architecture
Browser <-HTTP-> Server
Browser
● client side state
● Cookie Management
● Local Storage
● HTML rendering
● JavaScript Execution
● etc.
Traffic
● forms
● XML
● JSON
● etc.
Server
● Web Server
● App Server
● Database
● server side state
![Page 15: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/15.jpg)
Introduction to Modern Browsers
![Page 16: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/16.jpg)
Modern Browsers
● Dev Tools
● Observe Network Traffic
● Interrogate & Manipulate
  ○ DOM
  ○ Data - cookies, local storage
● Differing capabilities between browsers
"Don't get hung up on 'I need to test on BrowserX' - use them all, even while you focus on BrowserX"
![Page 17: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/17.jpg)
Quick Demo of Modern Browser
● Interrogate DOM?
● Manipulate DOM?
● Observe Cookies?
● Interrogate Cookies?
● Manipulate Cookies?
● Observe Network Traffic?
● Interrogate Traffic?
● Manipulate Traffic?
![Page 18: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/18.jpg)
Augment Browsers
● Out of the box experience continually improves
● Use browser plugins to increase the functionality of the browser even further
![Page 19: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/19.jpg)
Gruyere - Cloud app to test against
A Google App Engine hosted application to learn security testing for common vulnerabilities.
Read the Instructions
● http://google-gruyere.appspot.com/
Create a new instance
● http://google-gruyere.appspot.com/start
![Page 20: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/20.jpg)
For local App Testing
● WebGoat
  ○ http://code.google.com/p/webgoat/
● Or anything from BitNami
  ○ bitnami.org
![Page 21: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/21.jpg)
Modern Browser Exercise
1. Decide on a browser: IE, Firefox, Opera, Chrome
2. Find the Dev Tools in the browser
3. Visit http://google-gruyere.appspot.com/start
4. Explore and investigate the browser capabilities using this app
5. Debrief in 15 mins
● What "Observe, Interrogate, Manipulate" capabilities did the browser have?
● What did you want them to have?
● Other thoughts?
![Page 22: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/22.jpg)
For full control, Use a Proxy...
![Page 24: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/24.jpg)
What is an HTTP Proxy?
● Sits between browser and server
● Route all requests through the proxy
Browser -> Request -> Proxy -> Server
Browser <- Proxy <- Response <- Server
HTTPS is handled by 'man in the middle' certificate use: the proxy presents its own certificate to the browser, which is why the browser has to be told to trust the proxy's certificate.
![Page 25: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/25.jpg)
Why should a tester care?
● Learn
  ○ HTTP
  ○ JSON
  ○ App Architecture
● Observe & Manipulate Traffic
● Simulate Network Speeds
● Simulate different browsers
● Test new CSS and JS without a release to the main site
● Test extreme '4xx', '5xx' conditions
![Page 26: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/26.jpg)
When should you use it?
● Almost all the time
![Page 27: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/27.jpg)
When should you not use it?
● Confirm a defect happens without the proxy
● Streaming?
● Long polling?
A proxy is invasive and can impact your results, so you need to double check your results without the proxy.
But the value trumps the risk.
![Page 29: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/29.jpg)
Proxies and their capabilities
![Page 30: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/30.jpg)
Proxies we will cover today
● BurpSuite
● Fiddler
● Capabilities
● Demos
● Exercises
![Page 31: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/31.jpg)
Generic Testing Requirements
Traffic {Request, Response} CRUD
● Create - Generate new requests
● Read - Observe Traffic
  ○ Requests
  ○ Responses
● Update
  ○ Manipulate Requests & Responses
    ■ Manually
    ■ Automatically
  ○ Replay Requests
● Delete - block requests or responses
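The request/response flow and the traffic CRUD list above map directly onto the parts of an intercepting proxy. The following is an added example of my own, not code from the slides, BurpSuite or Fiddler: a minimal plain-HTTP forward proxy in Python whose rule engine records every exchange (Read), tags outgoing requests automatically (Update), answers a matching URL locally with a simulated 503 the way an autoresponder does (Create a response without touching the server, and a way to test the '5xx' conditions), refuses requests to a blocked host (Delete), and can replay a recorded request. The rule names, the `X-Tester` header, the `tracker.example` and `app.example` hosts and the listening port 8080 are my assumptions. A browser pointed at a proxy sends the absolute URL as the request target, which is what `self.path` holds in the handler. HTTPS (CONNECT tunnels) is not handled at all; that is exactly the part the real tools solve with their man-in-the-middle certificate.

```python
"""Minimal intercepting HTTP proxy with a rule engine (added example, not code from the slides)."""
import http.client
import http.server
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Exchange:  # one request and, once handled, its response: a History / WebSessions row
    method: str
    url: str
    req_headers: Dict[str, str]
    req_body: bytes
    status: Optional[int] = None
    resp_headers: Dict[str, str] = field(default_factory=dict)
    resp_body: bytes = b""


@dataclass
class Rule:
    name: str
    match: str                                                # regex tested against the full URL
    block: bool = False                                       # Delete: refuse the request
    on_request: Optional[Callable[[Exchange], None]] = None   # Update: edit it before it is sent
    respond: Optional[Callable[[Exchange], tuple]] = None     # Autoresponder: (status, headers, body)


class RuleEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.history: List[Exchange] = []                     # Read: every exchange seen

    def apply(self, ex: Exchange, forward: Callable[[Exchange], tuple]) -> Exchange:
        # Rules run in order; `forward` makes the real upstream call only if no rule answers.
        for rule in self.rules:
            if not re.search(rule.match, ex.url):
                continue
            if rule.block:
                ex.status, ex.resp_headers, ex.resp_body = 403, {"X-Proxy-Rule": rule.name}, b"blocked by proxy"
                break
            if rule.on_request:
                rule.on_request(ex)
            if rule.respond:
                ex.status, ex.resp_headers, ex.resp_body = rule.respond(ex)
                ex.resp_headers["X-Proxy-Rule"] = rule.name
                break
        else:
            ex.status, ex.resp_headers, ex.resp_body = forward(ex)
        self.history.append(ex)
        return ex

    def replay(self, index: int, forward) -> Exchange:  # re-send a recorded request (Repeater / Replay)
        old = self.history[index]
        return self.apply(Exchange(old.method, old.url, dict(old.req_headers), old.req_body), forward)


def tag_request(ex: Exchange) -> None:
    ex.req_headers["X-Tester"] = "evil"                       # hypothetical marker header


DEFAULT_RULES = [                                             # hostnames and paths are constructed
    Rule("block-tracker", r"^https?://tracker\.example/", block=True),
    Rule("simulate-503", r"/api/fragile",                     # exercise the '5xx' path without an outage
         respond=lambda ex: (503, {"Content-Type": "text/plain"}, b"simulated outage")),
    Rule("tag-all", r".", on_request=tag_request),
]


def forward_upstream(ex: Exchange) -> tuple:
    # Send the (possibly edited) request to the real server over plain HTTP.
    parts = urlsplit(ex.url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    conn.request(ex.method, path, body=ex.req_body or None, headers=ex.req_headers)
    resp = conn.getresponse()
    body = resp.read()
    headers = {k: v for k, v in resp.getheaders() if k.lower() not in ("transfer-encoding", "connection", "content-length")}
    conn.close()
    return resp.status, headers, body


def offline_forward(ex: Exchange) -> tuple:
    # Stand-in for forward_upstream so the engine can be exercised with no network at all.
    return 200, {"Content-Type": "text/plain"}, b"upstream saw X-Tester=" + ex.req_headers.get("X-Tester", "none").encode()


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    engine = RuleEngine(DEFAULT_RULES)

    def _handle(self) -> None:
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        headers = {k: v for k, v in self.headers.items() if k.lower() != "proxy-connection"}
        ex = self.engine.apply(Exchange(self.command, self.path, headers, body), forward_upstream)
        self.send_response(ex.status)
        for k, v in ex.resp_headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(ex.resp_body)))
        self.end_headers()
        self.wfile.write(ex.resp_body)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":  # point the browser's HTTP proxy at 127.0.0.1:8080 (assumed port); no HTTPS
    http.server.ThreadingHTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run the file and configure the browser's HTTP proxy as described on the configuration slides; `engine.history` is then the equivalent of the History tab, and `offline_forward` lets you try the rules without any server behind them. Because the engine stops at the first rule that answers, a block or autoresponder rule placed before `tag-all` short-circuits it, which is the same ordering behaviour to watch for in Fiddler's AutoResponder list.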
![Page 32: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/32.jpg)
Configure Browser to use a Proxy
![Page 33: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/33.jpg)
Configure Browser to use a Proxy
● Chrome and IE both use the System Internet Settings
● Firefox and Opera can maintain proxy settings independently of system settings
![Page 34: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/34.jpg)
Configure Chrome to use a Proxy
● Chrome\Settings, search for proxy
● Uses the normal system proxy settings
● Chrome Incognito and normal mode share proxy settings
![Page 35: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/35.jpg)
Configure Firefox to use a Proxy
● Firefox\Options
  ○ Advanced\Network
    ■ Connection [Settings...]
    ■ Manual proxy configuration
    ■ Use the value listed in Proxy\Options Listeners
    ■ Ignore the "No Proxy For"
● If you already configured IE or Chrome then you could use System Proxy Settings
![Page 36: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/36.jpg)
Configure Opera to use a Proxy
● Settings\Preferences
  ○ Advanced\Network
  ○ [Proxy Servers...]
  ○ Use config from Proxy\Options
● F12 can quickly toggle the proxy on/off once configured
![Page 37: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/37.jpg)
Configure IE to use a Proxy
● Config \ Options
  ○ Connections
    ■ LAN settings
      ● Use Proxy Server
  ○ Use details from Proxy\Options
![Page 38: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/38.jpg)
You may be asked about proxy certificate (BurpSuite portswigger)
● Adhoc - Add it as an exception
● To remove the exception
  ○ Firefox
    ■ Options\Advanced\Encryption
    ■ View Certificates
    ■ Servers (PortSwigger)
  ○ Chrome
    ■ Settings \ search for manage certificates
  ○ Opera
    ■ Preferences
    ■ Advanced\Security
    ■ Manage Certificates...
  ○ IE
    ■ Config \ Internet Options \ Content [Certificates]
![Page 40: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/40.jpg)
What is BurpSuite?
● Java based Proxy
● Professional and Free License
  ○ Pro designed for security professionals
  ○ Free version usually good enough for testing
● Book: "The Web Application Hacker's Handbook"
● http://portswigger.net/burp/download.html
![Page 41: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/41.jpg)
Basic Features For Testing
● Proxy
● Spider
● Repeater
● Sequencer
● Decoder
● Comparer
![Page 42: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/42.jpg)
How to Install & Run
● Download the .jar file
  ○ http://portswigger.net/burp/download.html
● Double click or "java -jar burpsuite_free_vx.x.jar"
  ○ where x.x is the version you downloaded
![Page 43: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/43.jpg)
BurpSuite Basics
● Tabbed GUI
● Proxy\Options
● Configure Browser
● Intercept
● Observe with History Tab
● Repeater to replay and manipulate
● Site Map
● Spider
● Decoder
● Intruder - variety of params
![Page 44: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/44.jpg)
Exercise - explore tool and proxy capabilities
● 20 mins explore, 10 mins debrief
● Use BurpSuite on Gruyere
  ○ Set up the proxy
  ○ Config browser to point to the proxy
  ○ Choose a site and browse
  ○ View the Traffic
  ○ View sitemap
    ■ visit pages you haven't been to that the sitemap found
  ○ Repeat requests
  ○ Tamper Traffic
  ○ Do any of the pages lend themselves to sequencing?
![Page 45: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/45.jpg)
Debrief
● Comments, Questions?
![Page 47: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/47.jpg)
What is Fiddler?
● .NET based (v2 & v4)
● http://www.fiddler2.com/
● now owned by Telerik
![Page 48: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/48.jpg)
Obvious Differences
● Automatically hooks into Windows System Proxy
  ○ IE & Chrome use it by default without configuration
  ○ This makes it good for beginners
● HTTPS decryption off by default
  ○ Tools \ Fiddler Options
    ■ HTTPS tab
      ● Decrypt HTTPS traffic
![Page 49: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/49.jpg)
Fiddler Extensions
● www.fiddler2.com/fiddler2/extensions.asp
  ○ Formatters
  ○ Windows 8 "Metro"
  ○ Android & iOS Certificate maker
  ○ Request Differ
  ○ SAZ Clipboard Util
  ○ Geo spoofing
  ○ Rules Editor
  ○ Privacy Scanner
  ○ Performance Tester Helper
  ○ Stress Testing
  ○ Security Testing - Watcher & Ammonite & X5s
  ○ Fuzzing - intruder21
  ○ etc.
![Page 50: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/50.jpg)
Fiddler Basics
● Firefox Hook "Tools \ Monitor with Fiddler"
● WebSessions Pane - History
● Statistics Tab
● Inspectors Tab
● AutoResponder Tab
● Composer Tab
● Filters Tab
● Timeline Tab
● Config Options
● Decode with TextWizard
● Replay
● Export Sessions
![Page 51: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/51.jpg)
Exercise - explore proxy functionality and compare with BurpSuite
● Any new functionality I didn't mention?
● Which is easier?
● Any missing functionality?
● Can you chain proxies?
![Page 53: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/53.jpg)
Isn't this just Security Testing?
Yes, No?
Opinions?
![Page 54: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/54.jpg)
Observation & Manipulation
Comments on what you observed?
● What didn't you observe?
● What did you want to observe?
● What could you not observe?
Comments on Manipulation?
● What did you manipulate?
● What did you want to manipulate?
● What could you not manipulate?
![Page 55: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/55.jpg)
What makes a difference?
You can manipulate a whole bunch of things, but why would you want to manipulate the:
● Header?
● Body?
● Request URI?
● Params?
● Payload?
![Page 56: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/56.jpg)
Inspiration from Form
What can this tool do? == New test ideas!
e.g.
● What does the autoresponder feature let me do?
● What could I use the save as HAR file for?
● etc.
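One answer to the HAR question above: a saved HAR file is the proxy history as JSON, so it can be checked by a script for things that are easy to miss when scrolling the History or WebSessions pane. The following added example is mine, not code from the slides, BurpSuite or Fiddler. It reads a constructed HAR 1.2 fragment (the hosts, timings and cookie values in `SAMPLE_HAR` are made up) and reports status-code classes (the '4xx', '5xx' conditions slide), the slowest requests, `Set-Cookie` headers missing the `HttpOnly` or `Secure` attribute, and hosts reached over plain http, each of which is an observation you would otherwise have to make by reading the traffic row by row.

```python
"""Read a saved HAR export and report observations (added example, not from the slides)."""
import json
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed HAR 1.2 export, trimmed to the fields the checks below use.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"time": 120, "request": {"method": "POST", "url": "https://app.example/login", "headers": []},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "session=abc123; Path=/"}]}},
    {"time": 80, "request": {"method": "GET", "url": "https://app.example/home", "headers": []},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "pref=dark; Path=/; HttpOnly; Secure"}]}},
    {"time": 2500, "request": {"method": "GET", "url": "http://app.example/api/fragile", "headers": []},
     "response": {"status": 503, "headers": [{"name": "Content-Type", "value": "text/plain"}]}},
    {"time": 30, "request": {"method": "GET", "url": "http://cdn.example/missing.js", "headers": []},
     "response": {"status": 404, "headers": []}},
]}})


def load_entries(har_text: str) -> List[dict]:
    return json.loads(har_text)["log"]["entries"]


def status_classes(entries) -> Dict[str, int]:
    """Count responses by class, e.g. {'2xx': 2, '4xx': 1, '5xx': 1}."""
    return dict(Counter(f"{e['response']['status'] // 100}xx" for e in entries))


def slowest(entries, n: int = 3) -> List[Tuple[str, float]]:
    """Requests ranked by total time, a quick stand-in for the Timeline / Statistics tabs."""
    ranked = sorted(entries, key=lambda e: e["time"], reverse=True)
    return [(e["request"]["url"], e["time"]) for e in ranked[:n]]


def cookie_findings(entries) -> List[Tuple[str, str, List[str]]]:
    """Set-Cookie headers missing HttpOnly or Secure: (url, cookie name, missing attributes)."""
    findings = []
    for e in entries:
        for h in e["response"]["headers"]:
            if h["name"].lower() != "set-cookie":
                continue
            attrs = [a.strip().lower() for a in h["value"].split(";")]   # attribute names are case-insensitive
            name = attrs[0].split("=", 1)[0]
            missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
            if missing:
                findings.append((e["request"]["url"], name, missing))
    return findings


def plaintext_hosts(entries) -> set:
    """Hosts contacted over plain http://, i.e. traffic readable by anyone on the path."""
    return {urlsplit(e["request"]["url"]).hostname for e in entries
            if urlsplit(e["request"]["url"]).scheme == "http"}


def report(har_text: str) -> dict:
    entries = load_entries(har_text)
    return {"status_classes": status_classes(entries), "slowest": slowest(entries),
            "cookie_findings": cookie_findings(entries),
            "plaintext_hosts": sorted(plaintext_hosts(entries))}


if __name__ == "__main__":
    # Replace SAMPLE_HAR with open("export.har").read() to run it over a real proxy export.
    print(json.dumps(report(SAMPLE_HAR), indent=2))
```

The checks are deliberately simple dictionary lookups over the HAR structure, so adding another one (a missing `Content-Type`, a redirect chain, a request that repeats with the same parameters) is a few lines in the same shape; that is the "what could I use this for" exercise turned into a reusable habit.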
![Page 57: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/57.jpg)
Recommended For Self Study
![Page 58: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/58.jpg)
Videos & Courses
● Evil Tester Videos on Burp on YouTube
  ○ www.youtube.com/watch?v=ft5MSmf42Kw
  ○ www.youtube.com/watch?v=JmAk1OVwp-4
● ZAP
  ○ www.youtube.com/watch?v=QG2RCZHMEkM
  ○ www.youtube.com/user/psiinon?feature=watch
● Technical Web Testing 101
  ○ http://unow.be/at/techwebtest101
  ○ Free Online Course
![Page 59: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/59.jpg)
Books
● The Web Application Hacker's Handbook
  ○ www.amazon.com/exec/obidos/ASIN/1118026470
  ○ www.amazon.co.uk/exec/obidos/ASIN/1118026470
● Debugging with Fiddler by Eric Lawrence
  ○ www.amazon.com/exec/obidos/ASIN/1475024487
  ○ www.amazon.co.uk/exec/obidos/ASIN/1475024487
![Page 60: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/60.jpg)
Proxies
● BurpSuite
  ○ http://www.portswigger.net/burp/
● Fiddler
  ○ http://www.fiddler2.com/fiddler2/
● zaproxy (Zed Attack Proxy)
  ○ http://code.google.com/p/zaproxy/
  ○ https://twitter.com/zaproxy
![Page 61: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/61.jpg)
Apps to test against
● http://google-gruyere.appspot.com/part1
  ○ http://google-gruyere.appspot.com/start
● https://hack.me/
● http://demo.testfire.net/
● WebGoat
  ○ http://code.google.com/p/webgoat/
● Lists of Apps to Test Against
  ○ http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html
![Page 63: The Evil Tester's Guide to HTTP proxies Tutorial](https://reader035.vdocuments.us/reader035/viewer/2022081401/55662160d8b42a61238b4b69/html5/thumbnails/63.jpg)
Alan Richardson is an Independent Test Consultant based in the UK. He offers training and consultancy in Selenium WebDriver, exploratory and technical web testing.
● uk.linkedin.com/in/eviltester
Contact Alan for training and consultancy tailored to your needs:
Blogs and Websites
● SeleniumSimplified.com
● EvilTester.com
● Testing Papers and Tools
  ○ CompendiumDev.co.uk
Twitter: @eviltester
Online Training Courses
● Technical Web Testing 101○ Unow.be/at/udemy101
● Intro to Selenium○ Unow.be/at/udemystart
● Selenium 2 WebDriver API○ Unow.be/at/udemyapi
Videos
youtube.com/user/EviltesterVideos
Books
Selenium Simplified
Unow.be/rc/selsimp