Figure 12.1 Burp Suite, a Web application proxy's spidering feature.
Figure 12.2 SSL support for a Web application proxy.
in a tabular view to make it easy for the tester to view and modify the parameters. Hidden parameters are also visible in the Web application proxy. Trapping requests and responses is especially useful because the tester can bypass JavaScript validation of user input and intercept the information being sent to the server. Proxies also have functionality that converts strings into different encodings and hash formats, including Base64, SHA-1, and MD5, among others. Figure 12.3 is a screen capture highlighting the trapping of HTTP requests and responses.
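To make the point concrete, here is an added example, not taken from the book, of the server side of the picture: a parameter set as the browser sends it once its JavaScript validation has passed, the same parameters after they were trapped and edited in a proxy (a negative quantity and a re-encoded hidden field), and a validate_order() function that repeats every check on the server and treats the Base64-encoded hidden field as untrusted input. The decode_state() helper performs the same Base64/JSON transformation a proxy's decoder panel would. The catalogue, the field names and both sample requests are constructed for illustration.

```python
import base64
import binascii
import json
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {1042: Decimal("25.00"), 2077: Decimal("9.50")}


def encode_state(state: dict) -> str:
    """Base64 of a JSON object, the form the sample application uses for its hidden cart_state field."""
    return base64.b64encode(json.dumps(state).encode("utf-8")).decode("ascii")


def decode_state(value: str) -> Optional[dict]:
    """Decode a Base64/JSON hidden field; None when it is not valid Base64 or JSON.
    This is the same transformation a proxy's decoder panel performs on the parameter."""
    try:
        raw = base64.b64decode(value, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


# Constructed request exactly as the browser sends it once the page's JavaScript validation passed.
BROWSER_REQUEST = {
    "item_id": "1042",
    "quantity": "2",
    "cart_state": encode_state({"item_id": 1042, "unit_price": "25.00"}),
}

# Constructed request after it was trapped in the proxy and edited: the JavaScript that rejects
# a negative quantity never ran on it, and the hidden cart_state was decoded, changed and re-encoded.
TAMPERED_REQUEST = {
    "item_id": "1042",
    "quantity": "-3",
    "cart_state": encode_state({"item_id": 1042, "unit_price": "0.01"}),
}


def validate_order(params: dict) -> Tuple[List[str], Optional[Decimal]]:
    """Server-side validation that assumes nothing about what the client checked.
    Returns (errors, total); total is None when the request is rejected."""
    errors: List[str] = []

    # Repeat every check the page's JavaScript performs: this request may never have seen it.
    item_id: Optional[int] = None
    try:
        item_id = int(params.get("item_id", ""))
        if item_id not in CATALOG:
            errors.append("unknown item_id")
    except ValueError:
        errors.append("item_id is not an integer")

    quantity: Optional[int] = None
    try:
        quantity = int(params.get("quantity", ""))
        if not 1 <= quantity <= 100:
            errors.append("quantity out of range")
    except ValueError:
        errors.append("quantity is not an integer")

    # The hidden field is client-controlled like any visible one: decode it, check its
    # shape, and take the price from the catalogue, never from the field.
    state = decode_state(params.get("cart_state", ""))
    if state is None or state.get("item_id") != item_id:
        errors.append("cart_state missing or does not match item_id")
    else:
        try:
            claimed = Decimal(str(state.get("unit_price")))
        except InvalidOperation:
            claimed = None
        if item_id in CATALOG and claimed != CATALOG[item_id]:
            errors.append("cart_state unit_price does not match catalogue")

    if errors:
        return errors, None
    return errors, CATALOG[item_id] * quantity


if __name__ == "__main__":
    print("browser request :", validate_order(BROWSER_REQUEST))
    print("tampered request:", validate_order(TAMPERED_REQUEST))
```

The browser request is accepted with a total computed from the catalogue; the tampered one is rejected on both the quantity and the hidden field, regardless of what the client-side script would have allowed.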
Scanning—Some Web application proxies, like Burp Suite Professional and Paros, also provide Web application vulnerability scanners to perform automated testing against the Web application. Automated vulnerability assessment methods in combination with manual methods are necessary to complete a comprehensive Web application security assessment. It is essential to keep the proxy updated to the latest version, as attack vectors for Web applications are constantly evolving. Figure 12.4 is a screen capture that illustrates the automated Web application vulnerability assessment capability of a Web application proxy, Burp Suite Professional.