Figure 12.5
Screenshot of the Mozilla Firefox extension TamperData.
There are several proxies on the market today, some free and some commercial. We will be
using Burp Suite Professional * to explain certain concepts of Web application security testing.
Burp Suite Professional is a commercial application, but it also has a free version, without the
vulnerability-scanning tool. Some of the other proxies are OWASP's WebScarab, Paros, and the
Mozilla Firefox extension TamperData (see Figure 12.5), among others.
12.1.2.2 Generic Security Assessment Tools
There are a variety of other tools that are useful in performing Web application security assessments. Some of them are the following:
Network monitoring tools —Network monitoring tools are useful in sniffing traffic between client and server. Tools like Wireshark and TCPDump may be used to perform this activity.
Network port scanning tools —Network port scanning tools provide a great deal of input by
identifying open ports and the services running behind these ports. For instance, port 3306
is usually a MySQL database port. Knowledge of this can provide the tester with a greater
edge to penetrate the Web application's security. Nmap and Nessus are some of the tools that
may be used to perform port scanning.
Reconnaissance tools —There are several tools that provide information about the services
and OS details that host a Web application. Some of these tools glean information about the
Web server hosting the Web application, the type of SSL certificate used, and so on.
* We have used Burp Suite Professional v 1.3 Beta to demonstrate some of the testing techniques in Chapter 12.