From Achilles to WebScarab – Quick review

August 21, 2008

Well, I ran into these two tools and wanted to say a little about them (mostly of the copy-paste kind, since they are already explained in their respective documentation), in order to encourage others to give them a look.

Broadly speaking, you can inspect the headers and POST bodies you exchange with the sites you visit, and with that you can find vulnerabilities in the code of the pages you build yourself… which is great, since we could avoid SQL injections by reworking our code 😀 …

About Achilles:

Rated #46 on “The Top 75 Security Tools 2003” compiled by nmap creator Fyodor (See

Platform: Windows (or UNIX via WINE)

Created and released by Robert Cardona of Systegra on Oct 13, 2000.
Concept by David Rhoades of Maven Security.

The first publicly released general-purpose web application security assessment tool. Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly. Though it was the first, it is no longer the best, and we recommend using Burp Suite, WebScarab, or Paros as they offer more features.

Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session’s data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before

Note 1: Achilles does not verify any web server’s certificate. Serving as a man-in-the-middle, Achilles is itself vulnerable to man-in-the-middle attacks.

Note 2: The current version of Achilles doesn’t support host restrictions, so any user with access to the port Achilles is running on can use it as a proxy.

Note 3: Even though Achilles can function as a proxy server, using it as one when not testing web applications is HIGHLY discouraged.
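To make the intercept-and-relay loop described above concrete, here is a small added example of my own (it is not Achilles’ or WebScarab’s code): a forward proxy that hands every request to a tamper hook before relaying it, the same thing a tester does by hand in the Achilles window. It does plain HTTP only (the two-sided SSL negotiation Achilles performs for HTTPS is not reproduced), the echoing “origin” server and the `privilege_tamper` hook are constructed for the demo, and the proxy binds to loopback only, which is the fix for Note 2.

```python
"""Minimal intercepting HTTP proxy in the spirit of Achilles / WebScarab.

Constructed, self-contained demo: a loopback "origin" server that echoes what
it received, a forward proxy that hands every request to a tamper hook before
relaying it, and a client that sends a POST through the proxy. Plain HTTP only;
the two-sided SSL handling Achilles does for HTTPS is not reproduced here.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Headers that describe one hop, not the message: strip them and regenerate.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive",
              "transfer-encoding", "content-length"}


class EchoOrigin(BaseHTTPRequestHandler):
    """Stand-in for the target web application (constructed for the demo)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        reply = "{} {} role-header={} body={}".format(
            self.command, self.path, self.headers.get("X-Role", "-"), body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = do_POST

    def log_message(self, *args):  # keep the demo quiet
        pass


def passthrough(method, path, headers, body):
    """Default hook: relay the request unchanged."""
    return method, path, headers, body


class InterceptingProxy(BaseHTTPRequestHandler):
    """Forward proxy; every request goes through `hook` before being relayed."""

    hook = staticmethod(passthrough)

    def _relay(self):
        target = urlsplit(self.path)  # a browser sends the absolute URL to a proxy
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP}
        path = (target.path or "/") + ("?" + target.query if target.query else "")
        # Intercept point: this is where Achilles pauses and shows an editable copy.
        method, path, headers, body = type(self).hook(self.command, path, headers, body)
        headers["Content-Length"] = str(len(body))  # the hook may have changed the body
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request(method, path, body=body, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _relay

    def log_message(self, *args):
        pass


def privilege_tamper(method, path, headers, body):
    """Hypothetical hook: edit a POST field and add a header, as a tester would by hand."""
    headers = dict(headers)
    headers["X-Role"] = "admin"
    return method, path, headers, body.replace(b"role=user", b"role=admin")


def start(handler):
    # Loopback only, OS-chosen port. Note 2 above is the reason: a proxy listening
    # on all interfaces is an open relay for anyone who can reach the port.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo(hook=privilege_tamper):
    """Send one POST through the proxy and return the origin's echo of what arrived."""
    origin = start(EchoOrigin)
    InterceptingProxy.hook = staticmethod(hook)
    proxy = start(InterceptingProxy)
    try:
        client = http.client.HTTPConnection(*proxy.server_address, timeout=5)
        url = "http://127.0.0.1:%d/account?id=7" % origin.server_address[1]
        client.request("POST", url, body=b"user=bob&role=user",
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
        reply = client.getresponse().read().decode()
        client.close()
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()
    return reply


if __name__ == "__main__":
    print(run_demo())  # POST /account?id=7 role-header=admin body=user=bob&role=admin
```

The origin sees `role=admin` and an `X-Role: admin` header it never received from the browser, which is exactly the kind of parameter tampering a proxy like Achilles lets you try against your own pages. Note what the proxy deliberately does not do: it never checks who connected to it, so in a real tool binding to 127.0.0.1 (or adding host restrictions) is the whole difference between a test aid and an open relay.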

System Requirements
OS: Windows 2000, Windows NT, Windows 98, Windows 95 with Winsock2
Web Browser: Tested with Netscape 4.75 and MSIE 5

About WebScarab:

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

There is no shiny red button on WebScarab, it is a tool primarily designed to be used by people who can write code themselves, or at least have a pretty good understanding of the HTTP protocol. If that sounds like you, welcome! Download WebScarab, sign up for the mailing list on the OWASP subscription page, and enjoy! You can read a brief tutorial to explain the basic workings.

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

Recommended links:

Training Movies for WebScarab >

Webscarab >

Achilles >

