a4apphack

Its very rare to find out a good n effective web application security assessment tool and would make it almost impossible if you want it for free. After a long time of hunt, I found one; CAT – Context App Tool. Although its free, it offers a good GUI and powerful features along with the basic ones which comes with a every proxy available.

Features

There are a number of features which CAT has to enable a wide variety of testing to be conducted:

• Request Repeater – Used for repeating a single request
• Proxy – Classic Inline proxy
• Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
• Log – View a list of requests to sort, search repeat etc. Allows for a sequence of requests to be repeated and modified.
• Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
• SSL Checker – Request a specific page with various SSL ciphers and versions.
• Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
• Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer’s rendering engine.

Reasons to use CAT

There are a number of differences between CAT and currently available web proxies. Some key differences are:

• Uses Internet Explorer’s rendering engine for accurate HTML representation
• Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
• Integrated SQL Injection and XSS Detection
• Synchronised Proxies for Authentication and Authorisation checking
• Faster due to HTTP connection caching
• SSL Version and Cipher checker using OpenSSL
• Greater flexibility for importing/exporting logs and saving projects
• Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
• The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
• Free!

Proxy & Authentication Checker

I generally use multiple browsers during web app assessments. This helps me to analyze the difference in the responses received from the server for same requests sent with different login credentials. This can also help me during the tests performed for horizontal/vertical privilege escalations. CAT listens to multiple ports at the same time, which means that you can use 2 browsers (or browser profiles) and direct the traffic to one proxy – CAT. CAT displays the traffic from different sources in different tabs.

While doing the authentication testing, we can login with the user having higher privilege in browser 1 and user with lower privilege in browser 2. Access various pages in browser 1 and identical requests are sent using the cookies stored in browser 2. CAT leaves us the response pairs behind for manual analysis.

SSL Strength Check

Why use SSLDigger/Open SSL if your proxy has built-in SSL strength checking feature.

Download:   (More Info here )