Dr. Drew Hwang, CIS, Cal Poly Pomona
Home
101
WDD
ECOMM
SWA
SP
Secure Web Development
Home
Basics
Offense
Defense
SDLC
Code
Access
Parameter
Perimeter
Browser
Industry
Resource
Offense
Anatomy of Attacks
Ethical Hacking Tools
OWASP Top 10
Introduction
v.2007
v.2010
v.2013
Other Models
WASC (V2.0)
MS Threat Model
One More Viewpoint
Print
Ethical Hacking Tools
Hacking tools, if used properly and legally, are mostly tools used for web testing and debugging. Thus, they are sometimes called "ethical hacking tools".
3 Ways of Hacking Web Applications
GUI-based Hacking: Using the GUI of browser or its extensions, directly manipulating the applications.
URI Hacking: Tampering with the URL.
HTTP Hacking: Tampering with HTTP elements such as methods, headers, and body not contained in the URL.
Ethical Hacking Tools
The Web Browsers
The web browser is the basic tool to perform web applications attack, because it is the designated, end-user oriented front-end that communicates with the back-end.
The attack is done through tampering the URL in the address bar.
There are two drawbacks:
Some browsers are designed to trim user URL from behind-the-scenes. For instance, both IE and Firefox strip out dot-dot-slashes.
The contents of PUT requests cannot be manipulated directly from the address bar.
Browser Extensions
They are lightweight-add-ons to web browsers that enable HTTP analysis and manipulation.
They are not the type of browsers plug-ins (e.g., Explorer Bar, Flash, etc.) that extends the functionalities of the interface.
For example:
Firefox add-on: FiddlerHook by telerik
IE plug-ins: TamperIE by Bayden Systems
Web Hacking Toolkit at Mightyseek.com
HTTP Proxies
They are stand-alone programs (not plug-ins) that run as a local HTTP service to intercept HTTP/S communications and enable the use to analyze or tamper with the data before submitting.
They are capable of analyzing and tampering with non-browser HTTP clients.
Burp Suite, a Java application, is a popular HTTP proxy that contains different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
Demo
Download Burp Suite
How To Install And Configure Burp Suite With Firefox
Getting Started With Burp Suite
Command-line Tools
They are good for scripting and iterative attacks and they can work on the data packets, but require knowledge of proprietary command language.
List of Tools
SQL Injection
SQL Power Injector
Bobcat
Absinthe
SQLInjector
NGS Software database tools
Cross-Site Scripting
RSnake's XSS Cheat Sheet
XSS-Proxy
IE Extensions
TamperIE
IEWatch
IE Headers
IE Developer Toolbar
IE 5 Powertoys for WebDevs
Firefox Extensions
LiveHTTP Headers
Tamper Data
Modify Headers
HTTP/S Proxy Tools
Paros Proxy
WebScarab
Fiddler HTTP Debugging Proxy
Burp Intruder
WatchFire PowerTools
ProxMon
ratproxy
Command-line HTTP/S Tools
cURL
Netcat
Sslproxy
Openssl
Stunnel
Sanboxes
NTO Hackme Test
Web Authentication
Brutus AET2
Hydra
WebCracker
NTLM Authentication Proxy Server (APS)
XML Web Services
WebService Studio
WSDigger
SoapClient.com
XML eXternal Entity (XXE) Attack
XPath Injection
"
Blind XPath Injection
"