Web security practices (1) Common http-based architecture analysis tools
"When you want to do something better, you must first sharpen the tool." in Section 1, we are familiar with commonly used tools. The subsequent sections will also discuss how to write the details of these tools by ourselves.
1.1http extension tool.
(1) TamperIE. This is a browser helper object from the Bayden system. It is very simple. There are only two options -- tamper with GET and/or POST. When we submit such a request, the tool will automatically block the submission. We can view and modify the submitted information. This is something that cannot be done simply by using the IE Address Bar.
After the installation is complete, we will see it at IE's location.
Next is simple configuration.
We can select either one or all of them. When we select the corresponding option and access the relevant page through ie, the information will be truncated.
Here we can see the relevant header information and submitted form information and cookies. the username and password of my mailbox are clear at a glance. Of course, we can modify the relevant parameters at this time before submitting. However, it does not display the details of the web response.
(2) IEwatch and IEHeaders provide similar functions. Can view the sent and received information, but cannot tamper with the information.
(3) HttpWatch Professional. The current version is 4.1.26. It is a powerful webpage data analysis tool that allows you to view the http data of the current webpage for debugging, of course, you can also use it to do other things, such as capturing flash addresses. do you want to know how to interact with the server data when using GMail or any AJAX webpage? With this plug-in, you can see everything at a glance.
(4) LiveHttpHeaders. This is a FireFox extension tool. It can display the original http/S or each request/response. Its replay feature also allows data tampering.
(5) TamperData. Is a FireFox extension that allows you to track and modify HTTP and Https requests, including request headers and POST parameters.
(6) Modify Headers. FireFox extension tool. It is more suitable for Permanent modification.
1.2 command line tool
(1) Netcat. It helps us export the original input and output of network communication to the command line. Let's look at the example below.
(2) curl. Is a multi-platform command line tool. You can operate on HTTP and https. Curl is very powerful when you need to compile scripts for iterative analysis.
1.3 http proxy.
For simple http analysis, we prefer browser proxy because it is simple and quick. Http Proxy tools usually provide us with more diverse functional options. Including http proxy, network crawling, session ID analysis, automatic script interface, fuzzy testing tool, decoding, and other functions. Good tools such as Paros and OWASP WebScarab. We will rarely use the agent tool, so we will not detail it in detail.
1.4 scan tool
Scanning tools are essential for other types of attacks. They are generally divided into port scanning and vulnerability scanning.
1. Common Port scanning tools: ScanPort, Angry IP Scanner, Advanced Port Scanner, and Port scanning in linux, such as nmap and nwatch.
2. vulnerability scanning tools. There are Metasploit Framework, Core Impact, Canvas series security platforms, as well as traditional scanning tools such as xscan.
1.5 Monitoring and sniffing tools
This is not the content we should focus on and practice in our entire practice. However, the ultimate goal of web attacks is the server, so effective use of various resources can get twice the result with half the effort.
This tool will not be introduced, but will be used later.
1.6 programming tools
Because one of the main contents of my practical series is programming related tools and automating some manual processes. I will use vs2005/2008 for my program. If you want to work together or write in a language that you are good at, prepare your favorite tools.
The tool is briefly introduced. In the second section, we will discuss the comprehensive application of these tools for web analysis. In section 3, you will learn how to compile your own analysis tools. I hope more people will join us.