With the economy keeping security and QA budgets at a minimum, many people are turning to free tools to seek out flaws in their Web applications. I'm not a huge fan of freebie tools, but there's a small group of them that certainly serve a great purpose. Web proxy tools happen to fall into this category.
Web proxies serve as an intermediary between the browser and your Web system, allowing you to manually analyze and manipulate applications. They make you the "man in the middle." With a proxy in place, you can see and change the HTTP requests your browser sends before they reach the application, something that isn't possible otherwise. You can do things like:
- Log HTTP and HTTPS traffic
- Change values in hidden fields
- Manipulate maximum field lengths
- Analyze and trick common authentication mechanisms
- Manipulate HTTP header and session information
The possibilities are endless because Web proxies allow you to literally step through entire interactions with an application just like you would when debugging source code within an IDE.
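The list above is exactly why client-side constraints (hidden fields, `maxlength`, default quantities) cannot be relied on: anything the browser sends can be edited in the proxy before it reaches the server. The following is an added example, not code from the original column or from any of the proxy tools it mentions. It parses a raw HTTP request the way an intercepting proxy displays it, then shows an order handler that ignores the client-supplied price and re-checks length and range on the server. The catalogue, the `/order` endpoint and the two sample requests are constructed for the example.

```python
"""Server-side checks for values that a Web proxy lets the client alter.

Added example (not from the original article). The catalogue, endpoint and
sample requests below are constructed for illustration.
"""
from urllib.parse import parse_qs

# The server, not a hidden form field, is the source of truth for prices (in cents).
CATALOGUE = {"sku-100": 4999, "sku-200": 950}
MAX_NOTE_LEN = 64   # the same limit the HTML form advertises with maxlength
MAX_QTY = 10


def parse_raw_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request, as shown in a proxy, into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def handle_order(form: dict) -> dict:
    """Validate an order form on the server.

    Trusting the hidden 'price' field or assuming the browser enforced
    maxlength would be the bug; every value is re-derived or re-checked here.
    """
    errors = []
    sku = form.get("sku", [""])[0]
    if sku not in CATALOGUE:
        errors.append("unknown sku")

    # 'price' from the form is deliberately never read.
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        qty = 0
    if not 1 <= qty <= MAX_QTY:
        errors.append("qty out of range")

    note = form.get("note", [""])[0]
    if len(note) > MAX_NOTE_LEN:
        errors.append("note too long")

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "total_cents": CATALOGUE[sku] * qty}


def process_request(raw: bytes) -> dict:
    """Dispatch a raw request for the constructed /order endpoint."""
    req = parse_raw_request(raw)
    if req["method"] != "POST":
        return {"ok": False, "errors": ["method not allowed"]}
    form = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)
    return handle_order(form)


def build_request(body: bytes) -> bytes:
    """Assemble a constructed POST /order request around a form body."""
    return (b"POST /order HTTP/1.1\r\n"
            b"Host: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: what the browser would send, and the same request
# after the hidden price, the quantity and the note were edited in a proxy.
HONEST_REQUEST = build_request(b"sku=sku-100&price=4999&qty=2&note=gift")
TAMPERED_REQUEST = build_request(b"sku=sku-100&price=1&qty=999&note=" + b"A" * 70)

if __name__ == "__main__":
    print(process_request(HONEST_REQUEST))    # accepted, total 9998 cents
    print(process_request(TAMPERED_REQUEST))  # rejected, price change has no effect
```

The design choice worth noting is that the handler never reads the `price` field at all; rejecting a "wrong" client price would still leave the server comparing against data it should not have trusted in the first place.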
So which Web proxies should you use? It's really a matter of personal preference. Although I tend to use the Web proxies built into commercial Web vulnerability scanners most of the time, I often have a need to utilize the free ones. In my experience some are better – at least "friendlier" – than others. The two that I've found beneficial are Burp Proxy and WebScarab. Once you download the proxy of your choice and start it up, you just point your browser to the proxy port (typically port 8080 on localhost) and you're ready to roll.
You may wish to play around with some of the triggers and configuration settings, but you can often do everything you need by just looking at each of the HTTP requests and responses. Figure 1 shows the configuration settings in WebScarab.
Figure 1 – WebScarab Configuration Settings
As you can see, there are options for both client and server interceptions as well as specific HTTP methods to look for. Figure 2 shows Burp Proxy in action.
Figure 2 – Burp Proxy capturing an HTTP GET request
As you can see, with the proxy you have access to the raw HTTP request along with options to look specifically at the HTTP headers or even the raw hex. You can forward or drop the request as well as change request methods, send it to other components of the Burp Suite, and more. There's a third proxy option called Paros Proxy. I've had mixed results with Paros but many others swear by it. As with most tools, try them all and just stick with what you're comfortable with and what works in your environment. Even with their funny names and some people's underestimation of their value, these Web proxies are serious security tools you don't want to overlook. Using a Web proxy along with tools such as the Web Developer extension for Firefox and the Developer Tools built into IE 8, you pretty much have all you need to do your manual Web security analysis. Spend some quality time in this area and you're nearly halfway home with your Web security testing.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years' experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security, including the ethical hacking books Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.
This was first published in November 2009