Saturday, September 4, 2010

HTTP web proxies

Today I am posting my opinion about the proxies that I have used on my pentests. I am going to focus on three of them since those are the ones that I use the most.

The tools:

When I perform external application tests I tend to use Fiddler, Burp Suite and an incredible tool called CAT (Context Application Tool). My take on these tools is that they are awesome and provide great value to the people who use them. Obviously, they all have their limitations, but overall they help a lot (I cannot imagine a person doing a web app test without using a web proxy of some kind). The following is the list of CONS and PROS that I see in each tool after using them for a long time.

Fiddler
MITM proxy for Windows developed on .NET. This tool is great for just browsing and understanding applications. It allows you to look at all sessions being created and, since it is developed over .NET, it will work with all web applications without problems when dealing with certificates or NTLMv2 authentication.

CONS:
- .NET = Windows (Please don't say MONO. I have not tested it over Linux, but when doing pentests I don't want to waste time on functionality issues, so I use two different VMs, one Linux and one Windows, for my tests)
- Limited in functionality: No fuzzer included, limited plugins, and search engine is limited when you want to find specific patterns
- Cannot automatically scan

PROS
- Saves all requests and responses into sessions that you can later see for further analysis. Even if you need evidence that you forgot to take
- FREE!
- Plugins available that will also make your life easier
- Loading previous sessions is easy and fast no matter the amount of requests


Burp Suite
Most known tool. This has been out there forever. It started as a free tool and when it started to grow the developers started to charge users for specific functionality (PRO version). I don't think this is bad, since maintaining a tool like this takes a lot of effort and time. I will focus on the free version since that is what I use.

CONS
- It has happened to me that the tool does not work as expected when the web application uses NTLM authentication
- Limited functionality to send a large amount of requests with different parameters
- I feel that sometimes this tool is slower than the others that I have seen. But I know CAT is considerably faster and more reliable when sending a large amount of requests
- The free version doesn't allow you to save sessions, so if you close the proxy, or if it crashes without you saving a screenshot or something that will help you remember what you were testing, you are screwed (think that pentests go on for more than one day)
- Personally, I hate the java GUI.

PROS
- Embedded spider with tree view
- Not dependent on the operating system, can run on Windows and Linux
- Embedded decoder << great feature and really helpful!!
- Embedded sequencer for token or cookie tests
- Overall it is great tool with limitations when used on the free version... as expected

CAT
This tool came out not that long ago and in my opinion it is awesome. It is also developed over .NET and works like a charm almost all the time.

CONS
- .NET = Windows (Please don't say MONO again but feel free to try it)
- Has some problems when handling really long files on the fuzzer for the wordlists
- When fuzzing a lot of words (>10000) and saving the requests in the results window, the tool will start to slow down due to memory consumption, so you have to periodically delete requests during large fuzzing runs or wait until it ends
- When loading previous sessions, if the session involves a lot of fuzzing the tool can just crash or not respond for a loooongg time.

PROS
- Embedded Fuzzer
- XSS, SQLi and CSRF scanner. Usually they work pretty well
- Saves all the sessions and allows you to review them later
- FREE!
- Fuzzer is really fast and allows a lot of customization with an easy and straightforward GUI
- Comes with a number of wordlists to try while using the fuzzer (common folders, files, passwords, users, SQL, fuzzing)

My final take on this is that these three tools each provide something different and good to users. In most cases they have to be used together while testing web applications, since none of them provides everything. Although I hate to say it, the one that I like the most is CAT because of its fuzzing capabilities and because it is free, though I hate that it is .NET. I guess if I could use the Burp Suite Pro capabilities for free and change the Java GUI I would stick to that tool. However, I use the three of them in all my tests since I don't have any money or funding.

c4an.
