Jonathan Wilkins: ScarabMon - Automating Web Application Penetration Tests - a podcast by Jeff Moss

from 2022-02-22T11:05:38.330365


"ScarabMon is a new tool and framework for simplifying web application pentests. It makes the process of finding many common webapp flaws much easier. The user simply navigates the target site while using the WebScarab proxy and ScarabMon constantly updates the user with information on discovered flaws.

ScarabMon is written in Python and all code and modules will be released at the conference.

ScarabMon is also easily extensible, with useful checks often only requiring 5-10 lines of Python code.

I wrote ScarabMon because I couldn't find anything like it.

Historically the standard web proxies have been @Stake's WebProxy (which is totally unavailable anymore as Symantec killed it after the acquisition), SpikeProxy and WebScarab. Those have recently been joined by two other apps, WebScarab-NG and Pantera.

The latter are not ready for serious usage yet. Pantera development seems to have stalled and WebScarab-NG is missing major features, though it shows the most promise. The latest date on any of the SPIKEProxy files is from 2003.

So basically everyone uses WebScarab for web application pen tests.

WebScarab is obnoxious to program for, as you have to write dozens of lines of Java code (BeanShell) for the simplest tasks. BeanShell is also often unstable.

ScarabMon is currently designed to work with WebScarab, but could be ported to work with any of the above should the need arise. Instead of acting as a proxy, it just monitors the output of the proxy and opportunistically performs tests. Some tests are things people have seen before in other tools (like finding directories that support PUT) and others aren't anything I've seen in any other tool, such as finding values that were set as cookies over SSL that later wind up as a query string parameter."
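As an added illustration of the monitoring approach described in the abstract (this is not ScarabMon's code, and the conversation record format, the check-registry decorator and the sample traffic are all assumptions made for this example), the following Python sketches how a passive check can be written in a few lines: it walks the proxy's recorded conversations in order, remembers cookie values set in HTTPS responses, and flags any later request whose query string carries one of those values. A second small check flags cookies set without HttpOnly, to show how independent checks plug into the same loop.

```python
"""Added example of passive, ScarabMon-style checks over proxy conversations.
Not ScarabMon's own code; the record layout and names are assumptions."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Conversation:
    """One request/response pair as a proxy would log it (assumed layout)."""
    url: str
    method: str = "GET"
    response_headers: List[Tuple[str, str]] = field(default_factory=list)


# Registry of checks: each check takes the ordered conversation list and
# returns a list of findings, so a new check is just one decorated function.
CHECKS: Dict[str, Callable[[List[Conversation]], list]] = {}


def check(fn):
    CHECKS[fn.__name__] = fn
    return fn


def _set_cookies(conv: Conversation):
    """Yield Morsel objects for every Set-Cookie header in the response."""
    for name, value in conv.response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            yield from jar.values()


@check
def secure_cookie_leaks(conversations):
    """Cookie values set over HTTPS that later show up as a query parameter.

    Returns (cookie_name, query_param, leaking_url) tuples. Values shorter
    than 8 characters are ignored to keep trivial values like 'dark' from
    producing noise (a threshold chosen for this example).
    """
    seen = {}  # cookie value -> cookie name, in the order the proxy saw them
    findings = []
    for conv in conversations:
        parts = urlsplit(conv.url)
        for param, values in parse_qs(parts.query).items():
            for v in values:
                if v in seen:
                    findings.append((seen[v], param, conv.url))
        if parts.scheme == "https":
            for morsel in _set_cookies(conv):
                if len(morsel.value) >= 8:
                    seen[morsel.value] = morsel.key
    return findings


@check
def missing_httponly(conversations):
    """Cookies set without the HttpOnly flag, as (url, cookie_name) tuples."""
    return [
        (conv.url, morsel.key)
        for conv in conversations
        for morsel in _set_cookies(conv)
        if not morsel["httponly"]
    ]


def run_checks(conversations):
    """Run every registered check and return {check_name: findings}."""
    return {name: fn(conversations) for name, fn in CHECKS.items()}


# Constructed sample traffic: a login over HTTPS sets a session cookie, and a
# later plain-HTTP tracking link carries the same value in its query string.
SAMPLE = [
    Conversation(
        "https://shop.example/login", "POST",
        [("Set-Cookie", "sessionid=3f9a2c71; Path=/; Secure; HttpOnly"),
         ("Set-Cookie", "prefs=dark; Path=/")],
    ),
    Conversation("https://shop.example/account"),
    Conversation("http://shop.example/track?sid=3f9a2c71&ref=email"),
]

if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE).items():
        print(name, findings)
```

Because the checks only read what the proxy already recorded, they can run continuously while the tester browses, which is the "monitor the output of the proxy" model the abstract describes; an active test such as probing for PUT support would instead need to issue its own requests and is deliberately not shown here.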

Further episodes of Black Hat Briefings, Europe 2007 [Audio] Presentations from the security conference.

