Web application security - the fast guide 1.1 | Page 167
Chapter 8 - Attack Tools
Information is collected through interception, discovery and spider tools
to widen the attack surface by learning more about the navigational
structure and the available functionality and parameters, based on the site
map and the interception proxy history.
The collected information is used to enhance the scenario used by scanners,
fuzzers and token analyzers to detect and probe vulnerabilities.
8.5 Stand-alone tools
Standalone tools that help intercept HTTP web traffic are normally called
HTTP proxies.
The capture is achieved by embedding a service that listens on a local TCP
port. All HTTP-based traffic is redirected through the service, so the
service works as a man in the middle that can tamper with any HTTP session
that passes through it.
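The mechanism described above, as an added example (not from the book or from any of the tools it names): a minimal plain-HTTP forward proxy bound to a local TCP port, exercised against a constructed stand-in origin server. The names `Proxy`, `Origin`, `HISTORY` and the `/login?user=test` URL are assumptions for illustration; the proxy only records and relays GET requests and does not handle HTTPS.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit

HISTORY = []  # proxy history: (method, URL) of every request that passed through

def reply(handler, status, body):
    handler.send_response(status)
    handler.send_header("Content-Length", str(len(body)))
    handler.end_headers()
    handler.wfile.write(body)

class Origin(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web application under test."""
    def do_GET(self):
        reply(self, 200, b"origin saw " + self.path.encode())

class Proxy(http.server.BaseHTTPRequestHandler):
    """Plain-HTTP forward proxy: record the request, then relay it upstream."""
    def do_GET(self):
        # A proxy-aware client puts the absolute URL in the request line.
        HISTORY.append((self.command, self.path))
        # An interception tool would pause here so the tester can view the request.
        url = urlsplit(self.path)
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request("GET", url.path + ("?" + url.query if url.query else ""))
        resp = upstream.getresponse()
        reply(self, resp.status, resp.read())
        upstream.close()

def start(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)  # any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    origin, proxy = start(Origin), start(Proxy)
    target = "http://127.0.0.1:%d/login?user=test" % origin.server_address[1]
    client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
    client.request("GET", target)  # sent to the proxy's port, not to the origin
    body = client.getresponse().read()
    client.close()
    for server in (origin, proxy):
        server.shutdown()
    return target, body, list(HISTORY)

if __name__ == "__main__":
    print(demo())
```

The origin receives only the path and query, while the proxy's history holds the full URL, which is the material the site map and proxy history are built from.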
In general, browser extensions are better for dealing with browser-based
traffic because they can also deal with HTTPS, as they embed the certificate
info. On the other hand, a standalone HTTP proxy can handle HTTP requests
sent by non-browser clients such as mobile apps.
Some examples of HTTP proxies are:
Paros proxy: a free Java-based tool that includes an HTTP proxy, a web
vulnerability scanner and site crawling modules. The tool handles HTTPS
transparently and allows trapping requests, tampering with them and
resending them. It is considered one of the reliable, stable security tools.
Figure 61: Paros interface