Web application security - the fast guide 1.1 | Page 167

Chapter 8 - Attack Tools

Information is collected through the interception, discovery and spider tools to widen the attack surface: the site map and the interception proxy history reveal the application's navigational structure and the functions and parameters it exposes. The collected information is then used to improve the scenarios run by scanners, fuzzers and token analyzers to detect and probe vulnerabilities.

8.5 Stand-alone tools

Stand-alone tools that intercept HTTP web traffic are usually called HTTP proxies. The proxy runs a service on a local TCP port, and the client (typically through the browser's proxy setting) is configured to send all of its HTTP traffic through that port. The service therefore sits as a man in the middle and can view, trap, tamper with and replay any HTTP request or response that passes through it.

Browser extensions are generally more convenient for browser-based traffic because they operate inside the browser, where HTTPS content is already decrypted. A stand-alone proxy has to terminate TLS itself and present its own certificate, which the browser only accepts once the proxy's CA certificate has been installed as trusted. On the other hand, a stand-alone HTTP proxy can also handle the HTTP requests of non-browser clients, such as mobile applications, that are pointed at its port. Some examples of HTTP proxies are:

- Paros proxy: a free Java-based tool that includes an HTTP proxy, a web vulnerability scanner and site-crawling (spider) modules. It handles HTTPS transparently and allows trapping requests, tampering with them and resending them. It is considered one of the reliable, stable security tools.

Figure 61: Paros interface
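The mechanism described above (a service on a local TCP port, the client's traffic redirected through it, a man in the middle that can rewrite any request) is shown below as an added example written for this edit; it is not code from the book and not Paros's code. Everything in it is an assumption made for illustration: the listening port 8080, the two tamper rules (drop Accept-Encoding, set a query parameter named "role" to "admin"), the host example.test, and the fake upstream server used so that the round trip runs offline. HTTPS is deliberately left out: a CONNECT request gets a 501, because intercepting TLS requires the proxy to terminate it with a certificate signed by a CA the client trusts, which is what Paros does when it "handles HTTPS transparently".

```python
import socket
import threading
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

LISTEN = ("127.0.0.1", 8080)  # assumed: the local port the client's proxy setting points at

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in header_lines)]
    return method, target, version, headers, body

def tamper(method, target, version, headers, body):
    """Tester's hook, every request passes through it. Illustrative (assumed) edits only."""
    parts = urlsplit(target)
    # Rewrite a parameter the way a tester probing an authorisation check would.
    query = [(k, "admin" if k == "role" else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(query)))
    # Drop Accept-Encoding so the response comes back uncompressed and readable.
    headers = [(n, v) for n, v in headers if n.lower() != "accept-encoding"]
    return method, target, version, headers, body

def to_origin_form(method, target, version, headers, body):
    """A client using a proxy sends an absolute URL (GET http://host/path HTTP/1.1); rebuild what the
    origin server expects: path only, a Host header, and Connection: close so EOF ends the response."""
    parts = urlsplit(target)
    path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    keep = [h for h in headers if h[0].lower() not in ("host", "connection", "proxy-connection")]
    lines = [f"{method} {path} {version}", f"Host: {parts.netloc}"] + [f"{n}: {v}" for n, v in keep]
    wire = "\r\n".join(lines + ["Connection: close"]).encode("latin-1") + b"\r\n\r\n" + body
    return parts.hostname, parts.port or 80, wire

def read_request(sock):
    """Read one request: headers up to the blank line, then Content-Length bytes of body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    want = next((int(v) for n, v in parse_request(head)[3] if n.lower() == "content-length"), 0)
    while len(body) < want:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body

def handle_client(client, connect=lambda host, port: socket.create_connection((host, port), timeout=10)):
    """Serve one proxied request, relay the response to the client, and return it for inspection."""
    raw = read_request(client)
    if not raw:
        return b""
    parsed = parse_request(raw)
    if parsed[0] == "CONNECT":  # HTTPS tunnel: needs TLS termination with a trusted local CA, not shown here
        client.sendall(b"HTTP/1.1 501 Not Implemented\r\nConnection: close\r\n\r\n")
        return b""
    host, port, wire = to_origin_form(*tamper(*parsed))
    print(">>", wire.split(b"\r\n")[0].decode("latin-1"))  # the proxy history, one line per request
    response = b""
    with connect(host, port) as upstream:
        upstream.sendall(wire)
        while chunk := upstream.recv(4096):  # upstream closes after the response (Connection: close)
            client.sendall(chunk)
            response += chunk
    return response

def demo_roundtrip() -> bytes:
    """Offline run of the whole path: a constructed browser request goes through handle_client
    to a fake upstream (a socketpair) that echoes back the request line it received."""
    browser, proxy_end = socket.socketpair()
    up_proxy, up_server = socket.socketpair()
    def fake_server():
        got = read_request(up_server)
        up_server.sendall(b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + got.split(b"\r\n")[0])
        up_server.close()
    threading.Thread(target=fake_server, daemon=True).start()
    browser.sendall(b"GET http://example.test/admin?role=user&x=1 HTTP/1.1\r\n"  # constructed request
                    b"Host: example.test\r\nAccept-Encoding: gzip\r\nProxy-Connection: keep-alive\r\n\r\n")
    response = handle_client(proxy_end, connect=lambda host, port: up_proxy)
    browser.close()
    proxy_end.close()
    return response

def serve(listen=LISTEN):
    """Accept loop of the real proxy: one thread per client connection."""
    def handle_one(conn):
        handle_client(conn)
        conn.close()
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_one, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    print(demo_roundtrip().decode("latin-1"))
    serve()
```

Running the file first prints the offline round trip, in which the request line the fake server received already carries role=admin and no Accept-Encoding, and then starts listening on 127.0.0.1:8080; pointing a browser's HTTP proxy setting at that port makes every plain-HTTP request appear in the printed history. The tamper function is the only place a tester needs to edit; everything else is the plumbing that a tool like Paros provides with a trap-and-edit window instead of code.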