WebApp Sec mailing list archives

Mangle available for download


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Sun, 22 Dec 2002 18:34:08 +0200

Hi folks,

I've mentioned a few times that I have been developing a program to (re)view
web application traffic.

You can get it at http://mysite.mweb.co.za/residents/rdawes/homepage.html.

Features:

Mangle proxy

 - Acts as an HTTP/HTTPS proxy (fakes a connection to the remote SSL server)
 - Records a summary of every request that goes through the proxy to a log file.
 - Records the detail of every request and response to individual files.
 - Uses Perl LWP objects internally, and can dynamically execute a modification function on every (or selected) request and response.
 - Logs any modified requests and responses

Analysis module:

 - Monitors the proxy log, and reviews each response for:
   - HTML comments
   - HTML forms
   - Scripts and script fragments
   - Potential cross-site scripting opportunities (very weak!)
 - Extracts any links in the page, and maintains a list of "unseen" links, which can be dumped at any time.
 - Will be extended to automatically generate VulnXML tests for applicable URLs, such as:
   - submitting various SCRIPT fragments into variables
   - submitting different types of SQL injection strings into variables
   - whatever else comes up.

Review GUI:

 - written in Perl Gtk (i.e. not browser based. I found that browser-based UIs were not powerful enough, and non-intuitive)
 - continuously tails the proxy log, and the analysis module's logfile
 - allows for commenting the transaction flow (i.e. submit login here to bypass session management)
 - offers raw HTTP and tabulated request view of submissions
 - offers raw HTML and interpreted HTML view (currently broken) of responses
 - offers a tree view of the sites seen (and linked to), highlighting URLs that have not been visited.
   - shows what requests have been sent to a URL
   - will include functionality from params.pl below to view submissions in different ways

Charset analysis program:
 - Useful for initial analysis of cookies, to determine how random their generation is.
 - Calculates the character set used at each position in the cookie string, and uses that to convert the cookie into an integer. Returns the overall character set, positional character set, calculated cookie value, and the "difference" between the cookie and the next one following.
 - Can be useful to load into a graphing program, and look for deviations from the expected "straight line"

Params.pl:
 - returns a list of URLs, and all the parameters (variable names) submitted to the URL. Can be useful to determine how the application functions. (Will be extended to filter by URL, variable name, etc. When filtering by variable name, will show all the values for that variable.)

This is licensed under the GPL, so it may be freely used, modified, etc.

I would appreciate any feedback from people who have used it, and found it
useful, or even lacking in any way.

As mentioned, the HTML support in the GUI is broken (segfaults in XmHTML -
beats me why), but everything else is pretty functional. It is Perl, and
requires a fair number of modules from CPAN, but I recommend that you
install the Perl-Gtk RPMs or other packages, if at all possible. Note that
this is not required for the proxy itself, only the GUI.

Unfortunately, the Perl OpenSSL/Crypt::SSLeay support on Win32 is broken
(was last time I tried, anyway), so for the moment, it is Unix only.

Enjoy, and obviously, use wisely/legally.

Rogan
-- 
In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe () alum mit edu>
--
Deloitte & Touche Security Services Group
Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
--
NOTE: This e-mail message and its attachments are subject to the disclaimers
      as published at: http://www.deloitte.co.za/disc.htm#emaildisc
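The positional character-set method that the charset analysis program above describes, written out as an added Python example (this is not Rogan's Perl tool, and the cookie values are constructed):

```python
import math
from typing import Dict, List

# Constructed sample: six session cookies captured in sequence (not real data).
# Three positions never change and the last two step through small sets, so the
# mixed-radix integers form a straight line, the predictable pattern to look for.
SAMPLE_COOKIES = ["X1F0A", "X1F0C", "X1F0E", "X1F1A", "X1F1C", "X1F1E"]


def positional_charsets(cookies: List[str]) -> List[str]:
    """Sorted set of characters observed at each position across all cookies."""
    lengths = {len(c) for c in cookies}
    if len(lengths) != 1:
        raise ValueError("positional analysis needs equal-length cookies")
    seen = [set() for _ in range(lengths.pop())]
    for cookie in cookies:
        for pos, ch in enumerate(cookie):
            seen[pos].add(ch)
    return ["".join(sorted(s)) for s in seen]


def cookie_to_int(cookie: str, charsets: List[str]) -> int:
    """Mixed-radix conversion: position i has radix len(charsets[i]) and the
    digit is the character's index in that position's observed charset.
    Only observed characters count, so unobserved values compress the scale."""
    value = 0
    for pos, ch in enumerate(cookie):
        value = value * len(charsets[pos]) + charsets[pos].index(ch)
    return value


def max_bits(charsets: List[str]) -> float:
    """Upper bound on entropy implied by the observed per-position charsets."""
    return sum(math.log2(len(cs)) for cs in charsets)


def analyse(cookies: List[str]) -> Dict[str, object]:
    """Overall charset, positional charsets, integer values, successive differences."""
    charsets = positional_charsets(cookies)
    values = [cookie_to_int(c, charsets) for c in cookies]
    return {
        "overall": "".join(sorted(set("".join(cookies)))),
        "positional": charsets,
        "values": values,
        # Constant differences mean a counter; plot values against index to see it.
        "differences": [b - a for a, b in zip(values, values[1:])],
        "max_bits": max_bits(charsets),
    }
```

For the sample, `analyse(SAMPLE_COOKIES)["differences"]` is `[1, 1, 1, 1, 1]` and only about 2.6 bits of the five characters actually vary.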

