The following tools are available at www.webcohort.com for free download:

-----------------------------
ITR (Interactive TCP Relay)
-----------------------------

This tool provides a security-testing environment for non-HTTP client/server applications, similar to the one interactive HTTP proxies provide for web applications. When started, ITR operates as a simple TCP tunnel: it listens on a configured port and forwards all traffic to the remote host and port. By configuring the client to treat ITR as its server, all traffic between the client and the server can be tunneled and logged.

The true power of ITR, however, lies in its ability to intercept and edit the traffic passing through it. In intercept mode, ITR holds every message sent through it (client to server and/or server to client) until you release it. The message can be edited freely before it is forwarded, which makes a convenient environment for testing client/server applications. Messages are edited in a built-in hex editor.

To support a variety of systems, ITR can display both its logs and the hex editor using different character encodings, such as ASCII or EBCDIC.

-----------------------------
BOU (Buffer Overflow Utility)
-----------------------------

BOU is a command-line utility that checks web server applications for buffer overflows. Written in Java, BOU quickly uncovers suspected buffer overflow problems in HTTP requests, and supports both the GET and POST methods.

-----------------------------
Mapper
-----------------------------

Mapper helps you map the files, file parameters and values of any site you wish to test. Simply browse the site as a normal user while recording your session with Achilles (Mapper supports other proxies as well), and run Mapper on the resulting log file.

Mapper will create a CSV file (readable in Excel) that lets you study the directory and file structure of the site, the parameter names of every dynamic page encountered (ASP/JSP/CGI and so on), and the values passed to them each time you requested them. This helps you quickly locate design errors and parameters that may be prone to SQL injection or parameter tampering. Mapper also supports non-standard parameter delimiters and MVC-based web sites.

Eyal Udassin
Application Security Consultant
WebCohort Ltd.
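The relay described in the ITR section above, as an added example in Python; this is not WebCohort's ITR, only an illustration of the same idea: a TCP tunnel that logs every message as a hex dump with an ASCII or EBCDIC text column and, in intercept mode, hands each message to an editor hook before forwarding it. The hook (`tamper`), the upper-casing echo server standing in for the real server, and the `LOGIN user=guest` message are all constructed for the demonstration; a real session would edit the bytes by hand instead of using a fixed hook.

```python
"""Added example (not WebCohort's code): a small interactive TCP relay in the
spirit of ITR. Listen on a port, forward to a remote host:port, log each message
as a hex dump (ASCII or EBCDIC text column) and, in intercept mode, pass each
message through an editor hook that may rewrite it before it is sent on."""
import socket
import sys
import threading
from typing import Callable, List, Optional, Tuple

Editor = Callable[[str, bytes], bytes]   # (direction, message) -> message to forward
LogEntry = Tuple[str, bytes]             # (direction, message as forwarded)


def hexdump(data: bytes, encoding: str = "ascii", width: int = 16) -> str:
    """Hex-editor style view; the text column is ASCII or EBCDIC (IBM code page 037)."""
    codec = "cp037" if encoding.lower() == "ebcdic" else "ascii"
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = chunk.decode(codec, errors="replace")
        text = "".join(c if 32 <= ord(c) < 127 else "." for c in text)
        rows.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(rows)


def pump(src: socket.socket, dst: socket.socket, direction: str,
         editor: Optional[Editor], log: List[LogEntry]) -> None:
    """Copy one direction of the connection; each recv() is treated as one message."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        if editor is not None:               # intercept mode: the hook may rewrite the message
            data = editor(direction, data)
        log.append((direction, data))
        if data:
            dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)         # pass the half-close through to the other side
    except OSError:
        pass


def relay_connection(client: socket.socket, target: Tuple[str, int],
                     editor: Optional[Editor], log: List[LogEntry]) -> None:
    """Tunnel one accepted client connection to the real server in both directions."""
    server = socket.create_connection(target)
    threads = [threading.Thread(target=pump, args=(client, server, "C->S", editor, log), daemon=True),
               threading.Thread(target=pump, args=(server, client, "S->C", editor, log), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    server.close()


def tamper(direction: str, data: bytes) -> bytes:
    """Constructed intercept hook standing in for a hand edit in the hex editor:
    rewrite one field of the client's request, leave server replies alone."""
    return data.replace(b"user=guest", b"user=admin") if direction == "C->S" else data


def loopback_demo(editor: Optional[Editor] = tamper) -> Tuple[bytes, List[LogEntry]]:
    """Offline round trip on 127.0.0.1: client -> relay -> upper-casing echo server
    (a constructed stand-in for the real server). Returns (client's reply, relay log)."""
    log: List[LogEntry] = []
    echo_srv = socket.create_server(("127.0.0.1", 0))
    listener = socket.create_server(("127.0.0.1", 0))

    def echo() -> None:
        conn, _ = echo_srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk.upper())

    def accept_one() -> None:
        conn, _ = listener.accept()
        relay_connection(conn, echo_srv.getsockname(), editor, log)

    threading.Thread(target=echo, daemon=True).start()
    threading.Thread(target=accept_one, daemon=True).start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(b"LOGIN user=guest\n")     # constructed client message
    client.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    for s in (client, listener, echo_srv):
        s.close()
    return reply, log


if __name__ == "__main__":
    if len(sys.argv) == 4:   # real use: itr_demo.py <listen_port> <remote_host> <remote_port>
        listener = socket.create_server(("127.0.0.1", int(sys.argv[1])))
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=relay_connection, daemon=True,
                             args=(conn, (sys.argv[2], int(sys.argv[3])), tamper, [])).start()
    else:
        reply, log = loopback_demo()
        for direction, msg in log:
            print(direction + "\n" + hexdump(msg))
        print("client received:", reply)
```

Each `recv()` is treated as one message, which is what a relay can see at the TCP level; if the protocol frames messages differently (length prefixes, records split across segments), the hook should buffer and reassemble before editing, or an edit that changes the length will desynchronise the peer.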
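The log-to-CSV pass described in the Mapper section above, as an added example in Python; this is not WebCohort's Mapper. The page does not describe the Achilles log format, so the parser assumes a constructed log of raw HTTP requests separated by a line containing only `----`; the sample requests against `www.example.test` are likewise constructed. It reads parameters from GET query strings and from form-encoded POST bodies, accepts `;` as well as `&` as a delimiter (the non-standard delimiter case the page mentions), and emits one CSV row per parameter per request, plus the list of directories seen.

```python
"""Added example (not WebCohort's code): a Mapper-style pass over a proxy log of
raw HTTP requests, producing CSV rows of request, method, path, parameter, value."""
import csv
import io
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

Row = Tuple[int, str, str, str, str]   # (request no., method, path, parameter, value)

# Assumed log layout (the real Achilles format is not described on the page):
# raw HTTP requests, one after another, separated by a line containing only "----".
SEPARATOR = re.compile(r"^----$", re.MULTILINE)


def split_params(encoded: str, delimiters: str = "&;") -> List[Tuple[str, str]]:
    """Split a query string or form body on any configured delimiter ('&' is
    standard, ';' is the usual non-standard one) and URL-decode names and values."""
    pairs = []
    for part in re.split("[" + re.escape(delimiters) + "]", encoded):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_request(raw: str, delimiters: str = "&;") -> Tuple[str, str, List[Tuple[str, str]]]:
    """(method, path, parameters) for one raw request; parameters come from the query
    string and, for application/x-www-form-urlencoded POSTs, from the body."""
    raw = raw.replace("\r\n", "\n").strip("\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, *_ = lines[0].split(" ")
    path, _, query = target.partition("?")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = split_params(query, delimiters)
    if method.upper() == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += split_params(body.strip(), delimiters)
    return method.upper(), path, params


def map_log(log_text: str, delimiters: str = "&;") -> List[Row]:
    """One row per parameter per request; a request without parameters still yields a
    row so that static files appear in the structure map."""
    rows: List[Row] = []
    blocks = [b for b in SEPARATOR.split(log_text) if b.strip()]
    for n, block in enumerate(blocks, start=1):
        method, path, params = parse_request(block, delimiters)
        if not params:
            rows.append((n, method, path, "", ""))
        for name, value in params:
            rows.append((n, method, path, name, value))
    return rows


def directories(rows: List[Row]) -> List[str]:
    """Distinct directories seen, for the directory/file structure view."""
    return sorted({r[2].rsplit("/", 1)[0] or "/" for r in rows})


def to_csv(rows: List[Row]) -> str:
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["request", "method", "path", "parameter", "value"])
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample log: three dynamic pages (one with ';' delimiters) and one static file.
SAMPLE_LOG = """\
GET /shop/item.asp?id=12&cat=books HTTP/1.0
Host: www.example.test
----
POST /account/login.asp HTTP/1.0
Host: www.example.test
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

user=guest&pass=Pa%2Ass
----
GET /reports/view.jsp?id=12;format=pdf HTTP/1.0
Host: www.example.test
----
GET /images/logo.gif HTTP/1.0
Host: www.example.test
"""

if __name__ == "__main__":
    rows = map_log(SAMPLE_LOG)
    print(to_csv(rows))
    print("directories:", directories(rows))
```

Reading the CSV, the analyst's check is to sort by parameter name and look at the value column: a parameter that only ever carries small integers (`id` above) is the first candidate for tampering and SQL injection tests, and a parameter that appears on several pages with the same value hints at shared back-end code.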