Yet another proxy for analysing web applications. We already have WebScarab, Burp, Paros, ratproxy, OWASP ZAP and Fiddler; now there is another one, OWASP Hatkit, which was released at DEF CON 19. The main feature that may capture your attention is that it has a database to store all recorded data, which helps with further analysis. Hatkit uses MongoDB, where the parsed traffic is stored as JSON documents. So you can use MongoDB's advanced querying facilities, and even use other tools to view and analyse the data.
Now, how do you set it up on your favourite BackTrack? I tried it on BackTrack 5 R1. First you need to install MongoDB. If you have Synaptic installed you should find MongoDB by searching the default repo. Obviously there are other ways to do it, but I took the simplest option.
Or just: $ sudo apt-get install mongodb
Next, download Hatkit itself from here. Direct link: hatkit_proxy-0.6.1.zip
Just extract it in /opt, then from the extracted directory:
# ls
hatkit_proxy.jar  hatkit_proxy.sh  lib  LICENSE.txt  processors  README
# java -jar hatkit_proxy.jar
Hatkit has a web scraper converter; you need to locate its install path.
To analyse the stored data there is another project available, the OWASP Hatkit Datafiddler. It is a tool for performing analysis of data held in MongoDB, particularly HTTP traffic recorded by the proxy.
This tool can be downloaded from here. Direct link: hatkit_datafiddler-0.6.0.zip
$ unzip hatkit_datafiddler-0.6.0.zip
$ cd hatkit_datafiddler-0.6.0/
$ python datafiddler.py
You may get a dependency error for the Python MongoDB driver if you have not installed it before.
pymongo is the Python driver for MongoDB. There are different ways of installing pymongo, but I installed it from source. Installing the pymongo driver from source is easy:
git clone https://github.com/mongodb/mongo-python-driver.git
cd mongo-python-driver
python setup.py install
cd ..
$ python datafiddler.py
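The point of storing recorded traffic in MongoDB (noted at the top of this post) is that you can query it with MongoDB filters and write your own analysis instead of relying on Datafiddler's UI. The block below is an added example, not code from the Hatkit or Datafiddler projects: it builds a few MongoDB-style filter documents of the kind you would pass to pymongo's collection.find(), evaluates them offline with a small matcher over constructed sample records, and runs two typical post-capture checks (attack-surface summary per endpoint, and Set-Cookie headers missing HttpOnly/Secure). The document layout (request.method, request.host, request.path, request.params, response.status, response.headers) is an assumption for illustration; check Hatkit's real field names with findOne() in the mongo shell before reusing the filters against a live collection.

```python
"""Offline demonstration of MongoDB-style queries over recorded HTTP traffic.

The record layout below is an ASSUMED schema for illustration, not Hatkit's
documented one. The filter dicts are in MongoDB query syntax, so once the
field names are adjusted they can be passed unchanged to
pymongo: db.some_collection.find(SERVER_ERRORS).
"""
import re

# Constructed sample transactions (not real captures), shaped like parsed
# HTTP request/response pairs under the assumed schema.
SAMPLE_DOCS = [
    {"request": {"method": "GET", "host": "shop.example.test", "path": "/search",
                 "params": {"q": "shoes"}},
     "response": {"status": 200, "headers": {"Content-Type": "text/html"}}},
    {"request": {"method": "POST", "host": "shop.example.test", "path": "/login",
                 "params": {"user": "alice", "pass": "hunter2"}},
     "response": {"status": 302, "headers": {"Set-Cookie": "sid=abc123; Path=/"}}},
    {"request": {"method": "GET", "host": "shop.example.test", "path": "/item",
                 "params": {"id": "1 OR 1=1"}},
     "response": {"status": 500, "headers": {"Content-Type": "text/html"}}},
    {"request": {"method": "GET", "host": "cdn.example.test", "path": "/logo.png",
                 "params": {}},
     "response": {"status": 200, "headers": {"Content-Type": "image/png"}}},
]

# Filters in MongoDB query syntax (field names are part of the assumed schema).
SERVER_ERRORS = {"response.status": {"$gte": 500}}
CREDENTIAL_POSTS = {"request.method": "POST", "request.params.pass": {"$exists": True}}
SQLI_LIKE_ID = {"request.params.id": {"$regex": r"\bor\b\s+\d+\s*=\s*\d+", "$options": "i"}}

_MISSING = object()  # sentinel distinguishing "field absent" from a None value


def get_path(doc, dotted):
    """Resolve a dotted field path such as 'response.status', like MongoDB does."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def _match_value(value, cond):
    """Evaluate one field condition: plain equality or a dict of $operators."""
    if not (isinstance(cond, dict) and any(k.startswith("$") for k in cond)):
        return value is not _MISSING and value == cond
    for op, arg in cond.items():
        if op == "$exists":
            if (value is not _MISSING) != bool(arg):
                return False
        elif op == "$options":
            continue  # consumed together with $regex below
        elif value is _MISSING:
            return False
        elif op == "$gte":
            if not value >= arg:
                return False
        elif op == "$lt":
            if not value < arg:
                return False
        elif op == "$in":
            if value not in arg:
                return False
        elif op == "$regex":
            flags = re.I if "i" in cond.get("$options", "") else 0
            if not re.search(arg, str(value), flags):
                return False
        else:
            raise ValueError("unsupported operator in this offline matcher: " + op)
    return True


def matches(doc, query):
    """True when every top-level field condition of the filter holds (implicit $and)."""
    return all(_match_value(get_path(doc, field), cond) for field, cond in query.items())


def find(docs, query):
    """Offline stand-in for collection.find(query): returns the matching documents."""
    return [d for d in docs if matches(d, query)]


def endpoints_with_params(docs):
    """Map (host, path) -> sorted parameter names seen: a quick attack-surface summary."""
    surface = {}
    for d in docs:
        req = d["request"]
        surface.setdefault((req["host"], req["path"]), set()).update(req.get("params", {}))
    return {key: sorted(names) for key, names in surface.items()}


def cookies_missing_flags(docs):
    """(path, cookie name, missing flags) for every Set-Cookie lacking HttpOnly or Secure."""
    findings = []
    for d in docs:
        cookie = get_path(d, "response.headers.Set-Cookie")
        if cookie is _MISSING:
            continue
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append((get_path(d, "request.path"), cookie.split("=", 1)[0], missing))
    return findings


if __name__ == "__main__":
    for name, q in (("server errors", SERVER_ERRORS), ("credential posts", CREDENTIAL_POSTS),
                    ("sqli-looking id", SQLI_LIKE_ID)):
        print(name, [d["request"]["path"] for d in find(SAMPLE_DOCS, q)])
    print(endpoints_with_params(SAMPLE_DOCS))
    print(cookies_missing_flags(SAMPLE_DOCS))
```

Against a live store you would replace find(SAMPLE_DOCS, q) with pymongo's collection.find(q) and keep the analysis functions as they are; the offline matcher exists only so the example runs without a MongoDB instance.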
My first impression is that this tool still needs some UI improvement and needs to be a bit more user friendly. I will try to update this post after more work with this tool, and I hope this tool will keep being updated.
More info: DEF CON conference slides here. OWASP project home here.