Exodus - a web application review tool
History
Exodus is derived from a number of sources. The original inspiration came from httpush, by Lluis Mora Hidalgo, which offered the ability to intercept HTTP and HTTPS connections, display the requests, and modify them on the fly.
I felt that the HTML interface to the proxy was a bad choice, since the site I was testing used forms in non-resizable frames, and I couldn't reach the Submit button to tell httpush to continue!
I changed it quite radically, creating "mangle.pl" so that it would save the conversations, and implemented a Perl/Gtk interface to review the information seen. I ended up writing a number of tools, that followed the Unix philosophy of "one tool to do a simple thing well". However, none of them really did the jobs well, and they didn't integrate well, either.
Mangle was also not very portable, using the Perl Crypt::SSLeay and Net::SSLeay bindings to OpenSSL, which I had difficulty compiling on Win32, and needing a bunch of modules from CPAN, and other places. It was a real disaster trying to install it on another machine, even for me as the creator. I eventually decided to re-implement it in Java.
Exodus is the Java version of mangle.
Why ANOTHER proxy?
Why is this tool any different to those other proxies already available?
- Open source
- Portable (Java)
- Supports SSL intercept
- self-contained (apart from a JRE)
- open to extension by the community
(OK, so there are others that have many of these attributes. Hopefully people will find this one interesting anyway! :-)
Comparison against existing tools
|                       | Exodus                 | Dave Aitel's Spike Proxy | Sverre Huseby's PenProxy | @Stake WebProxy             | Mangle                 |
| License               | GPL                    | Unknown                  | Free?                    | Commercial                  | GPL                    |
| Portability           | Yes. Java              | Yes. Python              | Yes. Java                | Yes. Java                   | No. Linux Perl and Gtk |
| Connection Capability | HTTP and HTTPS         | HTTP and HTTPS           | HTTP                     | HTTP and HTTPS              | HTTP and HTTPS         |
| Interface             | Swing                  | Browser based.           | Swing                    | Swing                       | Gtk                    |
| Interception          | Requests and responses | Unknown                  | Requests                 | Requests. Responses unknown | Requests and responses |
| Extensibility         | Designed to be.        | Yes, I'm sure.           | Limited. No real support | Yes, but proprietary        | Not really             |
Functionality existing in Exodus today
- Proxies HTTP and HTTPS connections
- Supports upstream HTTP proxies (HTTPS coming soon)
- Supports Basic-Auth and Proxy Basic-Auth (NTLM support will come if there is a need for it, I'm sure!)
- Supports interception and modification of requests and responses (individually selectable)
- Shows a log of requests received by the proxy, modifications made by the user/proxy, responses from the server, and modifications made to the response
- Can render HTML responses to the screen
Planned development
- (High) Save and Load of conversations seen, and analysis done (file access methods exist, but a dialog to activate them is required)
- (Medium) More granular selection of whether or not to intercept a request or a response - the framework is laid out, but still needs to be coded
- (High) Support for upstream SSL proxies (framework exists, not difficult to add)
- (Medium) Option to transform "hidden" form fields to "text" fields, so that they can be modified in the browser.
- (Low) Show images as an image, rather than a byte stream
- (Medium) site view - shows the URLs requested in a tree, and highlights attributes of the URL (see below)
- (High) examination of the HTML responses for Scripts, comments and Forms
- (Medium) presentation of the scripts, comments and forms for human analysis and rating.
- (Medium) Presentation of a summary of parameters submitted to a URL, to assist in determining what parameters are required in which combinations
- (Medium) Spider - during examination of the HTML, any unseen links will be added to a tree, and will be automatically/manually retrieved and analysed
- (Low) Cookie analysis - present all requests that resulted in a cookie being set, allow the operator to select one to replay, then retrieve an amount of cookies. The character set of those cookies will then be analysed to determine patterns, etc
- (Low) Testing whether the Cookie sent was necessary. A browser will send the cookie to all pages in the specified tree. Try removing the cookie (or Basic Auth) headers for requests, and see if we get the same content back.
Strings in brackets are current priorities, but are subject to change.
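The planned hidden-to-text transformation, as an added Java example that is not Exodus's own code: a response filter that rewrites the type attribute of hidden input elements so the browser renders them as editable text fields. The class and method names are hypothetical, and the HTML it is run on is a constructed sample.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Rewrites <input type="hidden"> elements to type="text" in an HTML response
 * so the browser displays them and the tester can edit them before submission.
 * Hypothetical class, not part of Exodus.
 */
public class HiddenFieldRevealer {

    // Group 1: the <input tag up to and including "type=".
    // Group 2: the quote character around the value, or empty when unquoted.
    // [^>]*? keeps the match inside a single tag; CASE_INSENSITIVE covers TYPE=HIDDEN etc.
    private static final Pattern HIDDEN_INPUT = Pattern.compile(
            "(<input\\b[^>]*?\\btype\\s*=\\s*)([\"']?)hidden(?![\\w-])\\2",
            Pattern.CASE_INSENSITIVE);

    /** Returns the rewritten HTML; the original string is left untouched. */
    public static String revealHiddenFields(String html) {
        return HIDDEN_INPUT.matcher(html).replaceAll("$1$2text$2");
    }

    /** Counts the hidden inputs a page contains, useful for logging what was changed. */
    public static int countHiddenFields(String html) {
        Matcher m = HIDDEN_INPUT.matcher(html);
        int n = 0;
        while (m.find()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample response: double-quoted, unquoted and upper-case variants,
        // plus an ordinary text field that must be left alone.
        String page = "<form action=\"/order\" method=\"POST\">\n"
                + "  <input type=\"hidden\" name=\"price\" value=\"10.00\">\n"
                + "  <input name=\"item\" type=hidden value=\"42\">\n"
                + "  <INPUT TYPE='HIDDEN' NAME='session' VALUE='abc'>\n"
                + "  <input type=\"text\" name=\"qty\" value=\"1\">\n"
                + "</form>\n";
        System.out.println("hidden fields found: " + countHiddenFields(page));
        System.out.print(revealHiddenFields(page));
    }
}
```

The regex is a heuristic over the raw response rather than an HTML parser, so it is applied only to responses with a text/html content type and the original is kept alongside the modified copy, as the conversation log already does for other modifications.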
Further down the line:
- VulnXML support - support for execution of VulnXML tests, and viewing the results
- fuzzing - dynamic generation of VulnXML tests for interesting URLs
Source for Exodus will be released shortly, I am just cleaning it up a little. Please realise that this is my first real Java application, so if I am doing things the wrong way, please be gentle, and send me a patch rather than a flame :-)
Download
You can download Exodus here, and the source here. Exodus has been developed using NetBeans, and the source includes the forms for the GUI editor.
You may need to right click, and select "Save As", since my ISP does not have MIME-types for jar files.
Contact
Any and all comments and suggestions are welcome.
Send me mail at rdawes @ mweb.co.za, or rdawes @ deloitte.co.za
Changelog
2003/03/03
- Fixed proxy download of large documents
- Model now returns copies, so changes to the conversations are not necessarily reflected in the Model
- Model maintains links between conversations and URLs
- Model can now read from and write to a directory (persistent storage)
- Exodus now includes a log pane, so messages are not lost to Stdout when run from a GUI. Low-level classes still log to stdout, so if you are having problems, run it from a DOS box or shell