
By: WhiteHat Security, Inc.
Copyright 2002 WhiteHat Security, Inc. ALL RIGHTS RESERVED.


Introduction
WhiteHat Arsenal 1.07 Beta Release

WhiteHat Arsenal is designed to be the next generation of professional web application security audit software. Architected from the ground up to be a generic web application security productivity tool, WhiteHat Arsenal provides security professionals and web application developers access to the tools they need to make the job of securing web applications faster and easier than ever before.

Currently, for even the most experienced security professionals, it is cumbersome if not impossible to quickly and efficiently execute most known web application attacks without resorting to quickly written custom utilities. Writing custom utilities during a penetration test or formal security review is a waste of time; a security professional's time should be focused on actually identifying vulnerabilities and resolving them. Unfortunately, penetration testers and web application developers alike lack effective tools to test common, let alone hard to find, security weaknesses. As a result, many mission critical web applications are inadequately protected against the increasingly prevalent threat of malicious attacks.

Many experienced information security professionals agree that currently available web security scanners, which scan only for known vulnerabilities, achieve limited success at best. Furthermore, these tools often produce a flood of false positives, wasting time and effort. WhiteHat Security understands these frustrating shortcomings of the existing tools and the increased need for securing the Internet's web applications. WhiteHat Arsenal is poised to revolutionize the manner in which web applications are penetration tested and secured.

WhiteHat Arsenal possesses a powerful suite of browser-based GUI web security tools. These let WhiteHat Arsenal complete painstaking web security penetration test work faster and more effectively than any tool currently available. Imagine being able to quickly customize and execute just about any web security attack, and having those penetration attempts logged in XML for later reporting or analysis.

WhiteHat Arsenal makes it possible to quickly focus attention on HTML forms, to easily view their inputs (even the hidden fields), and to modify them in seconds. It can be used to rapidly uncover a vast number of vulnerabilities in any web application by making it faster than ever before to perform any of the following attacks:

Cross-Site Scripting (XSS)
Parameter Tampering
Cookie Poisoning
URL Manipulation
CGI Directory Traversal
Direct OS Commanding
Meta Character Injection
SQL Command Injection
HTTP Request Header Manipulation
HTTP Request Method Manipulation
Protocol Manipulation

and many more variants and combinations...

WhiteHat Arsenal is about increasing the effectiveness of web application security testing and audits, saving huge amounts of time in the process.

Using the feedback from our users, we made WhiteHat Arsenal 1.06 easier to use and more effective. WhiteHat Security is on a mission to improve the way in which people build, secure and penetration test web applications.


WhiteHat Arsenal can do:

- Target HTTPS (SSL) web servers.
- Supports most recent browsers. (Mozilla 0.99, Netscape 6, Opera, MSIE 6).
- Spider specific hostname.
- Display and log (in XML/XSL) web page properties.
- Describe and log web applications in XML/XSL.
- Scan for common directories, log files, and backup files.
- Allow HTML forms to be easily viewed, modified and manipulated.
- XML log files can be copied and pasted into Word/Excel.
- Perform Header Manipulation, Method Manipulation, Hidden Form Field Manipulation, Parameter Manipulation, HTTP Version Manipulation, etc.
- Completely session based for project organization.
- Quick URL Encode/Decode.
- Quick Base64 Encode/Decode.
- Quick MD4, MD5 and SHA1 hashing and ROT13 encoding. (These are one-way hashes and a trivial substitution, not encryption.)
- Logs all web application penetration attempts in XML.
- View HTTP Request results in HTML, RIP-REWRITE, or SOURCE code mode.
- View HTTP Response/Response Headers.
- Support for HTAUTH.
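The form-manipulation and XML-logging features listed above (viewing a form's inputs including hidden fields, tampering with them, and recording each attempt in XML) are illustrated by the following added example. It is not WhiteHat Arsenal code; the sample HTML page, the checkout form, the field names, the session name and the target hostname are all constructed for the example.

```python
"""Added example (not WhiteHat Arsenal code): harvest a form's inputs,
including hidden fields, build a tampered submission, and record the
attempt as an XML element, mirroring the workflow described above.
The HTML, hostname, session name and field names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Constructed sample page: a checkout form whose price lives in a
# hidden field, i.e. a value the browser never shows the user.
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/checkout.pl" method="POST">
  <input type="hidden" name="item_id" value="4711">
  <input type="hidden" name="price" value="199.00">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
</body></html>
"""


class FormHarvester(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "GET").upper(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({"name": a.get("name"),
                                            "type": a.get("type", "text"),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def harvest_forms(html):
    """Return the list of forms found in a static HTML page."""
    parser = FormHarvester()
    parser.feed(html)
    return parser.forms


def hidden_fields(form):
    """Names of the hidden inputs: the ones worth tampering with first."""
    return [f["name"] for f in form["fields"] if f["type"] == "hidden"]


def tamper(form, overrides):
    """Build the submission parameters with chosen values replaced.
    Buttons and nameless inputs are left out, as a browser would."""
    params = {f["name"]: f["value"] for f in form["fields"]
              if f["name"] and f["type"] not in ("submit", "reset")}
    params.update(overrides)
    return params


def log_attempt(session, base_url, form, params, attack):
    """Serialize one penetration attempt as an XML <attempt> element."""
    node = ET.Element("attempt", session=session, attack=attack)
    ET.SubElement(node, "target").text = base_url + form["action"]
    ET.SubElement(node, "method").text = form["method"]
    ET.SubElement(node, "body").text = urlencode(params)
    return ET.tostring(node, encoding="unicode")


if __name__ == "__main__":
    form = harvest_forms(SAMPLE_HTML)[0]
    print("hidden fields:", hidden_fields(form))
    tampered = tamper(form, {"price": "1.00"})
    print(log_attempt("demo", "http://target.example", form, tampered,
                      "Hidden Form Field Manipulation"))
```

The parser is static, so like the tool itself (see the "can't do" list) it will not see fields that JavaScript adds or rewrites at runtime; the XML record is the kind of per-attempt log the page describes, ready to be styled with XSL or pasted into a report.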

Help in performing various web application attacks:
     CGI Parameter Tampering
     Hidden Form Field Manipulation
     Directory Traversal
     Cross-Site/In-Line Scripting
     SQL Command Injection
     Meta Character Injection
     Direct OS Commanding
     Extension Manipulation
     Referer Manipulation
     Cookie Manipulation
     User-Agent Manipulation
     Path Obfuscation
     Case Sensitivity
     URL Encoded Strings
     CSS Filter-Bypass Manipulation
     Protocol/Method Manipulation
     Null Character Attacks
     Session Hi-Jacking
     Session Replay
     Session Forging
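Several entries in the list above (Directory Traversal, Path Obfuscation, Case Sensitivity, URL Encoded Strings, Null Character Attacks) are variants of one probe: the same traversal sent in forms a naive server-side filter does not recognize. The added example below, which is not WhiteHat Arsenal code, places such a naive blacklist filter beside a filter that canonicalizes the path before checking it, and runs both over a set of constructed probes. The document root, the allowed extensions, the file names and the probes are all assumptions made for the example; treating backslash as a path separator is likewise an assumption (conservative on POSIX, accurate on Windows).

```python
"""Added example (not WhiteHat Arsenal code): a naive blacklist filter
beside a canonicalizing allow-list filter, fed the request variants a
tester would try (plain and encoded traversal, double encoding, path
obfuscation, case changes, null bytes). DOCROOT, ALLOWED_EXT and the
probes are constructed for the example."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"          # assumed document root
ALLOWED_EXT = (".html", ".jpg")      # assumed extension allow-list


def naive_is_allowed(raw_path):
    """Blacklist on the raw request path: the style of check the
    encoded and obfuscated variants are designed to slip past."""
    return not any(bad in raw_path for bad in ("../", "/etc/", ".htpasswd"))


def canonicalize(raw_path):
    """Percent-decode until stable (bounded so triple encoding cannot
    loop forever), reject embedded NULs, treat backslash as a separator
    (assumption), then resolve against DOCROOT so dot segments collapse."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:
        raise ValueError("null byte in path")
    path = path.replace("\\", "/")
    return posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))


def hardened_is_allowed(raw_path):
    """Allow only paths that resolve inside DOCROOT and carry a
    permitted extension, compared case-insensitively."""
    try:
        full = canonicalize(raw_path)
    except ValueError:
        return False
    if not full.startswith(DOCROOT + "/"):
        return False
    return full.lower().endswith(ALLOWED_EXT)


# Constructed probes, one per attack variant from the list above.
PROBES = {
    "plain traversal":  "../../../etc/passwd",
    "url encoded":      "..%2F..%2F..%2Fetc%2Fpasswd",
    "double encoded":   "..%252F..%252F..%252Fetc%252Fpasswd",
    "path obfuscation": r"..\..\..\etc\passwd",
    "case sensitivity": "/.HTPASSWD",
    "null byte":        "/docs/config.txt%00.html",
    "dot segments":     "/docs/./././../index.html",
    "legitimate":       "/docs/index.html",
}


def probe_all(probes=PROBES):
    """Run every probe through both filters: {name: (naive, hardened)}."""
    return {name: (naive_is_allowed(p), hardened_is_allowed(p))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (naive, hard) in probe_all().items():
        print(f"{name:18} naive={'allow' if naive else 'block':5} "
              f"hardened={'allow' if hard else 'block'}")
```

The run shows both failure modes the page complains about: the blacklist lets five of the six hostile variants through, and it also blocks the harmless "/docs/./././../index.html", a false positive that the canonicalizing filter serves correctly. A tester using the tool sends exactly these variants; the developer's fix is to decode and normalize once, then compare against an allow-list, as hardened_is_allowed does.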


WhiteHat Arsenal can't do:

- Control Spidering Speed.
- Unicode Encoding/Decoding.
- Anti-Intrusion Detection.
- Traceroute or ARIN.
- Support JavaScript enhanced forms.
- Split log files across multiple files. (Browsers may have difficulty displaying large XML/XSL files.)
- Log file reporting in browsers that do not support XSL.



Quick Start

Step 1: Create and/or Activate a new session using the session manager on left hand toolbar.

Step 2: Specify your target web server using the top toolbar. Make sure to use full URLs.

Step 3: Click either Spider or Ripper.
