Tuesday, September 18, 2012

The Manipulator v 0.2 : Command Line Parameter Manipulation Web Scanner

The Manipulator is a command line scanner that seeks to identify parameter manipulation vulnerabilities. It parses Burp logs for numeric parameters, then tests each one for parameter manipulation flaws by submitting a range of similar but different numeric values and looking for differences in the responses.


What is The Manipulator?
It's a wrapper for curl written in bash. It's also a tool that can be used to remotely identify parameter manipulation vulnerabilities.

The Manipulator is beta; don't use it in an environment that matters to you or anyone else. Do not use The Manipulator to scan hosts without the owner's permission.

Features:
  • Support for automated detection and testing of parameters in POST URIs and multipart forms
  • Scan 'state' maintenance: Halt a scan at any time - scan progress is saved and you can easily resume a scan from the URL where you stopped
  • Specify a specific request number to resume a scan from
  • HTML format output with links/buttons to send Proof of Concept requests

What do I need to use The Manipulator?
The Manipulator is built and tested on BackTrack 5 R2. On all other platforms Your Mileage May Vary; you will need an OS that can support bash (*nix, cygwin (not tested), etc.), curl must be installed and in your path, and 'replace' (which is missing from many *nixes) must also be installed and in your path. Until I implement web spider functionality, The Manipulator is dependent upon Burp proxy to create log files (not Burp state files) which The Manipulator uses to build its internal list of fuzz requests. The free version of Burp can be used to create these log files. Within Burp go to options > misc and check the proxy requests tick box; browse the target site, populate your log, then pass it to The Manipulator.
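
As an added example (not part of The Manipulator or the original post), the script below shows the defender's view of the approach described at the top of this post: it flags clients that send many different numeric values for one parameter on one path. The three-column log layout, the sample lines and the threshold of 5 are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: flag clients that request one path with many different
# numeric values for the same parameter, the traffic pattern produced by
# submitting a range of similar numeric values.
# Assumptions: log layout, sample data and threshold are all constructed.

# Constructed sample log: "<client> <method> <path?query>"
sample_log() {
cat <<'EOF'
10.0.0.5 GET /invoice?id=1041&lang=en
10.0.0.5 GET /invoice?id=1042&lang=en
10.0.0.5 GET /invoice?id=1043&lang=en
10.0.0.5 GET /invoice?id=1044&lang=en
10.0.0.5 GET /invoice?id=1045&lang=en
10.0.0.9 GET /invoice?id=2210&lang=en
10.0.0.9 GET /invoice?id=2210&lang=fr
10.0.0.9 GET /search?page=1&q=2012
10.0.0.9 GET /search?page=2&q=2012
EOF
}

# find_sweeps THRESHOLD: reads log lines on stdin and prints
# "client path param distinct_count" for each (client, path, parameter)
# that was seen with at least THRESHOLD distinct numeric values.
find_sweeps() {
  awk -v min="$1" '
    {
      if (split($3, url, "?") < 2) next      # request has no query string
      path = url[1]
      m = split(url[2], pairs, "&")
      for (i = 1; i <= m; i++) {
        eq = index(pairs[i], "=")
        if (eq == 0) continue                # parameter without a value
        name = substr(pairs[i], 1, eq - 1)
        val  = substr(pairs[i], eq + 1)
        if (val !~ /^[0-9]+$/) continue      # only purely numeric values
        key = $1 " " path " " name
        if (!((key, val) in seen)) {         # count each value once
          seen[key, val] = 1
          count[key]++
        }
      }
    }
    END { for (k in count) if (count[k] >= min) print k, count[k] }
  ' | sort
}

sample_log | find_sweeps 5
```

Ordinary pagination also walks a numeric parameter, so the threshold needs tuning per application, and parameters that reference per-user objects are the ones worth alerting on.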
