From jeremiah@whitehatsec.com Wed Jul 17 10:19:06 2002
Received: (qmail 1737 invoked by uid 1001); 17 Jul 2002 22:50:27 -0000
Received: from pop.pi.sbcglobal.net [207.115.63.84]
	by localhost with POP3 (fetchmail-5.9.11 polling pop.sbcglobal.net account matt_relay)
	for matt@localhost (single-drop); Wed, 17 Jul 2002 15:50:27 -0700 (PDT)
Received: from vmi-ext.prodigy.net ([127.0.0.1]) by vmi-wfldad with ESMTP; Wed, 17 Jul 2002 13:40:23 -0400
X-Originating-Ip: [64.49.198.145]
Received: from mail1.mailwizards.com (mail1.mailwizards.com [64.49.198.145])
	by vmi-ext.prodigy.net (8.11.0.in.saslm.reject.disable.sbc2.sleep.maildfixand2sdomain/8.11.0) with ESMTP id g6HHdE6308270
	for <matt_relay@sbcglobal.net>; Wed, 17 Jul 2002 13:39:15 -0400
Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [66.38.151.26])
	by mail1.mailwizards.com (8.11.4/MW-2.03) with ESMTP id g6HHdDg14152
	for <matt@nightrealms.com>; Wed, 17 Jul 2002 12:39:14 -0500 (CDT)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id DDEB38F338; Wed, 17 Jul 2002 10:43:59 -0600 (MDT)
Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <secprog.list-id.securityfocus.com>
List-Post: <mailto:secprog@securityfocus.com>
List-Help: <mailto:secprog-help@securityfocus.com>
List-Unsubscribe: <mailto:secprog-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:secprog-subscribe@securityfocus.com>
Delivered-To: moderator for secprog@securityfocus.com
Received: (qmail 10784 invoked from network); 17 Jul 2002 17:17:37 -0000
Message-Id: <3D35A70A.5040701@whitehatsec.com>
Date: Wed, 17 Jul 2002 10:19:06 -0700
From: Jeremiah Grossman <jeremiah@whitehatsec.com>
Organization: WhiteHat Security, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607
X-Accept-Language: en-us, en
Mime-Version: 1.0
To: secprog@securityfocus.com
Subject: WhiteHat Arsenal 1.07 Beta Release
Content-Type: text/plain;
  charset=us-ascii;
  format=flowed
Content-Transfer-Encoding: 7bit
X-DCC-servers-Metrics: kagome 1049; Body=1 Fuz1=1 Fuz2=1
X-Spam-Status: No, hits=-10.4 required=5.0
	tests=ORGANIZATION,X_ACCEPT_LANG,USER_AGENT,LINES_OF_YELLING,
	      DOUBLE_CAPSWORD,USER_IN_WHITELIST_TO
	version=2.40
X-Spam-Level: 
Status: R 
X-Status: N

WhiteHat Arsenal 1.07 Beta Release
Free download available from:
http://community.whitehatsec.com/



=== WHITEHAT ARSENAL 1.07 BETA: WHAT'S NEW ===============================
Over the the last two months, WhiteHat has focused the majority its
software efforts on improving WHArsenal. The tool is not only more
powerful, but also easier everyone to use. We have accomplished this by
drastically renovating and simplifying the user interface to make the
suite more intuitive for average user. This allows users to save time
and execute more web attacks quicker than ever before.

We have posted several screen shots for your viewing pleasure.

The user interface was not the only point we improved. A few new
features have been added to make WHArsenal all the more powerful and
flexible.Among these are "String Manipulation Palette", "Code Snippets",
combined utility features, completely reworked the HTTP connection
menu and also added a "Host Header Fix" option. Forced Browsing has seen
new additions to the search lists, making the scan all the more thorough.

As always, with your help, we have identified and resolved numerous
bugs from the previous release. All in all version 1.07 is likely to
be our single best version improvement to date.

Finally, for those in attendance at BlackHat 2002 Las Vegas,  WHArsenal
will appear a few of the presentations.

As always, WhiteHat continues to solicit your feedback. We rely heavily
on your input for bugs and feature improvements.





=== WHITEHAT ARSENAL =====================================================

WhiteHat Arsenal is designed to be the next generation of professional
web application security audit software.  Architected from the ground up
to be a generic web application security productivity tool, WhiteHat
Arsenal provides security professionals and web application developers
access to the tools they need to make the job of securing web
applications faster and easier than ever before.


Currently, for even the most experienced security professionals, it is
cumbersome if not impossible to quickly and efficiently execute most
known web application attacks without resorting to quickly written
custom utilities.  Writing custom utilities during a penetration test or
formal security review is a waste of time; a security professional's
time should be focused on actually identifying vulnerabilities and
resolving them.  Unfortunately, penetration testers and web application
developers alike lack effective tools to test common, let alone hard to
find, security weaknesses.  As a result, many mission critical web
applications are inadequately protected against the increasingly
prevalent threat of malicious attacks.


Many experienced information security professionals agree that
currently available web security scanners, which scan only for known
vulnerabilities, achieve only limited success as best.  Furthermore,
these types of tools often result in an enormous overflow of false
positives resulting in wasted time and effort.  WhiteHat Security
understands these frustrating shortcomings of the existing tools and the
increased need for securing the Internet's web applications. WhiteHat
Arsenal is poised to revolutionize the manner in which web applications
are penetration tested and secured.


WhiteHat Arsenal possesses a powerful suite of GUI-Browser based web
security tools. These endowments make WhiteHat Arsenal capable of
completing painstaking web security penetration test work faster and
more effectively than any tool currently available.  Imagine having the
ability to quickly customize and execute just about any web security
attack, and having those penetration attempts logged in XML format for
later reporting or analysis.


WhiteHat Arsenal makes it possible to quickly focus attention on HTML
forms, to easily view their inputs, (even the hidden fields), and modify
them in seconds. It can be utilized to rapidly uncover a vast a number
of vulnerabilities in any web application by providing the ability to
perform any of the following attacks faster than ever before:

Perform the following attacks:
           Cross-Site Scripting (XSS)
           Parameter Tampering
           Cookie Poisoning
           URL Manipulation
           CGI Directory Traversal
           Direct OS Commanding
           Meta Character Injection
           SQL Command Injection
           HTTP Request Header Manipulation
           HTTP Request Method Manipulation
           Protocol Manipulation

           and many more variants and combinations...


WhiteHat Arsenal is about increasing the effectiveness of web
application security testing and audits, saving huge amounts of time in
the process. WhiteHat Security is on a mission to improve the way in
which people build, secure and penetration test web applications.


The WhiteHat Arsenal download is available from:
http://community.whitehatsec.com/
Users must be registered to download (takes 30 seconds).

=== WHITEHAT ARSENAL FEATURES ============================================


Session Manager:
WhiteHat Arsenal logs all HTTP Request activities in either XML or HTML
format. This allows for the presentation of log data to be easier to
understand, analyze and report on. The Session Manager keeps log files
organized with an easy to use Session Management system. Create, Edit,
Delete sessions as well as individual log files. Session Manager makes
web security easier by allowing organization of multiple independent
tasks.


Spidering:
- Page Characteristics Logging XML Logging
- Web Application Description XML Logging
- Session Based
- Spider Continuation
- Results Limiter


*Full HTTP Support
*Enhanced Features

Ripper:
- Allows on-the-fly editing of HTML Forms.
- Request/Response header viewing and editing.
- Advanced control over HTTP requests.
- HTTP Request XML Logging
- Session Based
- 302/301 Support w/ Auto Interface Update

*Full HTTP Support
*Enhanced Features


Forced Browsing:
Find hidden directories, log files, and backup files which may contain
useful information quickly, easily and efficiently.

- Common Directory forcing
- Common Logfile Forcing
- Backup file suffix forcing
- Session Based
- Response String Searching Support
- Response Code Look up integration.

*Full HTTP Support
*Enhanced Features


Response Codes:
Look up the meaning of a particular HTTP Response Code or view a list of all
HTTP response codes according to the HTTP/1.1 RFC.


Utilities:
Quickly encode or decode strings, authentication credentials or anything
else, to reverse engineer applications, perform various discovery
methodologies, or pervasive attacks. Now made even easier using the
"String Manipulation Palette".

- URL Encode/Decode
- Base64 Encode/Decode
- ROT13
- MD4
- MD5
- SHA-1


Code Snippets:
Added easily accessible snippets of code commonly used by web
application security
experts.


*Full HTTP Support
(Ability to modify and manipulate just about every aspect of an HTTP
Request.)

- Path
- Protocol
- Port
- Content
- Method
- Version
- Web Auth
- Request Headers
- HTTP Fixup Feature
- Browser Mimick
- Host Header Fix


Enhanced Features:
- Easy to use Web-GUI Interface.
(Only a recent web browser is required to use everything in WhiteHat
Arsenal.)

- Browser Mimicking
(Mimick the HTTP Request behavior of a standard web browser.)

- HTTP Fix
Use libwhisker to "fix" an HTTP Request before the request is sent. The
fix includes things such as adding a "Host" header, "Content-Length"
header, etc. Helpful for HTTP compliance.

- Host Header Fix
Automatically adds the proper host header to an HTTP request. Need for
HTTP/1.1 support.


Support:
- Web Authentication
- SSL


=== WHITEHAT COMMUNITY ===================================================

WebAppSec Community
http://community.whitehatsec.com/

WhiteHat Security has created a new web application security
information portal and web security community. A place for people to
read related news, access up-to-date information, and talk web
app sec stuff.  The archives are full of web application security
presentations, whitepapers, news, etc.

WhiteHat Security is asking all those interested to submit news and
other related information (please be specific to web app sec).  Also if
you know any good web app sec white paper's and/or PPT material, please
post those submissions as well.
==========================================================================






