Information Security Inc.
Watobo
Information Security Confidential - Partner Use Only
Contents
• About Watobo
• Features
• Testing Environment
• Installing Watobo
• Using Watobo
• References
About Watobo
• WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
Features
• Powerful session management capabilities! You can define login scripts as well as logout signatures, so you don't have to log in manually each time you get logged out.
• Can act as a transparent proxy (requires nfqueue)
• Vulnerability checks (SQL injection, XSS, LFI) out of the box
• Handles Anti-CSRF-/One-Time-Tokens
• Supports inline de-/encoding, so you don't have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
• Smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
• Is written in (FX) Ruby and enables you to easily define your own checks
• Runs on Windows, Linux, MacOS: every OS supporting (FX) Ruby
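The session-management idea listed above (a login script, a logout signature and one-time anti-CSRF token handling), as an added Ruby illustration that is not Watobo's own code or API: a wrapper re-runs the login script whenever a response matches the logout signature, and the login script reads the one-time token from the form before posting. The stub application, its cookie names, token format and the logout signature are all constructed assumptions.

```ruby
# Added illustration, not Watobo's own code or API: a login script, a logout
# signature and a one-time anti-CSRF token, run against a constructed stub app.
LOGOUT_SIGNATURE = /session expired|please log in/i  # hypothetical logout signature
def extract_csrf_token(html)  # one-time token from a login form (constructed markup)
  (m = html.match(/name="csrf_token"\s+value="([^"]+)"/)) && m[1]
end
class StubApp  # constructed in-memory target; a session cookie is good for N requests
  def initialize(expire_after: 2)
    @expire_after, @sessions, @token = expire_after, {}, "tok-abc123"
  end
  def get(path, cookie)  # unknown or used-up cookie => logged-out page
    return { body: %(<input name="csrf_token" value="#{@token}">) } if path == "/login"
    left = @sessions[cookie]
    return { body: "Session expired. Please log in." } if left.nil? || left <= 0
    @sessions[cookie] = left - 1
    { body: "secret data for #{path}" }
  end
  def post(path, params, _cookie)  # only the login form is posted in this demo
    return { body: "bad login" } unless path == "/login" && params == { "password" => "s3cret", "csrf_token" => @token }
    sid = "sid-#{@sessions.size + 1}"
    @sessions[sid] = @expire_after  # fresh session, valid for N requests
    { body: "", cookie: sid }
  end
end

# "Login script": fetch the form, read the token, post the credentials.
LOGIN_SCRIPT = lambda do |app|
  token = extract_csrf_token(app.get("/login", nil)[:body]) or raise "no CSRF token"
  resp = app.post("/login", { "password" => "s3cret", "csrf_token" => token }, nil)
  resp[:cookie] or raise "login failed"
end

# Wraps each request: when the response matches the logout signature, re-run
# the login script and replay the request once with the new session cookie.
class SessionManager
  attr_reader :logins
  def initialize(app, login_script, signature = LOGOUT_SIGNATURE)
    @app, @login, @sig, @cookie, @logins = app, login_script, signature, nil, 0
  end
  def get(path)
    resp = @app.get(path, @cookie)
    return resp unless resp[:body] =~ @sig
    @cookie = @login.call(@app); @logins += 1
    @app.get(path, @cookie)
  end
end
def demo  # three requests with a cookie good for two => two automatic logins
  sm = SessionManager.new(StubApp.new(expire_after: 2), LOGIN_SCRIPT)
  [%w[/a /b /c].map { |p| sm.get(p)[:body] }, sm.logins]
end
```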
Testing Environment
• Kali Linux 2017
Installing Watobo
• apt-get install watobo
Using Watobo
• Starting Watobo for the first time
• Starting Watobo
• Watobo Transcoder
• Watobo: create a new project => File > New/Open
• Project Name
• Session Name
• Watobo listens on port 8081
• Configure browser proxy
• Watobo Interceptor
• Watobo > send to SQLmap
References
• Kitploit
http://www.kitploit.com/2013/08/watobo-0913-web-application-toolbox.html
• Kali Linux
https://www.kali.org/downloads/
• fxruby
https://github.com/larskanis/fxruby