RSnake was letting us all know that Portswigger is taking requests for new features for Burp. Burp proxy is one of a handful of tools that you must have in your toolbelt for doing manual assessments. Funny how I've never shared what I have in my manual assessment toolbelt:
- MITM proxy - my standard is Paros, but I also keep installs of Burp and WebScarab. What you need first and foremost is a proxy that works. Each of them has pros and cons as far as being able to reliably connect under various circumstances. If you're consulting or dealing with vendor apps, you'll probably use all of them at different times to deal with different proxy configurations (I mean corporate proxy, not MITM proxy), host authentication methods, SSL, etc. If the site is SSL and has applets, you'll need one that you can easily modify (this is why I use Paros) so you can change which keystore it uses and make a hacked self-signed cert. Next time I have to do something like this, I'll write a blog post about it. It's not hard, but it's not obvious, either.
- A good text editor. A "good" text editor is critical just because my editor ends up being my "landing zone" for everything. So you want your text editor to have some of the following features: regex search and replace (an absolute must), macro ability (you never know when you need to just cobble something together), a tabbed interface, and column editing (you'd be surprised how many times I use just this one feature in an assessment). Right now, I'm pretty well stuck with jEdit, but prior to that I used UltraEdit exclusively. I tend to like jEdit now simply because of one feature: BeanShell is built in. This is handy in two places. The first is encoding and decoding - I've written a handful of macros for doing encoding and decoding (hex->binary, binary->hex, digests, HTML encoding, URL encoding, Base64, etc.). Your proxy may also provide this, but it's nice not to have to switch. The second is that you can make the replacement in a search and replace the result of evaluating a BeanShell script over each match, which is handy when dealing with obfuscated code.
- Firefox with at least LiveHTTPHeaders, SwitchProxy, User Agent Switcher, and Firebug. What I ended up doing is using a hacked-up Portable Firefox for doing assessments, so my primary day-to-day Firefox doesn't include all the extensions.
- The GIMP. It may seem like overkill when you just need screenshots, but you also need something that can do a really good Gaussian blur or similar for redacting. With a normal desktop paint program, redacting means putting an ugly black bar in front, which doesn't look that great in a finalized report. Just make sure the blur is heavy enough that the text underneath can't be read back out; a light blur or pixelation on text is cosmetic, not a redaction. You want something you can annotate with and draw nice red circles on.
- I've thought about desktop recording software, and I've seen some really nice ones with voice recording and graphical annotations, but you can't put a video in a printed document, so it's not something I've used a great deal.
- The XSS Cheat Sheet. I wish there were a SQL injection (or LDAP injection, or name-that-injection) equivalent for all the various RDBMSes out there, but doing a little research on the specific RDBMS and having a good set of encoders will get you far.
- There's just no substitute for being able to figure out what's going on in the backend. The more opportunity you have to turn your black-box test into a gray-box test, the better your chances of getting a really good exploit. There's no tool for that, but just know that it's hard to train somebody to be a truly 1337 hacker if they don't understand a lot about the systems the application runs on, at the application level or the OS level. So that being said, there's no substitute for research.
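As an added example (not code from the post, and nothing to do with jEdit's own macro API), here are the two editor tricks from the text editor item above, written in Python rather than BeanShell so they can run without the editor: the small set of encoders and digests the post lists (the same "good set of encoders" the injection item leans on), plus a regex search and replace where the replacement is computed by a function for each match, run over a constructed bit of obfuscated JavaScript. All function names and the sample input are my assumptions for the illustration.

```python
"""Python stand-in for the editor macros described in the post: a small set of
encoders/decoders, and "evaluated replacement" deobfuscation, where each regex
match is handed to a function that computes the replacement text.

Added example, not from the original post. The obfuscated JavaScript sample
and every helper name here are constructed for illustration.
"""
import base64
import hashlib
import html
import re
import urllib.parse


# --- encoders/decoders of the kind kept as editor macros ---------------------

def to_hex(data: bytes) -> str:
    return data.hex()


def from_hex(text: str) -> bytes:
    # Tolerate "61 6c 65" or "61:6c:65" pasted from a proxy or a hex dump.
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))


def url_encode(text: str) -> str:
    return urllib.parse.quote(text, safe="")   # encode "/" too; payloads need it


def url_decode(text: str) -> str:
    return urllib.parse.unquote(text)


def html_encode(text: str) -> str:
    return html.escape(text, quote=True)        # also turns quotes into entities


def html_decode(text: str) -> str:
    return html.unescape(text)


def b64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.b64decode(text)


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


# --- regex search where the replacement is computed per match ----------------

# JavaScript escapes inside string literals: \x41 and \u0041
_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# String.fromCharCode(97, 108, ...) with only numeric literals as arguments
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")
# unescape("%61%6c...") or unescape('...') with a literal argument
_UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)")


def _js_escape_to_char(m):
    return chr(int(m.group(1) or m.group(2), 16))


def _fromcharcode_to_literal(m):
    chars = "".join(chr(int(n)) for n in m.group(1).split(","))
    return '"' + chars + '"'                    # keep the result a JS string literal


def _unescape_to_literal(m):
    quote = m.group(1)
    return quote + url_decode(m.group(2)) + quote


def deobfuscate_js(src: str, max_passes: int = 5) -> str:
    """Run each regex->function pass until the text stops changing.

    The output is for reading, not for re-executing: an escape that decodes
    to a quote or a backslash is dropped into the literal unquoted.
    """
    for _ in range(max_passes):
        before = src
        src = _JS_ESCAPE.sub(_js_escape_to_char, src)
        src = _FROM_CHAR_CODE.sub(_fromcharcode_to_literal, src)
        src = _UNESCAPE.sub(_unescape_to_literal, src)
        if src == before:
            break
    return src


# Constructed sample, not captured from any real site.
OBFUSCATED_SAMPLE = (
    'var a = "\\x61\\x6c\\x65\\x72\\x74";\n'
    'var b = String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116);\n'
    "var c = unescape('%2e%63%6f%6f%6b%69%65');\n"
    "window[a](b + c);"
)


if __name__ == "__main__":
    print(deobfuscate_js(OBFUSCATED_SAMPLE))
    print(digest(b"abc"), url_encode("' OR 1=1--"))
```

The pass loop matters: real obfuscators nest these tricks (an `unescape` whose argument is itself built from `\x` escapes), so one regex pass rarely gets you to readable code, and the "stop when nothing changed" check keeps the loop from running forever on input that none of the patterns match.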