@2003 mei@websec.org / www.websec.org
readme.txt
**************************************
**************************************
desperado - webapplication tester
dmapper - command mapper for desperado
**************************************
**************************************
OVERVIEW
desperado was designed to reduce time for manual testing of webapps.
combined with a good crawler or spider, dmapper and a couple of shell-scripts
it might be able to automate a whole test.
desperado should run on most perl installations without modification.
used perl-modules:
---*---
Getopt::Std (default)
LWP::UserAgent
HTTP::Request
HTTP::Response
HTTP::Headers
HTML::Form
HTML::TokeParser
IO::Scalar
---*---
if your system does not support SSL we recommend using stunnel
(http://www.stunnel.org) for this purpose.
WHAT IS IT DOING
supplied with a so-called "goodInput" value, desperado requests a given
URL and temporarily stores the server's response.
then the "goodInput" is replaced by a "testValue" taken from the config-file. this
is done for every single config-file entry.
after removing "goodInput" and "testValue" from the server's responses, the
cached "goodInput" response is compared to the "testValue" response.
a different response might be an interesting starting-point for further investigation :-)
EXAMPLE
"goodInput" (goodInput=Hoschi) desperado-request:
---*---
http://server/cgi-bin/xxx.cgi?name=Hoschi
---*---
"good" server-response:
---*---
Hello "Hoschi"
---*---
"testValue" "\|&"§=%$§" taken from our config-file desperado-request:
---*---
http://server/cgi-bin/xxx.cgi?name=\|&"§=%$§
---*---
"test" server-response:
---*---
500 Internal Server Error
---*---
USAGE
---*---
usage: ./desperado.pl -u *[url]
-c *[configFile]
-p [proxyServer]
-n [name || "default"]
-q [add. query ie.(user=aaa&other=bbb)]
-h [add. headers ie.(VIA=123&User-Agent=Me)]
-m [method (can be overriden by Headers or Config!)]
-d [debugOutput]
-t [type [param(default)|xpath|header(only value)|totheader(aa:bbb)|method|content|query]]
-l [logToThisFile]
-g [goodInput (default=1 but not recommanded !)]
-f [firstInitialCheck]
-k [remove everything which fits to this regex!]
---*---
-c specifies the config file
-p makes use of proxy-server (server:port)
-n is the name of the tested value (only for types: param, header)
-q all the additional paramname-value combos you want/must supply to the request. format: NAME=VALUE&NAME2=VALUE2
-h add the additional request-headers you want/must supply to the request
-m request method (GET, POST, TRACE ...)
-d debug output
-t type of test value
valid types:
param = typical form-based request parameter
xpath = additional path information (cgi-bin/info.cgi/addpathinfo/blabla)
header = request-header-value (User-Agent, Content-Length ...)
totheader = request-header name/value combo (User-Agent: Tester)
method = request method
content = can be used together with post-requests (file-uploads ...)
query = QUERY_STRING (cgi-bin/test.cgi=i_am_a_query_string)
-l logfile location
-g the good input (beware of using 1 or 0 .. try something unusual like "69696969")
-f let desperado only check the first value found in the config-file (testing)
-k sometimes it is necessary to remove volatile output like "Execution time 3422" or similar, which would otherwise make every response look different !!
CONFIG FILE SYNTAX
example:
---*---
'
= start tag with des=description (looks better in logfile!)
= end tag
---*---
everything between start- and end-tags is our "testValue".
in addition it is possible to create loops with:
---*---
---*---
performs a typical for-next loop .. in perl:
---*---
for ($count = 1; $count < 10; $count = $count + 1)
{
    return $testValue x $count;   # testValue repeated $count times
}
---*---
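the comparison described under WHAT IS IT DOING (strip "goodInput" and "testValue", apply the -k regex, then diff against the cached response) and the config-file loop above, as an added python example that is not part of desperado or the websec module. the responses are constructed; the function names are my own.

```python
import re

# Constructed sample responses (not real server output), following the
# readme's EXAMPLE: one "goodInput" response and two "testValue" responses.
GOOD_INPUT = "Hoschi"
GOOD_RESPONSE = 'Hello "Hoschi"\nExecution time 3422'
# Response that only echoes the test value back: not interesting.
ECHO_RESPONSE = 'Hello "AAAA"\nExecution time 3578'
# Response that changed beyond the echoed value: worth a closer look.
ERROR_RESPONSE = "500 Internal Server Error"


def normalize(body, good_input, test_value, strip_regex=None):
    """Remove goodInput and testValue from a response, then apply the
    optional -k regex so volatile output (timings, dates) does not cause
    a false 'different response'."""
    cleaned = body.replace(good_input, "").replace(test_value, "")
    if strip_regex:
        cleaned = re.sub(strip_regex, "", cleaned)
    return cleaned


def differs(good_body, test_body, good_input, test_value, strip_regex=None):
    """True when the testValue response differs from the cached goodInput
    response after both were normalized (desperado's decision rule)."""
    return (normalize(good_body, good_input, test_value, strip_regex)
            != normalize(test_body, good_input, test_value, strip_regex))


def expand_loop(test_value, start=1, end=10, step=1):
    """The config-file loop: testValue repeated $count times for
    $count = start .. end-1, like perl's 'x' operator."""
    return [test_value * count for count in range(start, end, step)]


def run_checks():
    """Apply the comparison to the constructed responses above."""
    timing = r"Execution time \d+"   # what -k would be given here
    return {
        "echo_without_k": differs(GOOD_RESPONSE, ECHO_RESPONSE, GOOD_INPUT, "AAAA"),
        "echo_with_k": differs(GOOD_RESPONSE, ECHO_RESPONSE, GOOD_INPUT, "AAAA", timing),
        "error_with_k": differs(GOOD_RESPONSE, ERROR_RESPONSE, GOOD_INPUT, "AAAA", timing),
        "loop_lengths": [len(v) for v in expand_loop("A", 1, 5)],
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

without the -k regex the timing line alone makes the echo response look "different"; with it, only the real error stands out.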
OTHERS
note that it is not possible to use a "super-config-file" for any test!
TODO
* add additional types
* create a database with config-files for every thinkable testing-case
* add desperado.pl to the websec perl-module :-)
******************
******************
ADDENDUM "dmapper"
******************
******************
OVERVIEW
"dmapper" was designed to reduce time for manual testing of webapps.
it creates "batch-files" for the desperado "vulnerability-finder" tool.
WHAT IS IT DOING
after analyzing pages which contain forms and/or links with QUERY_STRINGs,
it creates a desperado "batch/command" file for every thinkable combination of
forms, form fields and user input, based on the given config-files for desperado.
USAGE
---*---
dmapper.pl
-u [url]
-h [request-headers(a:xx&b:yy)]
-p [proxy]
-b [name of batch-file]
-c [configfile||default.cfg]
-d [dummyvalue for formfields||1234]
-d [debug-output]
-n [headernames-file]
-i [include links with query_strings]
-s [do NOT check for default-headers and request-methods]
---*---
-u: this is the URI to be tested. it should contain at least one webform.
-h: submit additional headers to the initial request (cookies, auth-headers etc.)
-b: filename which will contain the desperado-command lines.
-c: the main config file. default is default.cfg
-g: a dummy-value for form fields. default is '1234'
-d: output debug info
-n: name of the file which contains the request-header names.
-i: creates additional tests for any link with a QUERY_STRING (Example: )
-k: see desperado (USAGE)
-s: for well-known servers like apache it does not make sense to check default-headers/methods on every scan
TODO
too much
EOF-mei@websec.org