Exodus - a web application review tool

Blurb

Exodus is derived from a number of sources. The original inspiration came from httpush, by Lluis Mora Hidalgo, which offered the ability to intercept HTTP and HTTPS connections, display the requests, and modify them on the fly.

I felt that the HTML interface to the proxy was a bad choice, since the site I was testing used forms in non-resizable frames, and I couldn't get to the Submit button to tell httpush to continue!

As a result of my frustration, I changed httpush quite radically, creating "mangle.pl" so that it would save the conversations, and implemented a Perl/Gtk interface to review the information seen. I ended up writing a number of tools, that followed the Unix philosophy of "one tool to do a simple thing well". Unfortunately, none of them really did their jobs well, and they didn't integrate well, either.

Mangle was also not very portable, using the Perl Crypt::SSLeay and Net::SSLeay bindings to OpenSSL, which I had difficulty compiling on Win32, and needing a bunch of modules from CPAN, and other places. It was a real disaster trying to install it on another machine, even for me as the creator. I eventually decided to re-implement it in Java.

Exodus is the Java version of mangle.

Features

Exodus has the following features:

Proxies HTTP and HTTPS connections (SSL man in the middle). IE and Mozilla/Phoenix work, apparently Konqueror uses a different mechanism to negotiate SSL proxy connections.
supports upstream HTTP and HTTPS proxies. No-Proxy support is not yet implemented.
support Basic-Auth and Proxy Basic-Auth (NTLM support will come if there is a need for it, I'm sure!)
Supports interception and modification of requests and responses (selectable, based on the request method)
Optionally transforms all hidden FORM fields into visible and editable fields
Saves the requests, responses and any descriptions to the filesystem for further analysis, or evidence.
Shows a log of requests received by the proxy, modifications made by the user/proxy, responses from the server, and modifications made to the response
Shows a view of all the pages and links that have been identified through the course of the analysis.
Analyses the HTML responses for Scripts, comments and Forms
Presents scripts, comments and forms for human analysis and rating. (currently not editable, but coming)
The model no longer keeps conversations in memory all the time, but caches the last 10, and can read the others from the disk, if a save directory is configured. (This still needs some work).
Renders HTML responses to the screen. Be aware that this can resend requests to the server, since the EditorPane automatically follows links in HTML. If this bothers you, don't select the MIME tab of the response for those responses!
Shows images as an image, rather than a byte stream, under the MIME tab
Initial support for Cookie/Sessionid analysis - present all requests that resulted in a cookie being set, allow the operator to select one to replay, then retrieve an amount of cookies. The character set of those cookies will then be analysed to determine patterns, etc. Currently retrieval (of cookies only) and conversion to Integer is functional, other functionality is still coming.
Fuzzer support. URL's that have parameters associated with them are highlighted, paramater combination permutations are listed, individual parameters and previously seen values are presented, and can be replaced with instances of a "fuzzstring" read from a file. Multiple requests are sent to the server, trying each fuzz string in turn. Analysis of responses for error messages, etc is still coming.

Exodus - a Web Application Review tool for Java

Exodus is no longer under development

Blurb

Compatibility

Status

Features

Screenshots

Credits