Exodus - a Web Application Review tool for Java
Exodus is no longer under development
Exodus is deprecated! Please use WebScarab rather than Exodus. Thanks! ;-)
For those of you who have been using Exodus because of its (inferior) fuzzing support, PLEASE try the new releases of WebScarab. Fuzzing support has been added to WebScarab, and it is a LOT more powerful and flexible than Exodus.
Exodus is derived from a number of sources. The original inspiration came from httpush, by Lluis Mora Hidalgo, which offered the ability to intercept HTTP and HTTPS connections, display the requests, and modify them on the fly.
I felt that the HTML interface to the proxy was a bad choice, since the site I was testing used forms in non-resizable frames, and I couldn't get to the Submit button to tell httpush to continue!
As a result of my frustration, I changed httpush quite radically, creating "mangle.pl" so that it would save the conversations, and implemented a Perl/Gtk interface to review the information seen. I ended up writing a number of tools that followed the Unix philosophy of "one tool to do a simple thing well". Unfortunately, none of them really did their jobs well, and they didn't integrate well, either.
Mangle was also not very portable: it used the Perl Crypt::SSLeay and Net::SSLeay bindings to OpenSSL, which I had difficulty compiling on Win32, and it needed a bunch of modules from CPAN and other places. It was a real disaster trying to install it on another machine, even for me as the creator. I eventually decided to re-implement it in Java.
Exodus is the Java version of mangle.
Exodus is merging with the OWASP project's WebScarab to produce a best-of-breed web application security audit tool. As a result, development on Exodus itself has halted while WebScarab is designed, and brought up to the level of Exodus (in terms of features, not code quality! :-) All development is happening in WebScarab now.
Exodus has the following features:
- Proxies HTTP and HTTPS connections (SSL man-in-the-middle). IE and Mozilla/Phoenix work; apparently Konqueror uses a different mechanism to negotiate SSL proxy connections.
- Supports upstream HTTP and HTTPS proxies. No-Proxy support is not yet implemented.
- Supports Basic-Auth and Proxy Basic-Auth (NTLM support will come if there is a need for it, I'm sure!)
- Supports interception and modification of requests and responses (selectable, based on the request method)
- Optionally transforms all hidden FORM fields into visible and editable fields
- Saves the requests, responses and any descriptions to the filesystem for further analysis, or evidence.
- Shows a log of requests received by the proxy, modifications made by the user/proxy, responses from the server, and modifications made to the response
- Shows a view of all the pages and links that have been identified through the course of the analysis.
- Analyses the HTML responses for Scripts, comments and Forms
- Presents scripts, comments and forms for human analysis and rating. (currently not editable, but coming)
- The model no longer keeps conversations in memory all the time, but caches the last 10, and can read the others from the disk, if a save directory is configured. (This still needs some work).
- Renders HTML responses to the screen. Be aware that this can resend requests to the server, since the EditorPane automatically follows links in HTML. If this bothers you, don't select the MIME tab of the response for those responses!
- Shows images as an image, rather than a byte stream, under the MIME tab
- Initial support for Cookie/Sessionid analysis: present all requests that resulted in a cookie being set, allow the operator to select one to replay, then retrieve a number of cookies. The character set of those cookies will then be analysed to determine patterns, etc. Currently retrieval (of cookies only) and conversion to Integer is functional; other functionality is still coming.
- Fuzzer support. URLs that have parameters associated with them are highlighted, parameter combination permutations are listed, individual parameters and previously seen values are presented, and can be replaced with instances of a "fuzzstring" read from a file. Multiple requests are sent to the server, trying each fuzz string in turn. Analysis of responses for error messages, etc., is still coming.
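The Cookie/Sessionid analysis step described above, as an added Python example that is not Exodus's own code: it parses the Set-Cookie headers an intercepting proxy would have logged from replayed requests, reports the character set and lengths of the observed values, converts them to integers when the alphabet is numeric (the part the page says is functional), and checks whether successive values are sequential, which is the predictability warning sign an assessor looks for. The header lines, the cookie name and the helper names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: Set-Cookie headers as a proxy would log them from four
# successive replayed responses (not output from any real server).
SAMPLE_SET_COOKIE_HEADERS = [
    "Set-Cookie: JSESSIONID=0A1F3C; Path=/",
    "Set-Cookie: JSESSIONID=0A1F3D; Path=/",
    "Set-Cookie: JSESSIONID=0A1F3E; Path=/",
    "Set-Cookie: JSESSIONID=0A1F40; Path=/",
]

# Optional "Set-Cookie:" prefix, then the first name=value pair before any ';'.
COOKIE_RE = re.compile(r"^\s*(?:Set-Cookie:\s*)?([^=;\s]+)=([^;]*)")


def parse_cookie(header: str) -> Tuple[str, str]:
    """Return (name, value) of the first name=value pair in a Set-Cookie line."""
    m = COOKIE_RE.match(header)
    if not m:
        raise ValueError(f"not a Set-Cookie line: {header!r}")
    return m.group(1), m.group(2).strip()


def character_set(values: List[str]) -> str:
    """Sorted string of the distinct characters seen across all values."""
    return "".join(sorted(set("".join(values))))


def guess_base(charset: str) -> int:
    """Heuristic: 10 for decimal digits only, 16 for hex digits, else 0 (opaque)."""
    if set(charset) <= set("0123456789"):
        return 10
    if set(charset) <= set("0123456789abcdefABCDEF"):
        return 16
    return 0


def analyse(headers: List[str], name: str) -> Dict:
    """Collect the values of cookie `name` and summarise how predictable they look."""
    values = [v for n, v in (parse_cookie(h) for h in headers) if n == name]
    charset = character_set(values)
    base = guess_base(charset)
    result = {"count": len(values), "charset": charset,
              "lengths": sorted({len(v) for v in values}), "base": base}
    if base:  # numeric alphabet: convert and look at the gaps between samples
        ints = [int(v, base) for v in values]
        deltas = [b - a for a, b in zip(ints, ints[1:])]
        result.update(integers=ints, deltas=deltas,
                      sequential=bool(deltas) and all(d > 0 for d in deltas))
    return result
```

Small positive deltas across samples, as in the constructed data, mean the token is effectively a counter and should be treated as guessable; an opaque alphabet (base 0) still needs a length and distribution check before it is trusted.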
Take a look at the following screenshots to get an idea of how Exodus works:
Exodus is © 2003 by Rogan Dawes <firstname.lastname@example.org>