Exodus - a Web Application Review tool for Java

How to conduct a web application review

Static analysis

Use your favourite web scanner tools to spider/scan the target for known vulnerabilities and misconfigurations. If they support an upstream proxy, consider running them through Exodus, for retention and analysis of pages returned.

Guided Application Walkthrough

If you have access to someone who knows the application intimately, get them to walk through it and exercise as much functionality as possible. Take notes while this is happening (e.g. request 1 is submit logon credentials, request 10 is log off, etc.).

Dynamic analysis

This is an iterative process.

Essentially, try anything and everything you can think of to cause the web app to misbehave.

See the OWASP Project for more information.

How to use Exodus to perform the above

Running Exodus

You will need a Java virtual machine. Exodus has been developed using version 1.4.0 of Sun's JVM, and requires classes provided natively with 1.4 that are not provided with earlier versions of the JRE. In particular, it requires JSSE and the Java Logging classes, but may also require others, such as the Regex classes. The easiest approach is just to get a recent JRE.

I suggest that you use a console window to run Exodus. Even though there is a log window, the logging has been redone to use the Java Logging API, and has reverted to logging to STDOUT until I implement a proper log handler to write it into the log window. Even then, some of the lower-level classes still log to STDOUT, and this output would be lost if Exodus were run without a console. Exceptions are also dumped to STDOUT, and could explain some mysterious loss of functionality :-)

Run Exodus with a command like:

java -jar exodus.jar directoryname

where directoryname is a directory that Exodus should use to store the conversations seen. If no parameter is passed, Exodus will not save any analysis at this point. The directory need not exist, but the name should end with a slash (appropriate for the platform).

Configure the port that the proxy should listen for incoming requests on. You can also configure upstream proxies if necessary, through the menu option. Press Start once the proxies are configured to your liking.

Configure your browser to use Exodus as an upstream HTTP and HTTPS proxy, using the settings from the previous step. You may also be interested in an automatic proxy configuration script that only routes requests for a specific site via Exodus, and uses your preferred proxies for connections to other sites. This is useful to allow you to browse the web in general, at the same time, without cluttering up the Exodus logs, and without having to remember to change your proxy settings each time.

If desired, you can intercept the requests and responses in the GUI, and edit them. This is achieved via the Proxy plugin, "Intercept" tab. Select the check boxes as desired.

Surf away to your heart's content. You will see all the requests and responses that pass through the proxy in the Log View tab, and a view of the web site in the URLView tab.

As Exodus is developed further, you will be able to see attributes of a particular URL summarised in the URLView.
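
The automatic proxy configuration script mentioned in the browser setup step can look like the following. This is an added example, not part of the Exodus distribution; the target host name, the Exodus listening address 127.0.0.1:8008 and the default proxy are assumed placeholder values.

```javascript
// Proxy auto-config (PAC) file: the browser calls FindProxyForURL(url, host)
// for every request and uses the proxy list it returns.

// Assumed values, not from the Exodus documentation: replace with your own.
var TARGET_HOST = "app.example.test";                  // site under review
var EXODUS = "PROXY 127.0.0.1:8008";                   // port set in the Exodus GUI
var DEFAULT = "PROXY proxy.example.test:3128; DIRECT"; // your usual proxy

// True when host is the target itself or a subdomain of it. The match is on
// a label boundary, so "notapp.example.test" and
// "app.example.test.other.test" are not routed through Exodus.
function isTargetHost(host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return h === TARGET_HOST ||
         h.slice(-(TARGET_HOST.length + 1)) === "." + TARGET_HOST;
}

function FindProxyForURL(url, host) {
  if (isTargetHost(host)) {
    // No "DIRECT" fallback here: if Exodus is not running, the request fails
    // instead of silently bypassing the proxy and going unrecorded.
    return EXODUS;
  }
  return DEFAULT;
}
```

Save the script as a .pac file and point the browser's automatic proxy configuration setting at it.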

Credits

Exodus is © 2003 by Rogan Dawes <rogan@dawes.za.net>