SPI ToolKit Puts Web Apps to the Test

SPI Dynamics utilities assess Web application security by manipulating, breaking and otherwise abusing them.

SPI Dynamics Inc. is opening up its toolbox and giving customers access to a wide range of utilities that are meant to manipulate, break and otherwise abuse Web applications.

SPI ToolKit is a grab bag of the kind of toys that people—good and bad—use to break into applications to probe for common weaknesses, as well as lesser-known vulnerabilities.

SPI Dynamics has included most of these utilities in recent releases of its WebInspect product, but the company found that there was a separate population of penetration testers interested in the tools who didnt necessarily have a use for the full-blown WebInspect release. "A lot of people end up using shareware or free tools that might have bugs, and its hard to get updates for them," said Kevin Overcash, vice president of product management at SPI Dynamics, in Atlanta.

SPI ToolKit comprises 10 utilities, including a tool for analyzing cookies for predictability, an HTTP editor, a tool for brute-forcing user names and passwords, and a tool capable of automating the exploitation of SQL injection flaws.

Perhaps the most intriguing and potentially dangerous of the tools is SQL Injector, which does exactly what its name implies—performs automated SQL injection attacks against selected targets. Once the tool identifies all the vulnerable portions of the application, it extracts information on the flaws and exports that information to a separate database for further analysis.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. "This is the one that makes every developer gasp," said Overcash. Although SQL injection is among the more common attacks against Web applications, Overcash said many developers and even some security specialists do not fully understand the technique and its implications.

The other unique portion of SPI ToolKit is Cookie Cruncher. Penetration testers can point this utility at a Web site and download several sample cookies. The tool analyzes the cookies for common security weaknesses, such as predictable identification numbers and other problems.

The company is aware of the potential for these tools to be misused and has decided to license each version of ToolKit on an individual basis to help prevent crackers from getting their hands on it.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page