What's Up With Rest

Changes & Improvements

Mon Jan 30 2017 12:52:26 GMT+0000 (GMT)

The current version of Rest comes with several nice little features which we believe you will fell in love with. Needless to say, these features are not just available to Rest but also to the whole stack of applications that utilise our core libraries, including but not limited to HTTPView. So, without further ado, here they are.

Cross-site Request Forgery Generator

Those familiar with SecApps's stack of applications have most likely encountered a useful little tool called RForge, which was designed to convert traditional web requests (in any shape or form) into useful, ready to execute, Cross-site Request Forgery (CSRF) attack pages. Now you can take advantage of the CSRF generator by simply building the request into the http editor and extracting the code from the code viewer with a single click. There is no need to navigate elsewhere and utilise yet another tool.

This feature utilises the built-in code viewer, which currently supports transformers for HTTP, curl and now csrf. More languages and code transforms will be added really soon.

Pretty Print Everything You See

The Web is truly international but it comes with an extra cost - protocols, encodings and what not. Reading it all without any help could prove to be difficult to even the most hardcore hackers. Now you can utilise the built-in pretty printer not only to convert and format HTML, JavaScript, XML, CSS and much more but also parse and decode common types of transport encoding mechanisms such as urlencoding, multipart encoding and many more.

This page for example is prettified like this...

It is hard to see the difference but it is obvious that the first is compressed while the second is indented nicely so that it is readable by mere mortals.

The purpose of Rest is to learn the structure of the response and as such discover its characteristics and sometimes find bugs (especially the security ones). However, reading HTML is just no fun even when using the pretty printer as discussed above. This is why now you can find a built-in feature to discover all links and resources in HTML response pages. Now it is easy to find out what the web is really made of without becoming a human text parser.

Well, there is nothing wrong to be a human text parser but I rather be a security researcher and leave the mundane jobs to computers. And that is how we roll.

Bult-in Forms Extractor

Last but not least, we have provided a built-in forms extractor so that you never have to look at the HTML source again in order to jump onto next request. Forms my look trivial but they do come with their own caveats and who better to deal with all that mess than our internal spider engine that is fully loaded with all the tools necessary for the job.

So now it is trivial to find out things that end up being CSRF-able. Routers beware!

There you have it - 4 useful features that shape the next fundamental stage of development of our information security toolkit, which we hope you find as useful for discovering security bugs as pretty much for doing anything else HTTP and web related. We are committed to make it the best so tune in for more updates on our twitter feed.

Comments Powered ByDisqus