The core components are Fiddler2, sessions, Hardanger and the fuzzing engine. The Fiddler2 and sessions components are part of the Fiddler2 software and will be used as the foundation for Hardanger.

Fiddler2 provides the foundation upon which all web application penetration testing tools are built: proxy functionality. Fiddler2 can intercept all HTTP and HTTPS requests between clients and servers. It installs itself as a proxy at the operating system level, so any application that honours the system proxy configuration will relay its traffic through Fiddler2. This includes virtually all modern web client applications, including all major web browsers. Fiddler2 can also inspect HTTPS traffic secured with SSL/TLS by installing a trusted certificate on the machine running Fiddler2. This gives Hardanger the ability to monitor both HTTP and HTTPS traffic. Fiddler2 is already widely popular among Windows web application developers, so targeting this audience for Hardanger is not far-fetched.

A second component leveraged from Fiddler2 is its session handling mechanism. Fiddler2 captures and records every request and response in a database, with full header and connectivity information. Hardanger will use the session framework built into Fiddler2 to select sessions and pass their information to its features, such as the fuzzer.

The Hardanger add-on itself will manage sessions, and each feature will own its graphical representation in the UI. The add-on will also be responsible for collecting and reporting the results provided by each feature. All the plumbing and infrastructure components of Hardanger will be built into this layer. Hardanger will be the entry point into the codebase for this project.

The final piece in scope for the first release of this project is a basic fuzzing engine. This basic fuzzer will implement a standard interface that plugs easily into the Hardanger platform. Eventually, it will be trivial to add new types of fuzzer that implement this same interface. As a proof of concept, and for the sake of simplicity, the initial fuzzer will be a simple algorithm that generates random data within a user-configured minimum and maximum length. It will be the responsibility of this fuzzer to create HTTP and HTTPS requests to the server repeatedly and record the results for later analysis. This fuzzer will support fuzzing of both the HTTP GET and POST verbs.
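The plug-in interface, the random-length payload generator and the GET/POST replay loop described above, as an added Python sketch that is not Hardanger's or Fiddler2's own code. The `Session` shape, the `send` callback and the one-parameter replacement strategy are assumptions; the transport is injected so the loop can be exercised against a test double and the recorded results inspected afterwards.

```python
from __future__ import annotations
import random
import string
from dataclasses import dataclass
from typing import Callable, Protocol
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

@dataclass
class Session:  # one captured request; the shape assumed here for a Fiddler2 session handed to a fuzzer
    method: str
    url: str
    headers: dict
    body: str = ""

def params_of(session: Session) -> dict:  # fuzzable parameters: query string for GET, form body for POST
    raw = urlsplit(session.url).query if session.method == "GET" else session.body
    return dict(parse_qsl(raw, keep_blank_values=True))

class Fuzzer(Protocol):  # the plug-in interface: one captured session in, (payload, mutated session) out
    def mutate(self, session: Session, param: str) -> tuple[str, Session]: ...

class RandomLengthFuzzer:
    """Replaces one parameter with random printable data whose length lies in a user-configured range."""
    def __init__(self, min_len: int, max_len: int, seed=None):
        if not 0 <= min_len <= max_len:
            raise ValueError("need 0 <= min_len <= max_len")
        self.min_len, self.max_len = min_len, max_len
        self.rng = random.Random(seed)  # seedable so a payload that crashed the server can be replayed
    def payload(self) -> str:
        n = self.rng.randint(self.min_len, self.max_len)
        return "".join(self.rng.choice(string.printable[:-6]) for _ in range(n))  # letters, digits, punctuation
    def mutate(self, session: Session, param: str) -> tuple[str, Session]:
        if session.method not in ("GET", "POST"):
            raise ValueError(f"unsupported verb {session.method}: only GET and POST are fuzzed")
        value = self.payload()
        params = params_of(session)
        params[param] = value  # every other parameter is replayed unchanged
        if session.method == "GET":  # GET: the value travels in the query string
            url = urlunsplit(urlsplit(session.url)._replace(query=urlencode(params)))
            return value, Session("GET", url, dict(session.headers))
        body = urlencode(params)  # POST: the value travels in the form body, so Content-Length must follow
        return value, Session("POST", session.url, {**session.headers, "Content-Length": str(len(body))}, body)

def run(fuzzer: Fuzzer, session: Session, param: str, iterations: int, send: Callable[[Session], int]):
    """Replay the mutated session `iterations` times through `send`; keep (payload, request, status) per run."""
    results = []
    for _ in range(iterations):
        payload, req = fuzzer.mutate(session, param)
        results.append((payload, req, send(req)))
    return results
```

Each recorded tuple carries the exact request that was sent, so a run that produced a server error can be replayed verbatim during later analysis.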

Last edited Feb 2, 2012 at 12:25 AM by mercjr, version 1