Using Burp Proxy
Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
- Java, available for free from : http://java.sun.com/j2se/downloads.html
- Copy of Burp Suite, free version : http://portswigger.net/burp/download.html
Burp Suite contains the following key components:
Proxy :- It operates as a man-in-the-middle between your browser and the target application. It is an intercepting proxy, which lets you inspect and modify HTTP/S traffic between your browser and the target application.
Spider :- An application-aware spider, for crawling content and functionality. It is a tool for mapping web applications by actively crawling the application, by automatically following links, submitting forms, and parsing responses for new content.
Scanner :- Available in paid version only. It is an advanced web application scanner, for automating the detection of numerous types of vulnerability. Unlike other scanners, Burp gives you fine-grained control over which items get scanned, and gives you immediate feedback and results for each scanned item. Depending on your requirements, you can use Burp Scanner to perform; passive scanning, active scanning and directed scanning.
Intruder :- An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities. It is a tool for automating customized attacks against web applications, to identify and exploit all kinds of security vulnerabilities.
Repeater :- Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses. It is best used in conjunction with the other Burp Suite tools. For example, you can send a request to Repeater from the target site map, from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.
Sequencer :- Sequencer is a tool for analyzing the degree of randomness in security-critical tokens issued by an application. It is typically used to test the quality of an application’s session tokens or other items, such as CSRF nonces, on whose unpredictability the application depends for its security.
Decoder: Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Comparer: Comparer is a simple tool for performing a comparison between any two items of data. In the context of attacking a web application, this requirement will typically arise when you want to quickly identify the differences between two application responses , or between two application requests.
PS:- Click on enabled components for detailed information on its working, as per my knowledge.