WATOBO – The Web Application Security Auditing Toolbox


WATOBO – The Web Application Security Auditing Toolbox – is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits.

It is capable of passive as well as active scanning and this latest is its real value added. It enables to automatize the discovery of common vulnerabilities (XSS, LFI, SQL injections etc) in web applications.

WATOBO - The Web Application Security Auditing Toolbox

WATOBO works like a local proxy, similar to ZAP, Paros or Burp Suite but in Ruby, when the rest are pretty much in JAVA.

Features

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOB can act as an transparent proxy
  • WATOBO has anti-CSRF features
  • WATOBO can perform vulnerability checks out of the box.
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easiely define your own checks
  • WATOBO is free software ( licensed under the GNU General Public License Version 2)

Scanning/Active Checks


During a scan all selected active modules will be used to test the one or more chats (chat = request/response pair). The total amount of resulting requests is hard to predict because in most cases it depends on the number of parameters and the module itself. Here’s the list of the currently available active checks:

  • Server-Status page
  • Directory Walker
  • FileExtensions
  • HTTP Methods
  • Lotus Domino DB Enumeration
  • .NET Custom Error
  • .NET Files
  • Local File Inclusion
  • Crossdomain Policy
  • Basic JBoss enumeration
  • SAP ITS: Default Commands
  • SAP ITS: Default Services
  • SAP ITS: Service Parameters
  • SAP ITS: XSS
  • Siebel Applications
  • Error-based SQL-Injection
  • Time-based SQL Injection
  • Boolean SQL-Injection
  • Numerical SQL-Injection
  • XML-XXE
  • NextGeneration Cross Site Scripting Checks
  • Simple Cross Site Scripting Checks

You can download WATOBO 0.9.20 gem here:

watobo-0.9.20.gem

Or read more here.

Posted in: Hacking Tools, Web Hacking

, , , , , ,


Latest Posts:


tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.


Comments are closed.