WATOBO: The Web Application Toolbox!

Think web application penetration testing and tools like Burp Suite, Fiddler and the likes. Now, you can also start thinking of WATOBO, the Web Application Toolbox! Why, you will come to know as you read this write-up!

This tool was presented at the recently held OWASP-Stuttgart in April 2010! The Web Application Toolbox has been programmed in such a way so as to enable security professionals help perform highly efficient (semi-automated ) web application security audits. The author Mr. Andreas Schmidt, is convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.
The working of this tool is similar to WebScarab, Paros or Burp in a sense. It has a good GUI and also supports a command line input. Also, since it is semi-automated, it does not actually need to be adjusted for optimum results and correctly configured. Human intervention will obviously do good over a completely automated process. It can perform two types of checks – active and passive. Passive checks analyze data for normal browsing, including but not limited to cookie security related operations. Active checks generate questions that can be used for while say – SQL injection checks or other checks. Other than these, no additional requests are sent to the application!

What really bought us in for this tool is session-management which any free tool lacks! Burp Professional has it, but it is not free. The same with NetSparker. Also, these tools often have only limited automated functions. Customizing paid tools is not easy either. Not this one. Another good thing about this tool is that it can be quickly adapted to new requirements. In short with this tool, you can enjoy benefits of both worlds manual and automatic tools combined!

Functions of WATOBO:

• Supports session management.
• Detects logout and automatically takes a re-login.
• Supports filter functions
• Inline-Encoder/Decoder
• Includes vulnerability scanner
• Quick-scan for targeted scanning a URL
• Full-scan to scan a whole session
• Manual request editor with special functions
• Session information is updated
• Login can be done automatically
• Transcoder
• URL, Base64, MD5, SHA-1
• Interceptor
• Fuzzer
• Free, Stable and Open source!
• Script code easy to understand
• Easy to extend / adapt
• In real-world scenarios tested and developed
• Speed / usability
• Active and Passive checks

A sample screen shot of the tool:

This tool has been programmed in FxRuby which some people might not be open to work with. It will support most Windows operating systems. *Nix compatibility has not been checked or verified by us. But, the language as such supports most *Nix flavours. Other than that, it is pretty much set to be one of the top free web assessment tool. Just look at the road map that the author has planned:

• Extension of check-modules – e.g. enumeration checks (directories, file extensions ,…)
• Integration of other open-source tools such as Nikto
• WebServices / SOAP support
• Expansion of the functions / GUI

At less than 300 KB download for this tool, you sure can give it a try just like we did and were VERY impressed by this tool. Download it’s current version, which was released about 20 hours ago – watobo version 0.9.1-95 here. A set of videos that deal with the application installation, use and performing a full scan can be found here.