Published on August 31st, 2011 | by NJ Ouchn


Watobo Version 0.9.7 Revision 544 available

Blackhat is the kind of place where you meet great dudes and buddies. The kind of place where you recognize people by their badges and say: “Holy Sh…. that’s Andreas from Watobo. I use his tool in my web pentesting work”. So today, I’ve just received a mail from Andreas about the latest Watobo version.

Andreas is a nice guy and a talented hacker.



WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. We are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

Here’s a brief summary of its features:

  • Session Management; Login scripts, logout recognition, automated relogin
  • One-Time-Token support; for testing CSRF protected functions
  • NTLM-Authentication for servers and proxies
  • Active security checks: SQLi, XSS, LFI, DirWalker, HTTP-Methods, JBoss, SAP, …
  • Passive checks/filters: Cookie-Options, Login-Encryption, DOMXSS, …
  • Plugins: SSLChecker, FileFinder and Catalog-Scanner
  • Fuzzer: fuzz engine, e.g. for username enumeration or collecting cookies
  • Manual Request Editor: customize and send requests
  • Differ: diffing request/response pairs

= NEWS =
There are lots of new functions/features like:

  • MasterPassword for encrypting Proxy- and WWW-Auth-Passwords
  • Hotkey-Help: Press F1 to view all Hotkeys for the focused widget – Works in ManualRequestEditor, Interceptor, ChatViewers
  • Interceptor: Intercept Filters, Editor, Hotkeys – almost complete rewrite
  • Passive Module: ‘DOM XSS’ – checks for javascript code which manipulates DOM and may be misused for XSS
  • Passive Module: ‘Detect One-Time-Tokens’ – checks for parameters which may be used to prevent CSRF-Attacks
  • ManualRequest Following Redirects Automatically (optional)
  • ManualRequest: Added Hotkeys for ‘send’ (ctrl-enter) and transcoding ctrl-[shift]-b (base64), ctrl-[shift]-u (url)
  • ManualRequest: new Transform ‘Get -> Post’
  • TableEditor: Added Hotkeys; ctrl-[shift]-b (base64), ctrl-[shift]-u (url), ctrl-enter (send request)
  • Passive Module: ‘Detect Code’ – Now also checks for ASP-Snippets
  • ConversationTable: added SSL-Icon for encrypted chats
  • TextView: added Match-Navigation for ‘Highlight’- and ‘Grep’-Filter
  • One-Time-Token-Dialog: Target chat is also visible for OTT-pattern creation.
  • WATOBO-Logo: watobo-48×48.png for nice desktop shortcuts/launchers
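To make the ‘Detect One-Time-Tokens’ passive module above more concrete, here is a small illustration written for this post (not Watobo’s own code, though it is in Ruby, the language WATOBO is written in): fetch the same page twice, collect the hidden form fields, and report those whose value changed and looks random enough to be an anti-CSRF token. The markup, field names and thresholds are constructed for the example.

```ruby
require 'cgi'

# Extract name => value for <input type="hidden"> tags with a simple regex
# (sufficient for the constructed markup below; a real scanner should use an HTML parser).
def hidden_fields(html)
  fields = {}
  html.scan(/<input\b[^>]*>/i) do |tag|
    next unless tag =~ /type\s*=\s*["']?hidden["']?/i
    name  = tag[/name\s*=\s*["']([^"']+)["']/i, 1]
    value = tag[/value\s*=\s*["']([^"']*)["']/i, 1]
    fields[name] = CGI.unescapeHTML(value.to_s) if name
  end
  fields
end

# Shannon entropy in bits per character: random tokens score high, words and ids low.
def entropy(str)
  return 0.0 if str.empty?
  str.each_char.tally.values.sum { |c| p = c.to_f / str.length; -p * Math.log2(p) }
end

# Compare two fetches of the same page. A field is a likely one-time token when it
# appears in both, its value changed, and both values are long and high-entropy.
def detect_one_time_tokens(html_a, html_b, min_len: 16, min_entropy: 3.0)
  a, b = hidden_fields(html_a), hidden_fields(html_b)
  (a.keys & b.keys).select do |name|
    va, vb = a[name], b[name]
    va != vb && [va, vb].all? { |v| v.length >= min_len && entropy(v) >= min_entropy }
  end
end

# Constructed sample responses: the same form fetched twice.
RESPONSE_A = <<~HTML
  <form method="post" action="/transfer">
    <input type="hidden" name="csrf_token" value="f3a9c1e07b2d4e8a9c6b1d0f5e7a2c48">
    <input type="hidden" name="account_id" value="12345">
    <input type="hidden" name="lang" value="en">
  </form>
HTML
RESPONSE_B = <<~HTML
  <form method="post" action="/transfer">
    <input type="hidden" name="csrf_token" value="0b7e4d2a9c1f6e3b8d5a2c7e1f9b4a60">
    <input type="hidden" name="account_id" value="12345">
    <input type="hidden" name="lang" value="de">
  </form>
HTML

puts "One-time-token candidates: #{detect_one_time_tokens(RESPONSE_A, RESPONSE_B).inspect}"
```

Only `csrf_token` is reported: `account_id` is unchanged and `lang` changed but is far too short and predictable to be a token.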

More information as well as (new) video tutorials are available at the project page http://watobo.sourceforge.net


