October 21, 2005
Shreeraj Shah has just published Assessing Web App Security with Mozilla over on ONLamp.com. It's really more about introducing LiveHTTPHeaders than the guts of a security assessment, but it does point the way. It's not unlike the talk I gave at this spring's MnSCU IT conference (handouts). I like LiveHTTPHeaders for just this purpose, and I use it all the time. (In fact, I used it just yesterday when reviewing PHPSurveyor, an app that has its share of problems.) More and more, though, I find that I'm using Fiddler, at least when I'm on a Windows box and don't have to deal with HTTPS. Fiddler offers a lot of detail that I find useful.
Still, I do fire up LiveHTTPHeaders when I just need a quick overview of what's happening and want to manipulate requests. I also use it to introduce developers to HTTP. Too often I find that developers don't have a solid understanding of HTTP basics, which has a direct impact on their ability to write secure web applications.
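To make the "HTTP basics" point concrete, here is a small added example (my own illustration, not code from the article, from LiveHTTPHeaders or from Fiddler) that parses a raw request exactly as a header-inspection tool displays it, and then checks the request against a few HTTP/1.1 rules a server should enforce rather than assume. The sample request is constructed for the example, and the function names `parse_request` and `check_request` are my own.

```python
"""Parse and sanity-check a raw HTTP/1.1 request as a header-inspection tool shows it.

Added example for this post; it is not code from the original article, from
LiveHTTPHeaders or from Fiddler. The sample request below is constructed.
"""
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    method: str
    target: str
    version: str
    headers: Dict[str, str]   # names lower-cased; a repeated name keeps the last value
    body: str


# Constructed sample request, as it appears on the wire (CRLF line endings).
# Every line of it, Cookie and Referer included, is text chosen by the client.
SAMPLE_REQUEST = (
    "POST /account/update HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://www.example.com/account\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "email=me%40example.com"
)


def parse_request(raw: str) -> Request:
    """Split a raw request into its request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")   # blank line ends the headers
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers, body)


def check_request(req: Request) -> List[str]:
    """Return the basic HTTP/1.1 rules the request breaks (empty list means clean).

    These are the checks a server must do itself: nothing the client sends can
    be taken as self-consistent just because it arrived in the right shape.
    """
    problems: List[str] = []
    if req.version != "HTTP/1.1":
        problems.append(f"unexpected version {req.version!r}")
    if "host" not in req.headers:
        problems.append("HTTP/1.1 requires a Host header")
    body_len = len(req.body.encode("utf-8"))
    if "content-length" in req.headers:
        try:
            declared = int(req.headers["content-length"])
        except ValueError:
            problems.append("Content-Length is not an integer")
        else:
            if declared != body_len:
                problems.append(f"Content-Length {declared} != body length {body_len}")
    elif req.body:
        problems.append("body present without Content-Length")
    return problems


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, req.version)
    for name, value in req.headers.items():
        print(f"  {name}: {value}")
    print("problems:", check_request(req) or "none")
```

Run it as-is and the sample parses cleanly; delete the Host line or change the Content-Length value in `SAMPLE_REQUEST` and `check_request` reports each rule broken, which is the same experiment you can do by hand in LiveHTTPHeaders' replay window to see how a server reacts.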
LiveHTTPHeaders is a fine tool, and Shreeraj Shah's article is a good introduction. If you've never used it, a few minutes reading that will get you started and point you in the right direction. And maybe give you a little insight into the sorts of things an attacker can do quite easily.