afongen
Sam Buchanan's weblog.

Web App Security Assessment with LiveHTTPHeaders

Shreeraj Shah has just published Assessing Web App Security with Mozilla over on ONLamp.com. It's really more about introducing LiveHTTPHeaders than the guts of a security assessment, but it does point the way. It's not unlike the talk I gave at this spring's MnSCU IT conference (handouts). I like LiveHTTPHeaders for just this purpose; I use it all the time. (In fact, I used it just yesterday when reviewing PHPSurveyor, an app that has its share of problems.) More and more, though, I find that I'm using Fiddler, at least when I'm on a Windows box and don't have to deal with HTTPS. Fiddler offers a lot of detail that I find useful.

Still, I do fire up LiveHTTPHeaders when I just need a quick overview of what's happening and want to manipulate requests. I also use it to introduce developers to HTTP. Too often I find that developers don't have a solid understanding of HTTP basics, which has a direct impact on their ability to write secure web applications.
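As an added illustration (not code from the post, from LiveHTTPHeaders or from Fiddler) of the kind of "HTTP basics" a developer can pick up from looking at raw headers, here is a small Python script that parses a capture in the request/blank line/response layout LiveHTTPHeaders displays and reports what a reviewer would look for first: session cookies set without the HttpOnly or Secure attributes, and Server/X-Powered-By headers that disclose a version number. The capture text, the hostname, the cookie values and the version strings are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout LiveHTTPHeaders shows: the request, a blank
# line, then the response.  Every hostname, cookie value and version string
# here is made up for this example.
SAMPLE_CAPTURE = """\
GET /account?id=42 HTTP/1.1
Host: www.example.test
User-Agent: Mozilla/5.0 (example)
Cookie: PHPSESSID=3f2a1c9e
Referer: https://www.example.test/login

HTTP/1.1 200 OK
Date: Mon, 01 Jan 2005 00:00:00 GMT
Server: Apache/1.3.33 (Unix)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=3f2a1c9e; path=/
Set-Cookie: remember=1; path=/; secure; HttpOnly
Content-Type: text/html
"""

# A message is its start line plus an ordered list of (name, value) headers.
# A list, not a dict, because Set-Cookie may legitimately appear several times.
Message = Tuple[str, List[Tuple[str, str]]]


def parse_capture(text: str) -> List[Message]:
    """Split a capture into request/response messages at blank lines."""
    messages: List[Message] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        start_line = lines[0].strip()
        headers: List[Tuple[str, str]] = []
        for line in lines[1:]:
            # Split only on the first colon so values such as URLs survive.
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        messages.append((start_line, headers))
    return messages


def cookie_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag Set-Cookie headers missing the HttpOnly or Secure attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


def disclosure_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag Server / X-Powered-By values that carry a version number."""
    findings = []
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} header discloses a version: {value}")
    return findings


def audit_capture(text: str) -> List[str]:
    """Run the checks over every response message in a capture."""
    findings: List[str] = []
    for start_line, headers in parse_capture(text):
        if start_line.startswith("HTTP/"):  # responses only
            findings.extend(cookie_findings(headers))
            findings.extend(disclosure_findings(headers))
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Run on the constructed capture it reports the PHPSESSID cookie twice (no HttpOnly, no Secure) and both version-disclosing headers, while the second cookie passes. The same parser also makes the other half of the lesson concrete: everything in the first message, including Cookie and Referer, was sent by the client and can be edited before it leaves the browser, which is exactly what the request-manipulation feature of LiveHTTPHeaders lets a reviewer demonstrate.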

LiveHTTPHeaders is a fine tool, and Shreeraj Shah's article is a good introduction. If you've never used it, a few minutes reading that will get you started and point you in the right direction. And maybe give you a little insight into the sorts of things an attacker can do quite easily.