Its official name is "OWASP Mantra Security Toolkit".
OWASP Mantra can be described as a comprehensive collection of tools for penetration testing.
The current version is OWASP Mantra Security Toolkit 0.92 beta, code-named Janus.
OWASP Mantra is built on the Firefox 18 engine.
Let's look at which security tools it includes.
Information Gathering
Flagfox: Displays a flag icon indicating the current webserver's physical location, with many additional features.
JSView: Get straight access to scripts and stylesheets included in the current web page.
PassiveRecon: Perform passive discovery of target resources utilizing publicly available information.
Wappalyzer: Uncovers underlying technologies used on websites such as CMS, e-commerce systems, JavaScript frameworks, analytics tools, etc.
View Dependencies: Shows you all the files which were loaded to show the current page.
Link Sidebar: View, search and test hyperlinks in a web page.

Editors
JSView: Get straight access to scripts and stylesheets included in the current web page. View the source code of external stylesheets and JavaScripts.
Firebug: Edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Proxy
HTTP Fox: A built-in local proxy for analyzing traffic.
FoxyProxy: A proxy management tool with the ability to switch between multiple proxies with a few clicks.
Proxy Tool: A proxy management tool with lots of additional features to enhance privacy.

Application Auditing
Hackbar: Simple security audit / penetration test tool.
RESTClient: Visit and test RESTful/WebDAV services.
Tamper Data: Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
Live HTTP Headers: View the HTTP headers of a page while browsing.
RefControl: Control what gets sent as the HTTP Referer on a per-site basis.
User Agent Switcher: Various web developer tools in the browser.
Web Developer: Various web developer tools in the browser.
DOM Inspector: Inspect and edit the live DOM of any web document or XUL application.
Inspect This: Inspect the current element with the DOM Inspector.
Form Fox: Displays the form action, i.e. the site to which the information you've entered is being sent.
SQL Inject Me: Test for SQL injection vulnerabilities, which can cause a lot of damage to a web application.
XSS Me: Test for XSS vulnerabilities, which can cause a lot of damage to a web application.
Cookies Manager+: View, edit and create cookies.
Firecookie: View and manage cookies.
Autofill Forms: Autofill Forms enables you to fill out web forms with one click or a keyboard shortcut.
Cookie Monster: Cookie Monster provides proactive cookie management on a site or domain level basis, including 3rd-party cookies.
Fireforce: Brute-force attacks on GET or POST forms.
Groundspeed: Groundspeed is an add-on that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with web application penetration tests.
Http Requester: A tool for easily making HTTP requests (GET/PUT/POST/DELETE), viewing the responses, and keeping a history of transactions.
Modify Headers: Add, modify and filter the HTTP request headers sent to web servers. This add-on is particularly useful for mobile web development, HTTP testing and privacy.
Poster: A developer tool for interacting with web services and other web resources that lets you make HTTP requests, set the entity body, and set the content type.

Network Utility
FireFTP: FTP/SFTP client which provides intuitive access to FTP/SFTP servers.
SQLite Manager: Manage any SQLite database on your computer.
FireSSH: SSH client.
DNS Cache: Allows you to disable and enable the DNS cache of Firefox.
HTTP Fox: Monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.

Misc
Greasemonkey: Customize the way web pages look and function. A userscript manager for Firefox.
Greasefire: Automatically finds Greasemonkey scripts on Userscripts.org.
CacheToggle: Disable and optionally clear the browser cache with the flick of a switch.
URL Flipper: Easily increment or decrement a portion of a URL without having to manually edit the text in the Location Bar.
Event Spy: DOM event spy add-on. Lets you watch JavaScript events as they occur.
Stacked Inspector: Switch DOM Inspector to an over/under vertical layout instead of the usual side-by-side panel layout.
Scriptish: The greatest user script engine on the Internet (a fork of Greasemonkey).
Session Manager: Session Manager saves and restores the state of all windows. It can also automatically save the state of open windows individually.
Fire Encrypter: Encrypt, decrypt and hashing functions utility.
DownThemAll: An easy-to-use and functional download manager.

Application Auditing (continued)
Websecurify: Websecurify is a powerful, cross-platform web security testing technology designed from the ground up with simplicity in mind.
Ra.2: Blackbox DOM-based XSS scanner.
Ref Spoof: Easy spoofing of the URL referer (referrer), featuring a toolbar.
NoRedirect: Take control of web page redirects for fun and profit.
A book that makes good study material for penetration testing in general, not just Mantra, is
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide.
Because OWASP Mantra is based on Firefox, if you use Firefox as your everyday web browser the two cannot, by default, be run at the same time.
To use OWASP Mantra and Firefox together, modify the shortcut of either OWASP Mantra or Firefox:
create a shortcut to the OWASP Mantra executable, then edit the Target field in the shortcut file's Properties.
Before: "C:\OWASP Mantra\MantraPortable\MantraPortable.exe" //C:\OWASP Mantra\MantraPortable
After: "C:\OWASP Mantra\MantraPortable\MantraPortable.exe" -no-remote
After modifying the Mantra shortcut, start your existing Firefox first and then launch the Mantra shortcut.
Alternatively,
if Firefox is already pinned to the taskbar, change the properties of the pinned icon instead.
The pinned taskbar icons are located at:
C:\Users\bluesky\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Go to that location, open the Properties of 'Mozilla Firefox',
and change the Target (T): field as follows:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-remote
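The same shortcut change, done from PowerShell instead of the Properties dialog. This is an added example, not code from the original post or from the Mantra project: it edits a .lnk file through the WScript.Shell COM object and adds -no-remote to its arguments. The executable and pinned-shortcut paths are the ones quoted above; the desktop location of the Mantra shortcut is an assumption.

```powershell
# Added example; not from the original post or the Mantra project.
# Edits a Windows .lnk shortcut via the WScript.Shell COM object so the
# target is launched with -no-remote. Paths are those quoted in the post,
# except the desktop location of the Mantra shortcut, which is assumed.

function Set-NoRemoteShortcut {
    param(
        [Parameter(Mandatory)] [string] $ShortcutPath,   # .lnk file to create or update
        [Parameter(Mandatory)] [string] $TargetExe,      # executable the shortcut should launch
        [switch] $ReplaceArguments                       # discard existing arguments instead of appending
    )
    $shell = New-Object -ComObject WScript.Shell
    # CreateShortcut loads an existing .lnk, or prepares a new one at that path
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath = $TargetExe
    $argString = if ($ReplaceArguments) { '' } else { [string]$lnk.Arguments }
    # Add -no-remote only once, so re-running the script does not duplicate it
    if ($argString -notmatch '(^|\s)-no-remote(\s|$)') {
        $argString = "$argString -no-remote".Trim()
    }
    $lnk.Arguments = $argString
    $lnk.Save()
    # Return what was written so the result can be checked
    [pscustomobject]@{
        Shortcut  = $ShortcutPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
}

# Mantra shortcut: replace the portable launcher's "//C:\OWASP Mantra\MantraPortable"
# argument with -no-remote (the before/after change shown in the post).
Set-NoRemoteShortcut -ShortcutPath "$env:USERPROFILE\Desktop\OWASP Mantra.lnk" `
                     -TargetExe 'C:\OWASP Mantra\MantraPortable\MantraPortable.exe' `
                     -ReplaceArguments

# Pinned Firefox shortcut: keep its target and existing arguments, append -no-remote.
# $env:APPDATA expands to C:\Users\<name>\AppData\Roaming, the folder the post points at.
Set-NoRemoteShortcut -ShortcutPath "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk" `
                     -TargetExe 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
```

-no-remote tells the newly started Firefox not to hand its command line to an instance that is already running, which is why the second browser opens as its own process. The two instances still have to use different profiles: Mantra's portable build carries its own, so this works out of the box, but pointing both shortcuts at the same profile would make the second start fail with a profile-in-use error.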