Hardanger is an open source web application penetration testing tool led by security researchers from SecurityWire. The project aims to bring the kind of open source web application testing tools commonly used in a Linux environment to native Windows platforms, at the same level of capability. Hardanger delivers a user-friendly experience for semi-automated web application penetration testing by building its tools on top of the excellent Fiddler2 web debugger.
The project deliverable is a Fiddler2 (http://www.fiddler2.com) add-on DLL written in C#, easily installed with a .msi installer; a standalone application is also available for users who do not want the integrated Fiddler2 experience. Hardanger is architected so that it can easily be extended with further functionality. The first version includes only a simple HTTP(S) GET and POST parameter fuzzer, but it lays a foundation on which additional fuzzers and detection engines, as well as other features, can be plugged in with little effort. Once server fuzzing is polished and state of the art, the project will go on to add features such as a web browser fuzzer, a brute-force tool, manual tampering, a crawler, passive vulnerability detection, and recon tools.
Current Features
- Native Windows feel via Windows Presentation Foundation
- Can run as a Fiddler2 add-on or standalone
- ClickOnce installer with automatic updates (standalone version)
- Context tab allowing inspection of full HTTP requests
- Server fuzzer tab to configure and launch the server fuzzer
- Basic random fuzzer that generates random-length strings of random UTF-8 characters
- Detection engine that flags any non-HTTP-200 response
- Results window that keeps track of successful detections
- Ability to review the matching requests and responses in the results details window
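The fuzz-and-detect loop behind the last four features (mutate one GET or POST parameter at a time with a random-length string of random UTF-8 characters, send it, keep every response whose status is not 200) is small enough to show end to end. The following is an added illustration written for this page in Python; it is not Hardanger's code and does not use the Fiddler2 API. The `send` callable and the `demo_target` endpoint (which fails with 500 when the `q` parameter exceeds a constructed 100-byte column limit) are stand-ins for a real HTTP client and a real application, and the `Request` and `Finding` types are assumptions made for the example. Surrogate code points are skipped so that every generated string is actually encodable as UTF-8 and can be put on the wire.

```python
"""Minimal GET/POST parameter fuzzer with a non-HTTP-200 detector.

Added example for illustration only; not Hardanger's code and not the
Fiddler2 API. `send` and `demo_target` are constructed stand-ins for a
real HTTP client and a real target application.
"""
import random
import urllib.parse
from dataclasses import dataclass


@dataclass
class Request:          # assumed request model for the example
    method: str         # "GET" or "POST"
    path: str           # e.g. "/search"
    query: dict         # query-string parameters
    form: dict          # urlencoded body parameters (POST only)


@dataclass
class Finding:          # one successful detection
    location: str       # "query" or "form"
    param: str
    payload: str
    status: int


def random_utf8_string(rng, max_len=64):
    """Random length in 1..max_len, random Unicode scalar values.

    Surrogates (U+D800..U+DFFF) are skipped: they cannot be encoded as
    UTF-8, so keeping them would make the payload unsendable."""
    length = rng.randint(1, max_len)
    chars = []
    while len(chars) < length:
        cp = rng.randint(0, 0x10FFFF)
        if 0xD800 <= cp <= 0xDFFF:
            continue
        chars.append(chr(cp))
    return "".join(chars)


def to_http(req):
    """Encode a Request as (url, body) the way an HTTP client sends it."""
    url = req.path
    if req.query:
        url += "?" + urllib.parse.urlencode(req.query, encoding="utf-8")
    body = None
    if req.method == "POST":
        body = urllib.parse.urlencode(req.form, encoding="utf-8").encode("ascii")
    return url, body


def fuzz_parameters(base, send, iterations, seed=0):
    """Mutate one parameter at a time and record every non-200 response."""
    rng = random.Random(seed)   # fixed seed so a run can be replayed
    targets = [("query", k) for k in base.query] + [("form", k) for k in base.form]
    findings = []
    for _ in range(iterations):
        for location, name in targets:
            payload = random_utf8_string(rng)
            req = Request(base.method, base.path, dict(base.query), dict(base.form))
            getattr(req, location)[name] = payload
            status = send(req)
            if status != 200:       # detection engine: anything but 200 is a hit
                findings.append(Finding(location, name, payload, status))
    return findings


# Constructed target: a "search" endpoint that stores `q` in a column holding
# at most 100 bytes of UTF-8 and answers 500 when the value is longer.
MAX_COLUMN_BYTES = 100


def demo_target(req):
    params = req.query if req.method == "GET" else req.form
    value = params.get("q", "")
    if len(value.encode("utf-8")) > MAX_COLUMN_BYTES:
        return 500
    return 200


def run_demo(iterations=20):
    """Fuzz both the `page` query parameter and the `q` form parameter."""
    base = Request("POST", "/search", {"page": "1"}, {"q": "test"})
    return fuzz_parameters(base, demo_target, iterations)


if __name__ == "__main__":
    for f in run_demo():
        url, body = to_http(Request("POST", "/search", {"page": "1"}, {"q": f.payload}))
        print(f.status, f.location, f.param, len(f.payload.encode("utf-8")), "bytes", len(body), "body bytes")
```

Because the generated strings are mostly supplementary-plane characters, a 64-character payload is about 250 bytes once UTF-8 encoded and several times that once percent-encoded, which is exactly why random lengths and random code points both matter: a limit expressed in bytes, characters or encoded form each trips at a different payload size. In a real run the `send` callable would issue the request through the proxy and return the status code, and each `Finding` would carry the full request and response for review in a results window.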