OW.A.S.P. Announces Pantera
Dave G. | October 31st, 2006 | Filed Under: Industry Punditry
Got an email the other day about the release of another web application debug proxy (a la SpikeProxy/WebProxy/WebScarab). This one is called Pantera. It’s 100% Python (last week’s was Ruby, or so I hear), and built on top of SpikeProxy.
Pros
A modern looking UI. This is the most noticeable thing about using Pantera, as compared to all of the other debug proxies. It is reasonably intuitive for this type of tool. Also, it’s brand new, so I suspect it will improve over time.
Session Support. Another feature that is indispensable for web app pen testing. You can create a session to store all of the results of an assessment. Also, storing everything to a database will make it easy to build a better reporting system than other tools out there.
Passive Analysis. While the analysis isn’t all that sophisticated yet, it is a nifty idea. You can flag pages or requests that meet certain parameters. For example, flag pages that allow file uploads, have hidden parameters, or set cookies without the secure flag.
Not written in Java. People are more likely to extend it.
Two Heavy Metal Bands in One Product Name. W.A.S.P. and Pantera.
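As an added illustration of the passive checks described above (example code, not Pantera’s own), here is a small Python pass over one recorded HTTP response that flags the three conditions listed: file-upload forms, hidden form fields, and cookies set without the Secure flag. The sample headers and HTML at the bottom are constructed.

```python
# Added example (not Pantera's own code): a minimal passive-analysis pass of
# the kind a debug proxy runs over traffic it has already recorded. It flags
# file-upload forms, hidden fields and Set-Cookie headers lacking Secure.
from html.parser import HTMLParser


class _FormScanner(HTMLParser):
    """Collects file inputs, hidden fields and multipart forms from HTML."""

    def __init__(self):
        super().__init__()
        self.uploads, self.hidden, self.multipart = 0, [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form" and (a.get("enctype") or "").lower() == "multipart/form-data":
            self.multipart += 1
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "file":
                self.uploads += 1
            elif kind == "hidden":
                self.hidden.append(a.get("name") or "?")


def analyze(headers, body):
    """Return (flag, detail) tuples for one response. headers is a list of
    (name, value) pairs as a proxy records them; body is the decoded HTML."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            if "secure" not in (p.lower() for p in parts[1:]):
                findings.append(("cookie-without-secure", cookie))
    scanner = _FormScanner()
    scanner.feed(body)
    if scanner.uploads or scanner.multipart:
        findings.append(("file-upload", f"{scanner.uploads} file input(s)"))
    findings.extend(("hidden-parameter", f) for f in scanner.hidden)
    return findings


# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
                  ("Set-Cookie", "pref=dark; Path=/; Secure")]
SAMPLE_BODY = ('<form action="/upload" method="post" enctype="multipart/form-data">'
               '<input type="hidden" name="csrf" value="x">'
               '<input type="file" name="doc"></form>')
```

Calling `analyze(SAMPLE_HEADERS, SAMPLE_BODY)` yields one finding per condition; the `pref` cookie, which carries Secure, is not reported.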
Cons
Installing it is a little bit of a pain, as it requires some python dependencies, and MySQL 5.x using the old style authentication. This would be less painful if #2 also wasn’t a problem.
Documentation still needs a lot of work. Unless the installation goes flawlessly the first time, you are likely to have a hard time figuring out why things aren’t working. The error output isn’t very useful.
No fuzzing yet. I don’t know why this always ends up late on the laundry list of things to be implemented for a debug proxy. It is one of the few things that really makes life easier. It’s generally weak on features right now.
If they can keep momentum going, this will be an invaluable tool for people doing web app assessment work.


Jeremiah Blatz
October 31st, 2006 4:54 pm
Non-b0rked URL:
https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=208668
Simon Roses Femerling
November 1st, 2006 10:36 am
Hi Dave,
I’m the author of Pantera and thanks for the review.
Let me answer your points.
I know the installation is not the best and we are working on making it easier. For starters Pantera will be included in the BackTrack Live CD and OWASP Live CD so there is no need to install Pantera.
The reason Pantera has no fuzzing capabilities is because we are currently working on an application scanning engine that will offer much more than just fuzzing and we want to do things right.
By the way, Pantera has nothing to do with the music band; Pantera is the Spanish word for Panther.
We plan to continue with the development and support to create a nice assessment tool that people can use.
Sincerely,
Simon Roses Femerling
Dave G.
November 1st, 2006 1:10 pm
Simon:
Best of luck, I think you are off to a good start! Name the application scanning engine ‘Sepultura’ and I will give you a dollar.
dre
November 1st, 2006 3:44 pm
Outside of fuzzing (which SPIKEProxy is great for) I see no reason to move from Burp. Although Suru (SensePost Research) looks interesting, certainly better than Pantera. I’d rather you plug that.
Oliver Day
November 2nd, 2006 8:14 am
“Not written in Java. People are more likely to extend it.”
This was my biggest gripe about WebProxy and thanks for pointing it out. The lack of fuzzing is a pretty big loss (for now) and if WebProxy were still in circulation I would prefer it for just this reason. But to tie my points together WebProxy lacked support for SOAP fuzzing and even when I was given the chance to add this functionality I didn’t because it was written in Java which I didn’t know and wasn’t inclined to learn.
p.s. Beansec III will be real soon, like 2 weeks or so. I’m thinking Nov 15th…
dr but not dragos
November 2nd, 2006 10:08 am
I find Pantera suffers from the same things SpikeProxy does - namely a broken HTTP implementation. It chokes on many corner cases and is verrrry slow compared to most of its competitors. Burp, on the other hand, is rock solid. More so than even the popular commercial offerings by Watchfire and SPI (no surprise here). I also find the interface to Pantera no easier to navigate than SpikeProxy. And have you looked inside? Very scary. (Sorry Dave A.)
Also the MySQL requirement is a deal breaker. Python’s got more than adequate bsddb support - a far easier prerequisite for most people to deal with.
Here’s wishing for a bare bones, easily extensible pure Python tool along the lines of WebProxy. Let’s let Ruby live in the future, where it belongs.
Suru looks nice, and it’s refreshing to see that someone finally got the right idea about how to present fuzz results.
Dave G.
November 2nd, 2006 12:32 pm
My big issues with Suru are:
1) It’s not free
2) It’s not open source
3) It only runs on Windows
I haven’t looked at SpikeProxy in a while, but from what I remember, Pantera was easier for me to navigate.
fuzzy engine
November 12th, 2006 7:53 am
I successfully installed Pantera (I’m one of those two or three) and after first contact and quick testing realized that anybody can do an assessment. Of course, once the application is installed everything flows nicely, I mean, you have to look for open ports on your system to know where Pantera is listening, and to “guess” you can go to http://pantera once you have located the port.. from there.. you can do (pay attention) almost all the things you can do with your browser, even close it, and start a real scanner.
If we go beyond and see the code, well, better if we don’t.. but if we think about security, how will you attack with a broken gun? I’ve discovered a new feature not included in the documentation (well.. many of the lost features are not included, but specially one.. not supposed to be there): feel free to download any file contained in the Pantera directory, for example, the private certificate for the SSL communications or the stored data (and now I can’t remember if the configuration may be downloaded also).
Far away from being a serious project with a designed development plan, it looks more like another “test this crap”. And I wonder.. what will be finished first.. Pantera or the fuzzy engine? Or both? I mean, is the crew working on the fuzzy engine the same as the crew involved in Pantera? Is the fuzzy engine to be included in the Pantera project? What are the other features of the fuzzy?
Do you have a project plan for all this? I wouldn’t like to waste my time getting close to a project that’s more likely to be abandoned soon or never finished than a really active one.
fuzzy engine
November 14th, 2006 7:57 am
A little detail about the kind of development revolving around Pantera..
When it was first named on this site, there was a very-really-fast answer from Simon about the program and the points stated by Dave.. just in the 24 hours bag..
# Dave G. | October 31st, 2006
# Jeremiah Blatz October 31st, 2006 4:54 pm
# Simon Roses Femerling November 1st, 2006 10:36 am
Although, no answer about the bad critics, neither about the planning or evolving of Pantera and its fuzzy.
Sounds more like an exhaustive googling about good critics -AKA test this crap-. In a real development plan a good project follow-up and internet presence should be done in a regular way, accepting both good and bad critics.
Simon, I just wonder about your point about Pantera, as the developer, and I want to do it here, as this is the place where I first heard of it.
Thanks in advance..
Simon Roses Femerling
November 14th, 2006 8:32 am
Dear Fuzzy Engine,
I haven’t answered your questions faster because I didn’t know about your posts.
If you want fast answers, please write to my email or the Pantera mailing list.
About Pantera, development is going quite well and we are making progress, but slowly. Yes, we are working on a fuzzing engine, not related to OWASP fuzzy, and more interesting stuff, but it will take time…
Sincerely,
Simon Roses Femerling
fuzzy engine
November 14th, 2006 9:51 am
So it’s ok.. I realized that you answer when you want. No problem, I will start my adventure mailing OWASP with these topics.
I’m impressed you didn’t forward this conversation to any link regarding answers, and presume I’m the first questioning such things.. The closer I get the darker it turns..
Thanks in advance, Simon, now that you know the questions, feel free to write the answers so when I ask you on the OWASP mailing list nobody gets scared.. there you wouldn’t say I didn’t know about the question.
I appreciate your effort to make a good (even if it’s slow) program.. once.. googling a little shows some more “test-this-never-finished-never-go-beyond-beta” projects than I’d expected.. Good luck!
Simon Roses Femerling
November 14th, 2006 10:30 am
Sure
Simon Roses Femerling