Suru is a man-in-the-middle (MITM) proxy that sits between the user's browser and the web application. It was written in the early days of web application hacking and has since been deprecated in favour of more modern tools. The source is available for download. It receives all the requests made by the browser and records it. The requests can be modified in any way and replayed. Suru not only catches requests that were made by the user, but also requests that use the IE object, such as rich applications using web services, MSN ads, Google Earth requests, application auto-updates etc. The proxy understands multipart POSTs (MPPs) and XML POSTs (used for web services).
Source code available at GitHub.
Web application fuzzer
Suru gives the analyst the ability to fuzz any part of the HTTP request. This
obviously includes GET and POST parameters, but can also be extended to
Content-length: etc. The analyst can choose to fuzz any point
of the HTTP request header or body. These Fuzz control points can be fuzzed
with any value - and Suru includes some sample fuzz strings by default. After
fuzzing, the analyst can choose to "auto group" the responses. This means that
the application will compare the response to a base response (similar to what
CrowBar does) and automatically group the responses according to its difference
to the base response. In simple terms, that means that Suru will tell you how
many different responses were received, with slightly different responses (e.g.
when the response only differ by one character) grouped together. The analyst
has the ability to set the tolerance of this grouper and the granularity of the
The SensePost Suru web proxy has the ability to perform the same type of
"back-end" functionality as Wikto has. But it goes
one step further: As you browse, Suru automatically detects when a new
directory is used (e.g. when the user surfed to
/abc/ is automatically searched). This means that, as the analyst
is surfing the application, Suru will learn more and more about the application
and perform more in-depth discovery of the site. This smart discovery
includes functionality like automatically searching a known file name with all
extensions (nice for finding
abc_corp_login.old), and using known directory
names in future searches (e.g. when
/abc/ was found it would search future
directories also for
/abc/ - thereby also finding
Ease of use
- Suru was written in-house by SensePost. We perform hundreds of web application assessments every year and Suru is thus a web proxy written by people that use web proxies every day. Some of our favourite features include: The ability to save and load sessions.
- Requests that were edited are marked so you can easily distinguish them from normal requests.
- There is Search and Replace on both outgoing and incoming streams (with the ability to also change binary streams).
- We have one-click directory and file discovery.
- The ability to update file names, extensions and directory names online.
- There is a Fuzz-String editor within the application so you don't need to go and find it on the file system.
- The tools section gives MD5 and SHA-1 hashes, base 64 encoding and -decoding and hex, all with one click.
- The interface shows number of POST and GET parameters for every request so you don't need to go and find where you actually submitted information.
- There is automatic relationship discovery, which compares all parameter with the SHA1, MD5 hashes, base 64 encoded -decoded representation of all the other parameters to see if there is a correlation.
- Support for upstream proxies.
- Support for response timing analysis.
Sounds interesting. Is it free?
Yes. Suru's source code is available under a 2-clause BSD license.