Suru is a man-in-the-middle (MITM) proxy that sits between the user's browser and the web application. It was written in the early days of web application hacking and has since been deprecated in favour of more modern tools. The source is available for download. It receives all the requests made by the browser and records them. The requests can be modified in any way and replayed. Suru not only catches requests that were made by the user, but also requests that use the IE object, such as rich applications using web services, MSN ads, Google Earth requests, application auto-updates etc. The proxy understands multipart POSTs (MPPs) and XML POSTs (used for web services).

Source code available at GitHub.

Web application fuzzer

Suru gives the analyst the ability to fuzz any part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-Length: etc. The analyst can choose to fuzz any point of the HTTP request header or body. These fuzz control points can be fuzzed with any value, and Suru includes some sample fuzz strings by default. After fuzzing, the analyst can choose to "auto group" the responses. This means that the application compares each response to a base response (similar to what CrowBar does) and automatically groups the responses according to how far each differs from the base response. In simple terms, that means that Suru will tell you how many different responses were received, with slightly different responses (e.g. responses that differ by only one character) grouped together. The analyst has the ability to set the tolerance of this grouper and the granularity of the grouping.
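The auto-grouping idea above, as an added illustration that is not Suru's own code: each response is scored by how far it diverges from a base response, responses within a tolerance are treated as one baseline group, and the rest are bucketed at a chosen granularity. The `difference`, `auto_group`, tolerance and granularity semantics, and the sample responses are all constructed for this example.

```python
"""Group fuzz responses by their distance from a base response (constructed example)."""
import difflib
from collections import defaultdict


def difference(base: str, response: str) -> float:
    """Fraction of content that differs from the base: 0.0 means identical."""
    return 1.0 - difflib.SequenceMatcher(None, base, response).ratio()


def auto_group(base: str, responses: dict, tolerance: float = 0.05,
               granularity: float = 0.10) -> dict:
    """Bucket responses by distance from the base.

    tolerance:   responses at most this far from the base count as 'baseline'
                 (so a one-character change still lands in the same group).
    granularity: width of each distance bucket for everything beyond tolerance.
    Returns {group_label: [fuzz_value, ...]}.
    """
    groups = defaultdict(list)
    for fuzz_value, body in responses.items():
        d = difference(base, body)
        if d <= tolerance:
            label = "baseline"
        else:
            bucket = int(d // granularity)
            label = f"diff {bucket * granularity:.0%}-{(bucket + 1) * granularity:.0%}"
        groups[label].append(fuzz_value)
    return dict(groups)


# Constructed sample: the base response and what came back for four fuzz values.
BASE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Item 1</h1><p>Price: 10.00</p></body></html>")
SAMPLE_RESPONSES = {
    "1": BASE,  # the original value
    "2": BASE.replace("Item 1", "Item 2").replace("10.00", "12.50"),  # near-identical
    "999999": ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
               "<html><body><h1>Item not found</h1></body></html>"),
    "": ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
         "<html><body><pre>Traceback (most recent call last) ...</pre></body></html>"),
}

if __name__ == "__main__":
    for label, values in sorted(auto_group(BASE, SAMPLE_RESPONSES).items()):
        print(f"{label:>14}: {values}")
```

The output lists how many distinct groups were seen; "1" and "2" collapse into the baseline group while the 404 and 500 pages land in their own buckets.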

Reconnaissance engine

The SensePost Suru web proxy has the ability to perform the same type of "back-end" discovery as Wikto does. But it goes one step further: as you browse, Suru automatically detects when a new directory is used (e.g. when the user surfs to http://abc_corp/abc/ the directory /abc/ is automatically searched). This means that, as the analyst is surfing the application, Suru learns more and more about the application and performs more in-depth discovery of the site. This smart discovery includes functionality like automatically searching for a known file name with all extensions (nice for finding abc_corp_login.old), and using known directory names in future searches (e.g. when /abc/ was found it would also search future directories for /abc/, thereby finding /cgi-bin/abc/ automatically).

Ease of use

Sounds interesting. Is it free?

Yes. Suru's source code is available under a 2-clause BSD license.