Hi jahboite:
Thanks for the post.
Additionally, I contacted the developer for CAL9000 and he emailed me back the following:
"The HTTP Request and Response pages are probably the most complex features of the tool, so don't feel bad if you are having some issues. It really isn't a true proxy (where you can intercept and edit requests/responses), but I'm kicking around some ideas for embedding a server in the client, which may make things interesting for the future.
Let's start with an easy request just to confirm that it is working. On the HTTP Requests page, at a minimum you need to supply a Method (GET, POST etc.), a Schema (http://, https:// etc.) and a hostname (www.cnn.com). So let's supply those values:
1) For the Method dropdown box, select GET
2) For the Schema dropdown box, select http://
3) For the Hostname (the text box right next to the Schema), type in www.cnn.com
In the lower left-hand area of the page, there is a button labeled Send This Request. Click on it.
OK, so what happened? The messages on the top should say Processing, then Request Complete, then Save Successful. The History dropdown box in the lower middle of the page should have a new number added to it (like 1192368756903 - it is a timestamp).
To view the Response, first click on the HTTP Responses tab at the top of the page. Now, click on one of the numbers in the History dropdown box (they are the same numbers as on the HTTP Requests Page). The number at the top of the list is the latest response. The text fields and textareas of the page should be automatically populated with the response info. Does this work for you? Let me know and we can proceed from here.
Good luck!
Chris"
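As an added illustration (not CAL9000's own code, nor anything from Chris's email), here is a small Python client that does what the HTTP Requests page is described as doing: it composes a raw request from the Method, Schema and Hostname fields, sends it, splits the response into the status, headers and body that the Responses page displays, and files each exchange under a millisecond timestamp like the History numbers. The `transport` parameter is my own addition so the network layer can be swapped for a fake when testing offline.

```python
import socket
import ssl
import time

def build_request(method, schema, hostname, path="/", extra_headers=None):
    """Raw HTTP/1.1 request from the Method, Schema and Hostname fields; Host is derived."""
    headers = {"Host": hostname, "Connection": "close"}
    headers.update(extra_headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_response(raw):
    """Split a raw response into (status, headers, body), what the Responses page shows."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def socket_transport(schema, hostname, raw_request, timeout=10):
    """Real transport: plain socket for http://, TLS-wrapped for https://."""
    port = 443 if schema == "https://" else 80
    sock = socket.create_connection((hostname, port), timeout=timeout)
    if schema == "https://":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)
    with sock:
        sock.sendall(raw_request.encode())
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")

def send_and_record(history, method, schema, hostname, path="/", transport=socket_transport):
    """Send one request and file request + parsed response under a millisecond
    timestamp, the same kind of number CAL9000 shows in its History box."""
    raw_request = build_request(method, schema, hostname, path)
    raw_response = transport(schema, hostname, raw_request)
    key = int(time.time() * 1000)
    while key in history:  # two sends in the same millisecond must not collide
        key += 1
    history[key] = (raw_request, parse_response(raw_response))
    return key

def latest_first(history):
    """History numbers ordered so the newest response is at the top of the list."""
    return sorted(history, reverse=True)
```

Calling `send_and_record({}, "GET", "http://", "www.cnn.com")` reproduces the easy request from the email; the returned key is the history number to look the response up by.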
by: jahboite Posted on 2008-05-16 at 17:08:38 ID: 21587447
Hi there.
CAL9000 works as a Web Proxy. Once you've set up your web browser to use the CAL9000 web proxy, it will show you the traffic passing between your web browser and the web site you're testing. This allows you to
a) see what happens when a browser makes an HTTP(S) request and what happens when the Web server responds.
b) effect changes to the requests that aren't normally possible with a web browser
c) manually test websites methodically in a structured and repeatable manner.
Its use requires knowledge of the vulnerabilities you want to test for and how to perform those tests. Once you have this knowledge, it will become very clear how to use the tool.
I suggest you have a look at installing WebGoat
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
This is a web server you'd install on your own machine which is vulnerable by design in order to teach you about certain vulnerabilities. Read up on those vulnerabilities and how to test for them and you'll soon have enough knowledge to test your form with CAL9000 or any of the various webappsec testing tools.