CAT provides the ability to test a web application for all types of vulnerabilities, from SQL injection to reverse proxy bypass. It allows traffic between a web browser and a web server to be intercepted and altered. Requests can then be repeated within CAT, allowing all aspects of the request to be altered. Requests can be fuzzed using a range of different fuzzing algorithms, including brute forcing, injection attacks and scripted attacks; it also provides a facility to fuzz forms with CSRF tokens. Authorisation within an application can easily be checked using two synchronised web sessions from one user type to another.
Some highlights of CAT:
- CAT uses Internet Explorer's rendering engine for accurate HTML representation
- It offers integrated SQL Injection and XSS Detection
- Advanced Authentication and Authorisation using Synchronised Browsing
- Silverlight WCF Support
- Faster performance due to HTTP connection caching
- SSL Version and Cipher checker using OpenSSL
- Greater flexibility for importing/exporting logs and saving projects
- Tabbed Interface allowing for multiple tools at once, e.g. multiple repeaters and different logs
- The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
- Ability to extend CAT using Addons with publicly available documentation and sample code
- MONO Support for Linux and OSX (Currently in Beta)
- Scriptable fuzz cases