This page is about understanding what Sleuth is, and what it can do for you.

Sleuth was developed from my own personal need for a web application analysis tool. It represents the exact functionality I found necessary in the trenches of a security audit.

Sleuth puts a nice twist on efficiency of design and visual tools, keeping a complete toolbox of testing aids at the intuitive auditor's fingertips.

What is Sleuth? What can it do?

Sleuth is a manual research and exploration tool for web applications. It is not just one application; it is a complete toolbox of applications that come together to let you do some unique things.

Why has the design focused around manual tools?

Most auditing software has focused on automation and predefined scan patterns. Such tools typically have a large database of exploits or variables to try to inject into web scripts, and a long list of insecure files, default configurations, etc. to try to brute force during their scan.

Sleuth breaks from this concept and focuses only on giving auditors the tools they need to disassemble the web application by hand and to efficiently test it in any manner they can conceive.

The reason I have made it with this focus is that web applications can be extremely complex. HTML and JavaScript have the capability to dynamically create and manipulate forms; Flash and PDFs can also display and submit forms.

To be sure they are testing every aspect of a web application, automated tools have to be smart enough to do almost impossibly complex things, such as analyzing embedded JavaScript commands or parsing non-native file types.

What if I select a combo box in a top frame, and JavaScript changes the action of a form in the lower frame to submit to an alternative search script?

I have not personally tested any of the commercial automated tools, but I would be quite impressed if they were able to pick up such an interaction and know of the existence of the alternative search script.
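The combo-box scenario above, as an added example that is not part of the original page or of Sleuth: a markup-only inventory of form actions is compared with the targets that inline script assigns to `.action`. The frame contents, script names and function names are constructed for illustration.

```javascript
// Constructed sample pages (not from the original site): a top frame whose
// combo box rewrites the action of a form living in the bottom frame.
const topFrame = `
<select onchange="pickEngine(this.value)">
  <option value="std">Standard</option>
  <option value="alt">Advanced</option>
</select>
<script>
function pickEngine(v) {
  var f = parent.frames['bottom'].document.forms[0];
  f.action = (v == 'alt') ? '/cgi-bin/search_alt.cgi' : '/cgi-bin/search.cgi';
}
</script>`;
const bottomFrame = `
<form method="post" action="/cgi-bin/search.cgi">
  <input type="text" name="q"><input type="submit">
</form>`;
// What a markup-only crawler sees: action="" attributes on <form> tags.
function staticFormActions(html) {
  const out = new Set();
  const re = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(re)) out.add(m[1]);
  return out;
}

// Heuristic: path-like string literals in statements that assign to `.action`.
// Catches literal targets only; computed URLs still need manual review.
function scriptAssignedActions(html) {
  const out = new Set();
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const stmt of s[1].matchAll(/\.action\s*=(?!=)([^;]*);/g)) {
      for (const lit of stmt[1].matchAll(/["']([^"']+)["']/g)) {
        if (lit[1].startsWith('/')) out.add(lit[1]); // skip values like 'alt'
      }
    }
  }
  return out;
}

// Endpoints reachable only through script, i.e. missed by the static pass.
function missedEndpoints(pages) {
  const seen = new Set(), dynamic = new Set();
  for (const p of pages) {
    staticFormActions(p).forEach(a => seen.add(a));
    scriptAssignedActions(p).forEach(a => dynamic.add(a));
  }
  return [...dynamic].filter(a => !seen.has(a));
}
console.log(missedEndpoints([topFrame, bottomFrame]));
```

The static pass reports only the search script named in the markup; the alternative script appears only once the script bodies are inspected, which is the coverage gap the question describes.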

Another reason Sleuth exists is for research for creating new automation utilities and scripts. To test and debug theories, you need dynamic manual tools to test your ideas, catalog server interactions and explore what is going on in its most bare bones components.

Sleuth has been designed to take you right down to the foundation levels that web applications work at and strives to bring a new level of efficiency and capability to a greater audience, making such capabilities possible for all auditors and not just those who have the skills to develop their own proprietary tools, or are lucky enough to work for a company with such a framework already in place.

Two other key areas where Sleuth proves itself to be an invaluable resource are:

  • Developer and Auditor training -
    Key concepts can easily and visually be shown to any audience, often with the student able to directly reproduce the simple steps shown to them.
  • Verifying Automated tools results -
    Efficiently dig and poke into any corner of the web application to see if an automated tool missed something, or to test the exposure of a vuln that may have been public for some time.


With that said, the next step is in understanding what tools Sleuth provides and just what it is capable of.

Sleuth is actually a framework of several tools, each of which has been highlighted below. In addition to the descriptions given here, each section title has been linked to a separate dedicated page on that tool which contains auxiliary information complete with product screen shots.

  • Main Application -

    Integrated IE web browser surrounded with an entire host of powerful examination and manipulation tools. With it you can:

    • get an efficient listing of all links, forms, scripts, frames, etc. in a web page
    • easily edit form elements, links, etc. of the page
    • interactively execute JavaScript commands with the document
    • +tons more


    The main application also has an integrated HTTP intercept proxy so that you can easily manipulate the raw headers sent to and from the browser. One key feature of the Intercept proxy is just how integrated it is with the application. In its configuration pane, you set breakpoints on common criteria. When a breakpoint is reached, you are automatically switched to the proxy window for the edit, after which you will be automatically switched back.

    The proxy breakpoints have been designed to be powerful and flexible, allowing you to home in on exactly the events of interest with a minimum of back and forth between proxy and browser panes.

  • RawRequest -

    A raw HTTP client that allows you to build up an HTTP request manually. The wizard pane allows you to insert a fully configured URL, which you can then edit to your preference. The request can also be edited in the raw request pane, which allows you total control over what you are sending to the server. After the request is sent, the raw source returned is displayed in a nicely formatted, syntax-highlighted display. You also have the option of viewing the source in an embedded browser window to easily view the entire page output as it was designed to be displayed. New versions of RawRequest currently out in the members section support SSL connections, as well as being able to save and restore saved requests and responses.

  • Sleuth Script -

    Sleuth Script is a dynamic framework that allows you to automate your testing. Because it is based around common VBScript, it is easily configurable and can be adapted for many test scenarios. The Sleuth Script framework is built around a powerful set of libraries that handle all of the hard work, such as saving and retrieving data from databases, sending raw HTTP requests, writing data to files and more. Check out the Object browser to see all of the built-in functionality. Sleuth Script can also be easily extended by custom-developed ActiveX objects dynamically loaded at runtime through the use of CreateObject(). The Sleuth Script IDE can likewise be extended, allowing you to customize the IntelliSense menus to fit your preferences or even include new objects that you choose.

    The Sleuth Script IDE has been designed with as many efficiency tools as I could to help new coders learn it, and advanced coders be as efficient as possible. Current automated scripts include: directory bruteforcers, backup file brute forcers, basic auth bruteforcer, and webform brute forcer.

  • Sleuth Browser Extensions -

    The browser extensions package aims to integrate a handful of tools right into the standard IE browser. It adds functionality such as "Edit Source" and "Edit Forms" options right into the IE right-click menus. Other noteworthy functionality includes browser toolbar buttons that will Enable Right Click on any webpage you are viewing, a JavaScript console so you can dynamically execute scripting commands on the current page, and more. (The JS Console is great for analyzing pages with its extended logging and analysis routines.)

  • Sleuth Lite -

    Based on the main Sleuth functionality, but does not contain its own browser window. Instead, Sleuth Lite is designed to be left running and quietly sits down in the system tray. You surf in IE; when you need to analyze a page, you just bring it back up, attach it to the IE window you desire (like a debugger) and it is instantly hooked into everything that page contains.

  • Doc Analyzer -

    Similar to Sleuth Lite, except that it contains some extended functionality. Doc Analyzer is actually the predecessor of Sleuth Lite and has advancements that allow it to explore all of the frames of a document at once and edit any portion of any frame from the listview. Doc Analyzer is only available to Commercially Licensed users.

With the tools that Sleuth provides, you really can dig into the depths of just about any web application and see what makes it tick. With all of the multiple ways provided, you should be able to get where you need to go, whether you started browsing a site in Sleuth, want to analyze some popup you think might be malicious, or just want to check something offhand as you surf the web.

What are its limitations, what can't it do?

The sky’s pretty much the limit. It usually comes down to what the wielder can do with it.

Conclusion

Automated tools definitely have their place. Web apps can just flat out be huge and automation is key, but automated tools cannot be the only line of defense. There will inevitably be things they miss. Their analysis logic can only be as smart as their designers have implemented (and figured out how to properly implement).

My personal passion is figuring out how stuff works. So I needed a tool that would let me dig, research, learn and directly understand how it all works and what could be done. Sleuth is the result of that work.

Copyright Sandsprite.com 2000-2003 All Rights Reserved