Security Basics mailing list archives

Re: testing webapp - socks and http proxy question

From: learn lids <learnlids () yahoo com>
Date: Wed, 14 Jan 2009 18:43:35 -0800 (PST)

natron, afaik netcat proxying does not work with the -l switch. is there a different version that allows you to do 
that? 

what i did was : nc -l -p4000 -X5 -x10.b.c.d:1080

-learnlids


--- On Fri, 1/9/09, natron <natron () invisibledenizen org> wrote:

From: natron <natron () invisibledenizen org>
Subject: Re: testing webapp - socks and http proxy question
To: "Rogan Dawes" <lists () dawes za net>
Cc: learnlids () yahoo com, pen-test () securityfocus com, webappsec () securityfocus com, security-basics () 
securityfocus com
Date: Friday, January 9, 2009, 11:09 AM
I think I've solved this problem in the past by using
proxy
'conversion' tools that will convert from one proxy
type to another.
It's been a while so I can't remember which tool I
used, but I think
socat or maybe ncat will do what you need.  You configure
*cat to
listen on (e.g.) port 1234 as an HTTP proxy server, and
chain it to
the socks proxy server.

On Fri, Jan 9, 2009 at 3:39 AM, Rogan Dawes
<lists () dawes za net> wrote:

learn lids wrote:

hello everybody,

moderators : sorry about the cross-post, but i

thoght this question

is relevant to all these 3 lists.

i am trying to test a web app which is accessible

by only a socks

proxy. so i want to redirect the http traffic

through the socks proxy

to access th webapp. the setup is:

browser {OUT 127.0.0.1:8080} ---> burp proxy

--> socks proxy to

webapp

i am not sure how to make burp talk to the socks

proxy. i used

proxychains but i am not able to make it work.

any suggestions are much appreciated. any other

alternate methods

would be nice.

thank you, learner


The work-in-progress OWASP Proxy library (and sample

app) supports

upstream and downstream SOCKS proxies. i.e. it can act

as a SOCKS proxy,

and it can connect through an upstream SOCKS proxy. It

can also act as a

regular HTTP proxy, allowing:

[browser] --(HTTP Proxy)--> [burp] --(HTTP

Proxy)--> [OWASP Proxy]

--(SOCKS)--> [socks proxy]--> [server]

This is probably not ideal, though.

You *may* be able to convince burp to use an upstream

SOCKS proxy by

setting the appropriate Java environment variables.

See:

<http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html>


I don't think that this supports authentication to

the upstream SOCKS

Proxy, though. If you need upstream authentication,

you may need to hack

something together using JSOCKS, for example.

Rogan

Current thread:

Re: testing webapp - socks and http proxy question learn lids (Jan 15)
- <Possible follow-ups>
- Re: testing webapp - socks and http proxy question K (Jan 15)
- Re: testing webapp - socks and http proxy question learn lids (Jan 15)
- Re: testing webapp - socks and http proxy question learn lids (Jan 15)
  - Re: testing webapp - socks and http proxy question jack . a . mannino (Jan 15)
- Re: testing webapp - socks and http proxy question K (Jan 15)