Dailydave mailing list archives
WCF SSL Validation
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 05 Mar 2008 08:39:00 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So I'm doing an application assessment of a .Net 3.0 app that uses WCF a lot. I learned a lot of random things about Windows while reading up for it - they put http.sys into XP SP2, for example. I didn't realize that had gotten back-ported. Also the WCF .Net API does not treat certificates the same way that IE7 does. You can have a certificate imported into IE and then browse nicely through SPIKE Proxy but still have WCF requests fail with SSL validation errors. This is a pain but there's no way to bypass it that I can figure out. Today the plan is to bypass the need for SSL MITM by using Immunity Debugger to hook the http request API and modify it on the fly the way JMS usually does. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHzqJ0tehAhL0gheoRAiTQAJ96S0kv0OG0GOu8RuDiBjX3UveqRQCeL25W 67e1M7T+GdnrCeUlTDmlFD8= =aLCb -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- WCF SSL Validation Dave Aitel (Mar 05)
- Re: WCF SSL Validation Rodney Thayer (Mar 05)