Penetration Testing mailing list archives
Re: [PEN-TEST] Scanning Web Proxy -- Preliminary Concept
From: vort-fu <vort () WIRETAPPED NET>
Date: Fri, 15 Dec 2000 12:05:52 +1100
http://www.stoev.org/proxy/preliminary-concept.htmlMy biggest criticism is that you state that "the proxy server should be able to do additional HTTP requests on its own."
Not having the proxy server use it's own requests kind of defeats having this proxy server in the first place. It's aim is to find security vulnerabilities in servers, and by and large would not be placed as a production server, more of a development server or an internal server used when auditing a server. Disabling this option would only report half of any vulnerabilities found, most likely returning false positives. Again, defeating its purpose.
Imagine if this feature kicked in while you were at a share trading site such as http://www.comsec.com.au. I dunno about you, but I'd be pretty pissed if this proxy went and submitted half a dozen variations of the shares I just purchased.
from http://www.stoev.org/proxy/preliminary-concept.html "The purpose of the scanning web proxy is to analyze all HTTP request-reply pairs that pass through it for the purpose of finding security vulnerabilities in the web sites being visited (e.g. weak cookies, plain-text passwords, etc.)" When browsing servers which pass sensitive information between the client and the server, one would assume that the connections are all done over ssl, and thus either you should not use this proxy to handle it, not use any proxies to handle it, or not have the proxy be able to replicate your ssl session. Either way, this proxy should not be used in a production environment where network auditing is not the issue. vortfu vort () wiretapped net
Current thread:
- [PEN-TEST] Scanning Web Proxy -- Preliminary Concept Philip Stoev (Dec 15)
- Re: [PEN-TEST] Scanning Web Proxy -- Preliminary Concept Glenn Williamson (Dec 15)
- Re: [PEN-TEST] Scanning Web Proxy -- Preliminary Concept Alex Butcher (Dec 16)
- Re: [PEN-TEST] Scanning Web Proxy -- Preliminary Concept Philip Stoev (Dec 16)
- <Possible follow-ups>
- Re: [PEN-TEST] Scanning Web Proxy -- Preliminary Concept vort-fu (Dec 15)