Penetration Testing mailing list archives
[PEN-TEST] Scanning through SSL proxies.
From: "van Eeden, Stieler" <veedest () EY CO ZA>
Date: Fri, 8 Sep 2000 09:24:01 +0200
Since everybody is starting to realise that SSL is a more secure protocol than HTTP ..heh.. A lot of clients is running SSL based webservers. Unfortunately most make the mistake by thinking if they implement SSL they are secure and cant be hacked. But they are actually just secured from sniffing etc. and then dont bother to harden the OS or review their cgi scripts. The attacks can still be automated through a SSL proxy. Go and check you could still be vulnerable to RDS :P Up to now I've done all the checks manually, damn it takes long! In the whisker documentation RFP says that it is possible to use an SSL proxy. I quote from his documentation ( http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 ) "<> SSL support is officially to be had by using sslproxy by Christian Starkjohann <cs () obdev at>, at http://www.obdev.at/Products/. It runs on both Win and Unix, so life is good. Copies are available from my site just in case you can't find them. RTFM for usage." I also noted that a few paragraphes before that he stated - "<> Proxy support has been removed until version v2.0. The previous proxy commandline options have been re-used into other v1.4 features." I assume he is talking about normal proxy support. I had a look at SSLproxy and had a few problems to get it to work in Linux, I could be missing a few Libs. I have OpenSSH and OpenSSL installed. ;/ Apparently there is a win32 port of sslproxy, the link to the win32 port is dead.:( Anyone got a copy ? Have anybody got this to work successfully ? I need some help, please give me some light ! Is there any other SSL Proxies that can be used to simulate webscan's ? Up to now whisker look like the only worth while tool with ssl proxy support for the job. Thanx! //Stieler van Eeden WARNING: this e-mail contains confidential information and any unauthorised use or interception is illegal. If this e-mail is not intended for you, you may not copy, distribute or disclose the contents to anyone nor take any action in reliance on the content. If you receive this in error, please contact the sender and delete the material from any computer
Current thread:
- [PEN-TEST] Scanning through SSL proxies. van Eeden, Stieler (Sep 08)
- <Possible follow-ups>
- Re: [PEN-TEST] Scanning through SSL proxies. Chris Romeo (Sep 08)
- Re: [PEN-TEST] Scanning through SSL proxies. matt lind (Sep 18)
- Re: [PEN-TEST] Scanning through SSL proxies. Mordechai Ovits (Sep 18)