Penetration Testing mailing list archives
Re: [WEB SECURITY] HTTP Proxy for thick clients
From: haroon meer <haroon () sensepost com>
Date: Tue, 28 Aug 2007 20:59:38 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi.. Make sure that you restart the application after changing your proxy settings.. If this (or the other suggestions) dont work, check out the outstandingly useful echomirage from bindshell.net /mh * Huan Chi <ktriv3di () msn com> [2007-08-28 11:38:06 -0700]:
Thanks guys for the suggesstion. I tried doing this and for some reason the although Paros works for IE, it does not work for the thick client application. The thick client seems to send the traffic directly. Any other suggesstions? ----- Original Message ----- From: "haroon meer" <haroon () sensepost com> To: "Huan Chi" <ktriv3di () msn com> Cc: <websecurity () webappsec org>; <pen-test () securityfocus com> Sent: Monday, August 27, 2007 11:30 PM Subject: Re: [WEB SECURITY] HTTP Proxy for thick clientsHi Huan.. Fortunately for you, a .Net application will make use of the proxy configured on the system when making SOAP calls by default (because i believe it is using an IE instance to handle the call). Simply set burp/paros as your proxy prior to starting up your thick-application and it should work exactly as you planned.. (if the app bails because of an incorrect SSL key, you might have to decompile the binary to remove the cert check or may get away with installing a new cert (with just the correct CN into paros/burp) - but you can contact me off-list if this does happen) /mh * Huan Chi <ktriv3di () msn com> [2007-08-27 19:32:26 -0700]:List, I am testing a .NET thick client application using web services. I am looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to see the change the traffic. The application does not have a way to set proxy setting so I cannot use paros / burp and then do proxy chaining. Also, everything on the tunnel is SSL, so ethereal is not much help Also, any good tools to edit XML / SOAP traffic Thanks for suggesstions in advance ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ** CRM114 Whitelisted by: Subject: [WEB SECURITY] **-- Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/ PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637 ** CRM114 Whitelisted by: From haroon () sensepost com **** CRM114 Whitelisted by: From: "haroon meer" <haroon () sensepost com **
- -- Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/ PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFG1HCZjc6KZkVo+wYRAlz4AJ9qRZPB0ZZ3Z8ie/DeK/nk/XwHT+QCeI6il LBTcEpsH/vFZvuOpFKtveJA= =zzaq -----END PGP SIGNATURE----- ** CRM114 Whitelisted by: From haroon () sensepost com ** ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- XSS interrogations Jeremy Saintot (Aug 22)
- Re: XSS interrogations Paul Sebastian Ziegler (Aug 22)
- <Possible follow-ups>
- Re: XSS interrogations Jon Xmas (Aug 23)
- HTTP Proxy for thick clients Huan Chi (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients haroon meer (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients Huan Chi (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients haroon meer (Aug 28)
- HTTP Proxy for thick clients Huan Chi (Aug 28)
- RE: [WEB SECURITY] HTTP Proxy for thick clients Ofer Shezaf (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients bugtraq (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients charlie derr (Aug 28)
- Re: HTTP Proxy for thick clients Jeffory Atkinson (Aug 28)
- Re: HTTP Proxy for thick clients rajat swarup (Aug 29)