Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WebScarab .NET SSL Error

From: Danux <danuxx () gmail com>
Date: Tue, 10 Jun 2008 13:18:24 -0500
Excellent, thanks.

Just to mention, that for a rare case, i was not able to use WebScarab
in the Web App, it gets Freeze, i mean, it stops responding,  but
while using FireBug i could avoid using a Web Proxy.
Anyway, thanks for your excellent recommendations.

Sincerely,

On Tue, Jun 10, 2008 at 5:26 AM, Meenal Mukadam
<meenal.mukadam () gmail com> wrote:


Hi Danux,

This is a reply to your question :

I  am testing a .NET-SSL enabled web application, and i discovered a
possible SQL Injection, then because of lack of space in the input
field of the form, i start trying to use a Proxy like WebScarab or
Acunetix, but after submit the request through this proxies the
application stops responding  and i am not able to inject any code.
I think could be because of .NET certificate trust validation, if so?
Do you know how to bypass this issue?


The problem you are facing is 'lack of space' in i/p field. By capturing the
POST conversation in WebScarab you can right click on that conversation and
add to fuzzer template. You can tamper the parameters there and fuzz a list
of attacks.

If there is input validation done what you can do is go to proxy tab. In
miscellaneous section tick on 'show hidden fields'. Refresh your page. Now
u'll be able to see the hidden fields. Many a times in .NET 'max size' and
other parameters are stored in hidden field on the same page. So when you
enable 'View hidden fields' in WebScarab it'll help you to see those fields
and modify the Field size.

And about the Certificate trust validation, you will be warned in the start
that certificate submitted is of WebScarab. So you can accept the request
'for this session only' and later the application shouldnt block you.

Btw thank you for letting us know of an additional option and that being
'FireBug'.


Thanks & Regards

Meenal A. Mukadam



On Tue, Jun 10, 2008 at 10:08 AM, Secure Scorp <securescorp () gmail com>
wrote:



---------- Forwarded message ----------
From: kevin horvath <kevin.horvath () gmail com>
Date: Thu, Jun 5, 2008 at 12:37 AM
Subject: Re: WebScarab .NET SSL Error
To: Danux <danuxx () gmail com>
Cc: Maxime Ducharme <mducharme () cybergeneration com>,
pen-test () securityfocus com


if your referring to updating the content-length header when you
change the get or post request in transit then burp proxy with
automatically do it for you also.  Additionally it has alot of other
very useful tools built into it such as a fuzzer, cookie analysis
etc....

Kevin

On Wed, Jun 4, 2008 at 1:46 PM, Danux <danuxx () gmail com> wrote:

Thanks to all,

Well, i resolve it using the excellent extension of Firefox call
Firebug which updates de form elements on the fly, like maxlength.
its excellent, because in this case as i told you i was not able to
use a proxy like webscarab or acunetix nor able to create my own page
and just submit the form to the cgi, but with firebug the WebSite does
not know the page was altered because the change was on the client
side through java script.

Thanks to all once again.

On Tue, Jun 3, 2008 at 10:31 AM, Maxime Ducharme
<mducharme () cybergeneration com> wrote:



Hi Danux

I suggest that you try this Firefox extension :

- TamperData : http://tamperdata.mozdev.org/

Another interesting I didn't tried yet :
https://addons.mozilla.org/en-US/firefox/addon/2691

HTH

Maxime



-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com]
De
la part de Danux
Envoyé : 30 mai 2008 05:37
À : pen-test () securityfocus com
Objet : WebScarab .NET SSL Error

Hi Friends,

I  am testing a .NET-SSL enabled web application, and i discovered a
possible SQL Injection, then because of lack of space in the input
field of the form, i start trying to use a Proxy like WebScarab or
Acunetix, but after submit the request through this proxies the
application stops responding  and i am not able to inject any code.
I think could be because of .NET certificate trust validation, if so?
Do you know how to bypass this issue?

Have you ever been able to test an https .NET application through a
Proxy?

Thanks in Advanced.

--
Danux


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar

------------------------------------------------------------------------








--
Danux, CISSP, OSCP, ISO27001
Offensive Security Consultant
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------








--
Meenal A. Mukadam

-------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/maynot reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------




-- 
Danux, CISSP, OSCP, ISO27001
Offensive Security Consultant
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: