Penetration Testing mailing list archives
Re: WebScarab .NET SSL Error
From: Danux <danuxx () gmail com>
Date: Tue, 10 Jun 2008 13:18:24 -0500
Excellent, thanks. Just to mention, that for a rare case, i was not able to use WebScarab in the Web App, it gets Freeze, i mean, it stops responding, but while using FireBug i could avoid using a Web Proxy. Anyway, thanks for your excellent recommendations. Sincerely, On Tue, Jun 10, 2008 at 5:26 AM, Meenal Mukadam <meenal.mukadam () gmail com> wrote:
Hi Danux, This is a reply to your question :I am testing a .NET-SSL enabled web application, and i discovered a possible SQL Injection, then because of lack of space in the input field of the form, i start trying to use a Proxy like WebScarab or Acunetix, but after submit the request through this proxies the application stops responding and i am not able to inject any code. I think could be because of .NET certificate trust validation, if so? Do you know how to bypass this issue?The problem you are facing is 'lack of space' in i/p field. By capturing the POST conversation in WebScarab you can right click on that conversation and add to fuzzer template. You can tamper the parameters there and fuzz a list of attacks. If there is input validation done what you can do is go to proxy tab. In miscellaneous section tick on 'show hidden fields'. Refresh your page. Now u'll be able to see the hidden fields. Many a times in .NET 'max size' and other parameters are stored in hidden field on the same page. So when you enable 'View hidden fields' in WebScarab it'll help you to see those fields and modify the Field size. And about the Certificate trust validation, you will be warned in the start that certificate submitted is of WebScarab. So you can accept the request 'for this session only' and later the application shouldnt block you. Btw thank you for letting us know of an additional option and that being 'FireBug'. Thanks & Regards Meenal A. Mukadam On Tue, Jun 10, 2008 at 10:08 AM, Secure Scorp <securescorp () gmail com> wrote:---------- Forwarded message ---------- From: kevin horvath <kevin.horvath () gmail com> Date: Thu, Jun 5, 2008 at 12:37 AM Subject: Re: WebScarab .NET SSL Error To: Danux <danuxx () gmail com> Cc: Maxime Ducharme <mducharme () cybergeneration com>, pen-test () securityfocus com if your referring to updating the content-length header when you change the get or post request in transit then burp proxy with automatically do it for you also. Additionally it has alot of other very useful tools built into it such as a fuzzer, cookie analysis etc.... Kevin On Wed, Jun 4, 2008 at 1:46 PM, Danux <danuxx () gmail com> wrote:Thanks to all, Well, i resolve it using the excellent extension of Firefox call Firebug which updates de form elements on the fly, like maxlength. its excellent, because in this case as i told you i was not able to use a proxy like webscarab or acunetix nor able to create my own page and just submit the form to the cgi, but with firebug the WebSite does not know the page was altered because the change was on the client side through java script. Thanks to all once again. On Tue, Jun 3, 2008 at 10:31 AM, Maxime Ducharme <mducharme () cybergeneration com> wrote:Hi Danux I suggest that you try this Firefox extension : - TamperData : http://tamperdata.mozdev.org/ Another interesting I didn't tried yet : https://addons.mozilla.org/en-US/firefox/addon/2691 HTH Maxime -----Message d'origine----- De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de Danux Envoyé : 30 mai 2008 05:37 À : pen-test () securityfocus com Objet : WebScarab .NET SSL Error Hi Friends, I am testing a .NET-SSL enabled web application, and i discovered a possible SQL Injection, then because of lack of space in the input field of the form, i start trying to use a Proxy like WebScarab or Acunetix, but after submit the request through this proxies the application stops responding and i am not able to inject any code. I think could be because of .NET certificate trust validation, if so? Do you know how to bypass this issue? Have you ever been able to test an https .NET application through a Proxy? Thanks in Advanced. -- Danux ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar -------------------------------------------------------------------------- Danux, CISSP, OSCP, ISO27001 Offensive Security Consultant Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar -------------------------------------------------------------------------- Meenal A. Mukadam ------------------------------------------------------------- Far away there in the sunshine are my highest aspirations. I may/maynot reach them, but I can look up and see their beauty, believe in them and try to follow where they lead -------------------------------------------------------------
-- Danux, CISSP, OSCP, ISO27001 Offensive Security Consultant Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: WebScarab .NET SSL Error Zed Qyves (Jun 02)
- <Possible follow-ups>
- RE: WebScarab .NET SSL Error Maxime Ducharme (Jun 03)
- Re: WebScarab .NET SSL Error Danux (Jun 04)
- Re: WebScarab .NET SSL Error kevin horvath (Jun 04)
- Message not available
- Message not available
- Re: WebScarab .NET SSL Error Danux (Jun 10)
- Re: WebScarab .NET SSL Error Danux (Jun 04)