Penetration Testing mailing list archives
Re: testing webapp - socks and http proxy question
From: learn lids <learnlids () yahoo com>
Date: Wed, 14 Jan 2009 18:37:25 -0800 (PST)
hi ken,

thanks for the suggestion @ burp, i downloaded the new version, but i was getting an error. the webapp http://myinsecurewebapp.com redirects to https://myinsecurewebapp.com . i intercepted the traffic in burp, and saw this alert:

"javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake".

at the same time, what i see in my browser window is:

"Burp proxy error: No response received from remote server"

i think the error is due to burp using its own cert? any suggestions on resolving this error are appreciated.

thanks,
LL

--- On Sat, 1/10/09, K <rusty_johnson2 () yahoo com> wrote:
> From: K <rusty_johnson2 () yahoo com>
> Subject: Re: testing webapp - socks and http proxy question
> To: "Rogan Dawes" <lists () dawes za net>
> Cc: "learnlids () yahoo com" <learnlids () yahoo com>, "pen-test () securityfocus com" <pen-test () securityfocus com>, "webappsec () securityfocus com" <webappsec () securityfocus com>, "security-basics () securityfocus com" <security-basics () securityfocus com>
> Date: Saturday, January 10, 2009, 6:57 AM
>
> Burp comms tab, set burp to use proxy. The socks proxy is your choice.
>
> Ken
>
> On Jan 9, 2009, at 4:39 AM, Rogan Dawes <lists () dawes za net> wrote:
>
>> learn lids wrote:
>>> hello everybody,
>>>
>>> moderators : sorry about the cross-post, but i thought this question is relevant to all these 3 lists.
>>>
>>> i am trying to test a web app which is accessible by only a socks proxy. so i want to redirect the http traffic through the socks proxy to access the webapp.
>>>
>>> the setup is:
>>>
>>> browser {OUT 127.0.0.1:8080} ---> burp proxy --> socks proxy to webapp
>>>
>>> i am not sure how to make burp talk to the socks proxy. i used proxychains but i am not able to make it work.
>>>
>>> any suggestions are much appreciated. any other alternate methods would be nice.
>>>
>>> thank you,
>>> learner
>>
>> The work-in-progress OWASP Proxy library (and sample app) supports upstream and downstream SOCKS proxies. i.e. it can act as a SOCKS proxy, and it can connect through an upstream SOCKS proxy. It can also act as a regular HTTP proxy, allowing:
>>
>> [browser] --(HTTP Proxy)--> [burp] --(HTTP Proxy)--> [OWASP Proxy] --(SOCKS)--> [socks proxy]--> [server]
>>
>> This is probably not ideal, though.
>>
>> You *may* be able to convince burp to use an upstream SOCKS proxy by setting the appropriate Java environment variables. See:
>>
>> <http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html>
>>
>> I don't think that this supports authentication to the upstream SOCKS Proxy, though. If you need upstream authentication, you may need to hack something together using JSOCKS, for example.
>>
>> Rogan
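A stand-alone check related to the message above, added here as an example and not code from any poster or from Burp: it opens a tunnel through a SOCKS proxy with the standard `java.net.Proxy` API and then attempts the TLS handshake itself, so the output shows whether a failure occurs on the SOCKS leg or during the handshake with the server, with Burp out of the path. The class name and the four command-line arguments are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.Socket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class name and arguments are assumptions, not from the thread.
public class SocksTlsCheck {
    static final int TIMEOUT_MS = 10_000;

    public static void main(String[] args) {
        if (args.length != 4) {
            System.err.println("usage: java SocksTlsCheck <socksHost> <socksPort> <targetHost> <targetPort>");
            System.exit(2);
        }
        System.exit(check(args[0], Integer.parseInt(args[1]), args[2], Integer.parseInt(args[3])));
    }

    static int check(String socksHost, int socksPort, String targetHost, int targetPort) {
        // Per-socket equivalent of the JVM-wide -DsocksProxyHost / -DsocksProxyPort properties.
        Proxy socks = new Proxy(Proxy.Type.SOCKS, new InetSocketAddress(socksHost, socksPort));
        try (Socket tunnel = new Socket(socks)) {
            // Unresolved address: with SOCKS5 the proxy resolves the name, not this machine.
            tunnel.connect(InetSocketAddress.createUnresolved(targetHost, targetPort), TIMEOUT_MS);
            tunnel.setSoTimeout(TIMEOUT_MS);
            System.out.println("SOCKS leg OK: tunnel to " + targetHost + ":" + targetPort);
            return handshake(tunnel, targetHost, targetPort);
        } catch (IOException e) {
            System.out.println("SOCKS leg failed (proxy unreachable or connect refused): " + e);
            return 1;
        }
    }

    static int handshake(Socket tunnel, String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket tls = (SSLSocket) factory.createSocket(tunnel, host, port, true)) {
            tls.startHandshake(); // validates the server chain against the default trust store
            SSLSession s = tls.getSession();
            System.out.println("TLS handshake OK: " + s.getProtocol() + " / " + s.getCipherSuite());
            return 0;
        } catch (IOException e) {
            // Covers SSLHandshakeException, including a peer that closes mid-handshake.
            System.out.println("TLS handshake failed after the tunnel was up: " + e);
            return 1;
        }
    }
}
```

The exit status is 0 when both legs succeed, 1 when either leg fails and 2 on a usage error; the printed exception text identifies which leg failed.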
Current thread:
- testing webapp - socks and http proxy question learn lids (Jan 09)
- RE: testing webapp - socks and http proxy question Amardeep Singh (Jan 09)
- Re: testing webapp - socks and http proxy question Rogan Dawes (Jan 09)
- Re: testing webapp - socks and http proxy question natron (Jan 09)
- <Possible follow-ups>
- testing webapp - socks and http proxy question Amardeep Singh (Jan 09)
- Re: testing webapp - socks and http proxy question learn lids (Jan 15)