Re: testing webapp - socks and http proxy question

[learn lids <learnlids () yahoo com>]

hi ken,

thanks for the suggestion @ burp, i downloaded the new version, but i was getting an error. 

the webapp http://myinsecurewebapp.com redirects to https://myinsecurewebapp.com . i intercepted the traffic in burp, 
and saw this alert: 
"javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake". at the same time, what i see in 
my browser window is : "Burp proxy error: No response received from remote server"

i think the error is due to burp using its own cert? any suggestions on resolving this error are appreciated. 

thanks,
LL

--- On Sat, 1/10/09, K <rusty_johnson2 () yahoo com> wrote:

> From: K <rusty_johnson2 () yahoo com>
> Subject: Re: testing webapp - socks and http proxy question
> To: "Rogan Dawes" <lists () dawes za net>
> Cc: "learnlids () yahoo com" <learnlids () yahoo com>, "pen-test () securityfocus com" <pen-test () securityfocus 
> com>, "webappsec () securityfocus com" <webappsec () securityfocus com>, "security-basics () securityfocus com" 
> <security-basics () securityfocus com>
> Date: Saturday, January 10, 2009, 6:57 AM
> Burp comms tab, set burp to use proxy. The socks proxy is
> your choice.
>
> Ken
>
> On Jan 9, 2009, at 4:39 AM, Rogan Dawes
> <lists () dawes za net> wrote:
>
> learn lids wrote:
> hello everybody,
>
> moderators : sorry about the cross-post, but i thoght this
> question
> is relevant to all these 3 lists.
>
> i am trying to test a web app which is accessible by only a
> socks
> proxy. so i want to redirect the http traffic through the
> socks proxy
> to access th webapp. the setup is:
>
> browser {OUT 127.0.0.1:8080} ---> burp proxy -->
> socks proxy to
> webapp
>
> i am not sure how to make burp talk to the socks proxy. i
> used
> proxychains but i am not able to make it work.
>
> any suggestions are much appreciated. any other alternate
> methods
> would be nice.
>
> thank you, learner
>
> The work-in-progress OWASP Proxy library (and sample app)
> supports
> upstream and downstream SOCKS proxies. i.e. it can act as a
> SOCKS proxy,
> and it can connect through an upstream SOCKS proxy. It can
> also act as a
> regular HTTP proxy, allowing:
>
> [browser] --(HTTP Proxy)--> [burp] --(HTTP Proxy)-->
> [OWASP Proxy]
> --(SOCKS)--> [socks proxy]--> [server]
>
> This is probably not ideal, though.
>
> You *may* be able to convince burp to use an upstream SOCKS
> proxy by
> setting the appropriate Java environment variables. See:
>
> <http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html>
>
> I don't think that this supports authentication to the
> upstream SOCKS
> Proxy, though. If you need upstream authentication, you may
> need to hack
> something together using JSOCKS, for example.
>
> Rogan
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security
> Assessment 
> With the rapid rise in the number and types of security
> threats, web application security assessments should be
> considered a crucial phase in the development of any web
> application. What methodology should be followed? What tools
> can accelerate the assessment process? Download this
> Whitepaper today! 
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>
>
>
>       
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security
> Assessment 
> With the rapid rise in the number and types of security
> threats, web application security assessments should be
> considered a crucial phase in the development of any web
> application. What methodology should be followed? What tools
> can accelerate the assessment process? Download this
> Whitepaper today! 
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------