Penetration Testing mailing list archives

RE: HTTPS Web site testing

From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 16 May 2003 08:04:04 +0200

Exodus will allow you to do this quite easily.

You can either modify an intercepted request, or generate one manually, by
using the "manual request" tab.

Simply type in the request using the full hostname and protocol, and press
submit. Exodus will automatically calculate your content-length  for you,
just to simplify things a bit, and return the server's response.

E.g.

POST https://vulnerable.site/path/app.asp HTTP/1.0
Header: value
Content-Length: 0   <-- doesn't matter, will be recalculated

var1=val1&var2=val2

You can get Exodus at http://mysite.mweb.co.za/residents/rdawes/exodus.html

Rogan

-----Original Message-----
From: Robert Smith [mailto:smithr () IAFACILITY com] 
Sent: 15 May 2003 07:31 PM
To: 'Pen-Test () securityfocus com'
Subject: HTTPS Web site testing


I apologize if this is a simple question. 
I am testing a HTTPS web site for a vulnerability and need to do a "POST
/blah.html /etc...." command and get the results back. 
I have tried using IE with Achilles, but IE prepends a GET before the POST
which invalidates the result. Opera works the same.
Is there a way to do this through Achilles or another proxy or any other
method so I can examine the web page output?


R Smith

---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-pen-test
----------------------------------------------------------------------------

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") 
that must be accessed and read by clicking here or by copying and pasting the following address into your Internet 
browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this 
email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access 
the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre () Deloitte co za.

---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-pen-test
----------------------------------------------------------------------------

Current thread:

HTTPS Web site testing Robert Smith (May 15)
- Re: HTTPS Web site testing christopher downs (May 15)
- Re: HTTPS Web site testing Edstrom Johan (May 15)
- Re: HTTPS Web site testing Pablo Sisca (May 15)
- Re: HTTPS Web site testing Alexandre Carmel-Veilleux (May 15)
- Re: HTTPS Web site testing JC (May 16)
- <Possible follow-ups>
- Re: HTTPS Web site testing Robert Smith (May 15)
- RE: HTTPS Web site testing Gilbert, Austin (May 16)
- RE: HTTPS Web site testing Dawes, Rogan (ZA - Johannesburg) (May 16)
- RE: HTTPS Web site testing Michael Tsentsarevsky (May 18)