Penetration Testing mailing list archives
RE: [WEB SECURITY] HTTP Proxy for thick clients
From: "Ofer Shezaf" <OferS () Breach com>
Date: Tue, 28 Aug 2007 10:24:35 -0400
Hi Huan, If you can set the host name or server IP you can use a proxy that can act as a reverse proxy, for example WebScarab (I don't know if Paros or Burp can). If the application uses a host name that is embedded in the code, you could still use a reverse proxy by editing your hosts file to point this name to the local machine. I'm not aware of any transparent reverse proxy that can change traffic. One caveat might be SSL usage. Whether using a reverse proxy would work or not depends on the level of certificate validation done. For sure client side certificates would make using a reverse proxy impossible. Server side certificates might work if the application is not fuzzy about them. ~ Ofer Shezaf ofers () breach com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119 CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;
-----Original Message----- From: Huan Chi [mailto:ktriv3di () msn com] Sent: Tuesday, August 28, 2007 5:32 AM To: websecurity () webappsec org Cc: pen-test () securityfocus com Subject: [WEB SECURITY] HTTP Proxy for thick clients List, I am testing a .NET thick client application using web services. I am looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to see the change the traffic. The application does not have a way to set proxy setting so I cannot use paros / burp and then do proxy chaining. Also, everything on the tunnel is SSL, so ethereal is not much help Also, any good tools to edit XML / SOAP traffic Thanks for suggesstions in advance ----------------------------------------------------------------------- ----- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Current thread:
- XSS interrogations Jeremy Saintot (Aug 22)
- Re: XSS interrogations Paul Sebastian Ziegler (Aug 22)
- <Possible follow-ups>
- Re: XSS interrogations Jon Xmas (Aug 23)
- HTTP Proxy for thick clients Huan Chi (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients haroon meer (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients Huan Chi (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients haroon meer (Aug 28)
- HTTP Proxy for thick clients Huan Chi (Aug 28)
- RE: [WEB SECURITY] HTTP Proxy for thick clients Ofer Shezaf (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients bugtraq (Aug 28)
- Re: [WEB SECURITY] HTTP Proxy for thick clients charlie derr (Aug 28)
- Re: HTTP Proxy for thick clients Jeffory Atkinson (Aug 28)
- Re: HTTP Proxy for thick clients rajat swarup (Aug 29)