RE: [WEB SECURITY] HTTP Proxy for thick clients

["Ofer Shezaf" <OferS () Breach com>]

Hi Huan,

If you can set the host name or server IP you can use a proxy that can act 
as a reverse proxy, for example WebScarab (I don't know if Paros or Burp can).

If the application uses a host name that is embedded in the code, you could still use a reverse proxy by editing your 
hosts file to point this name to the local machine.

I'm not aware of any transparent reverse proxy that can change traffic.

One caveat might be SSL usage. Whether using a reverse proxy would work or not depends on the level of certificate 
validation done. For sure client side certificates would make using a reverse proxy impossible. Server side 
certificates might work if the application is not fuzzy about them.

~ Ofer Shezaf
ofers () breach com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;



> -----Original Message-----
> From: Huan Chi [mailto:ktriv3di () msn com]
> Sent: Tuesday, August 28, 2007 5:32 AM
> To: websecurity () webappsec org
> Cc: pen-test () securityfocus com
> Subject: [WEB SECURITY] HTTP Proxy for thick clients
>
> List,
>
> I am testing a .NET thick client application using web services. I am
> looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to
> see
> the change the traffic. The application does not have a way to set
> proxy
> setting so I cannot use paros / burp and then do proxy chaining. Also,
> everything on the tunnel is SSL, so ethereal is not much help
>
> Also, any good tools to edit XML / SOAP traffic
>
> Thanks for suggesstions in advance
>
>
>
>
> -----------------------------------------------------------------------
> -----
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]