[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [WEB SECURITY] HTTP Proxy for thick clients
- From: "Joakim Sandström" <joakim@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] HTTP Proxy for thick clients
- Date: Tue, 28 Aug 2007 21:55:10 +0300
------=_Part_10190_15474197.1188327310937
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hi,
Use Fiddler2 to capture the traffic (version 2 eats the ssl without RPASpy)
and replay/change the traffic f.ex. with burps repeater? If you do this and
realize that the soap messages are enveloped using WSE 2.0 encryption and
manage to solve your task anyhow (without having access to source, lets say
its well obfuscated). please let us know =)
Br,
Joakim
On 8/28/07, Huan Chi <ktriv3di@msn.com> wrote:
>
> Thanks guys for the suggesstion. I tried doing this and for some reason
> the
> although Paros works for IE, it does not work for the thick client
> application.
>
> The thick client seems to send the traffic directly.
>
> Any other suggesstions?
>
>
> ----- Original Message -----
> From: "haroon meer" <haroon@sensepost.com>
> To: "Huan Chi" <ktriv3di@msn.com>
> Cc: <websecurity@webappsec.org>; <pen-test@securityfocus.com>
> Sent: Monday, August 27, 2007 11:30 PM
> Subject: Re: [WEB SECURITY] HTTP Proxy for thick clients
>
>
> > Hi Huan..
> >
> > Fortunately for you, a .Net application will make use of the proxy
> > configured on the system when making SOAP calls by default (because i
> > believe it is using an IE instance to handle the call).
> >
> > Simply set burp/paros as your proxy prior to starting up your
> > thick-application and it should work exactly as you planned..
> >
> > (if the app bails because of an incorrect SSL key, you might have to
> > decompile the binary to remove the cert check or may get away with
> > installing a new cert (with just the correct CN into paros/burp) - but
> > you can contact me off-list if this does happen)
> >
> > /mh
> >
> > * Huan Chi <ktriv3di@msn.com> [2007-08-27 19:32:26 -0700]:
> >
> >> List,
> >>
> >> I am testing a .NET thick client application using web services. I am
> >> looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to
> >> see the change the traffic. The application does not have a way to set
> >> proxy setting so I cannot use paros / burp and then do proxy chaining.
> >> Also, everything on the tunnel is SSL, so ethereal is not much help
> >>
> >> Also, any good tools to edit XML / SOAP traffic
> >>
> >> Thanks for suggesstions in advance
> >>
> >>
> >>
> >>
> >>
> ----------------------------------------------------------------------------
> >> Join us on IRC: irc.freenode.net #webappsec
> >>
> >> Have a question? Search The Web Security Mailing List Archives:
> >> http://www.webappsec.org/lists/websecurity/
> >>
> >> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS
> >> Feed]
> >>
> >>
> >>
> >> ** CRM114 Whitelisted by: Subject: [WEB SECURITY] **
> >
> > --
> > Haroon Meer, SensePost Information Security |
> > http://www.sensepost.com/blog/
> > PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637
> >
> >
> >
> > ** CRM114 Whitelisted by: From haroon@sensepost.com **
> >
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
------=_Part_10190_15474197.1188327310937
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hi,<br><br>Use Fiddler2 to capture the traffic (version 2 eats the ssl without RPASpy) and replay/change the traffic f.ex. with burps repeater? If you do this and realize that the soap messages are enveloped using WSE 2.0 encryption and manage to solve your task anyhow (without having access to source, lets say its well obfuscated). please let us know =)
<br><br>Br, <br> Joakim<br><br><div><span class="gmail_quote">On 8/28/07, <b class="gmail_sendername">Huan Chi</b> <<a href="mailto:ktriv3di@msn.com";>ktriv3di@msn.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Thanks guys for the suggesstion. I tried doing this and for some reason the<br>although Paros works for IE, it does not work for the thick client<br>application.<br><br>The thick client seems to send the traffic directly.
<br><br>Any other suggesstions?<br><br><br>----- Original Message -----<br>From: "haroon meer" <<a href="mailto:haroon@sensepost.com";>haroon@sensepost.com</a>><br>To: "Huan Chi" <<a href="mailto:ktriv3di@msn.com";>
ktriv3di@msn.com</a>><br>Cc: <<a href="mailto:websecurity@webappsec.org";>websecurity@webappsec.org</a>>; <<a href="mailto:pen-test@securityfocus.com";>pen-test@securityfocus.com</a>><br>Sent: Monday, August 27, 2007 11:30 PM
<br>Subject: Re: [WEB SECURITY] HTTP Proxy for thick clients<br><br><br>> Hi Huan..<br>><br>> Fortunately for you, a .Net application will make use of the proxy<br>> configured on the system when making SOAP calls by default (because i
<br>> believe it is using an IE instance to handle the call).<br>><br>> Simply set burp/paros as your proxy prior to starting up your<br>> thick-application and it should work exactly as you planned..<br>><br>
> (if the app bails because of an incorrect SSL key, you might have to<br>> decompile the binary to remove the cert check or may get away with<br>> installing a new cert (with just the correct CN into paros/burp) - but
<br>> you can contact me off-list if this does happen)<br>><br>> /mh<br>><br>> * Huan Chi <<a href="mailto:ktriv3di@msn.com";>ktriv3di@msn.com</a>> [2007-08-27 19:32:26 -0700]:<br>><br>>> List,
<br>>><br>>> I am testing a .NET thick client application using web services. I am<br>>> looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to<br>>> see the change the traffic. The application does not have a way to set
<br>>> proxy setting so I cannot use paros / burp and then do proxy chaining.<br>>> Also, everything on the tunnel is SSL, so ethereal is not much help<br>>><br>>> Also, any good tools to edit XML / SOAP traffic
<br>>><br>>> Thanks for suggesstions in advance<br>>><br>>><br>>><br>>><br>>> ----------------------------------------------------------------------------<br>>> Join us on IRC:
<a href="http://irc.freenode.net";>irc.freenode.net</a> #webappsec<br>>><br>>> Have a question? Search The Web Security Mailing List Archives:<br>>> <a href="http://www.webappsec.org/lists/websecurity/";>http://www.webappsec.org/lists/websecurity/
</a><br>>><br>>> Subscribe via RSS: <a href="http://www.webappsec.org/rss/websecurity.rss";>http://www.webappsec.org/rss/websecurity.rss</a> [RSS<br>>> Feed]<br>>><br>>><br>>><br>>> ** CRM114 Whitelisted by: Subject: [WEB SECURITY] **
<br>><br>> --<br>> Haroon Meer, SensePost Information Security |<br>> <a href="http://www.sensepost.com/blog/";>http://www.sensepost.com/blog/</a><br>> PGP: <a href="http://www.sensepost.com/pgp/haroon.txt";>
http://www.sensepost.com/pgp/haroon.txt</a> | Tel: +27 83786 6637<br>><br>><br>><br>> ** CRM114 Whitelisted by: From <a href="mailto:haroon@sensepost.com";>haroon@sensepost.com</a> **<br>><br><br><br>----------------------------------------------------------------------------
<br>Join us on IRC: <a href="http://irc.freenode.net";>irc.freenode.net</a> #webappsec<br><br>Have a question? Search The Web Security Mailing List Archives:<br><a href="http://www.webappsec.org/lists/websecurity/";>http://www.webappsec.org/lists/websecurity/
</a><br><br>Subscribe via RSS:<br><a href="http://www.webappsec.org/rss/websecurity.rss";>http://www.webappsec.org/rss/websecurity.rss</a> [RSS Feed]<br><br></blockquote></div><br>
------=_Part_10190_15474197.1188327310937--
Brought to you by http://www.webappsec.org
Search this site
|