Re: [WEB SECURITY] HTTP Proxy for thick clients
- From: Rogan Dawes <discard@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] HTTP Proxy for thick clients
- Date: Wed, 29 Aug 2007 09:18:29 +0200
Huan Chi wrote:
> Thanks guys for the suggestion. I tried doing this and for some reason,
> although Paros works for IE, it does not work for the thick client
> application.
> The thick client seems to send the traffic directly.
> Any other suggestions?
As suggested by Ofer, you can use WebScarab in reverse proxy mode. It
was designed for exactly this case.
On the Proxy->Listeners tab, create a new listener on the port that your
application is expecting to connect to (e.g. 443), specify a "base"
parameter similar to "https://<the.IP.of.the.real.server>:443/".
When the thick client connects to WebScarab, and successfully negotiates
an SSL connection (more later), it will send something like
GET /path/whatever HTTP/1.1
WebScarab then takes the "base" parameter and prepends it to the path to
get something like:
GET https://<the.IP.of.the.real.server>:443/path/whatever/ HTTP/1.0
This is effectively translated into the same syntax/protocol as a
regular proxy request, and will be treated as such by WebScarab, i.e.
you can intercept, modify, etc. just as you would any other (normal)
proxy traffic.
Then all you need to do is use an /etc/hosts entry to make the machine
that is running the thick client resolve the destination address to the
machine that is running WebScarab. If the app and WebScarab are running
on different machines, make sure that WebScarab is not only listening on
localhost. Specify "*" for the interface parameter. If it is blank, it
defaults to localhost only.
The only tricky part will be making sure that the client accepts the
WebScarab certificate when negotiating the SSL connection. Obviously, if
it doesn't complain, you have an immediate finding.
You may need to add the WebScarab certificate to your IE trusted
certificates store. Alternatively, if you have access to the legitimate
SSL cert for the target server, you can rebuild the WebScarab jar with
that certificate in place of the existing server.p12 file (sorry there
is not an easy way to do this).
One poster suggested that if the app is using client certs to
authenticate the app, you are out of luck. Not so - WebScarab can
use client certs, even from a Smart Card. Just configure WebScarab to
use the client cert, and the server will not be able to tell that it is
not the thick client doing the authentication.
Good luck, and send mail to owasp-webscarab@xxxxxxxxxxxxxxx if you have
any more questions.
Rogan
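The request-line rewrite Rogan describes (origin-form request in, absolute-form proxy request out), as an added illustration that is not WebScarab's own code and not part of the original thread; the listener model, the class and function names, and the sample base URL and IP address are constructed for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class ReverseListener:
    """Hypothetical model of one reverse-proxy listener (not WebScarab's API)."""
    port: int            # port the thick client expects, e.g. 443
    base: str            # e.g. "https://10.0.0.5:443/" (constructed sample value)
    interface: str = ""  # "" = localhost only, "*" = every interface

    def bind_address(self) -> str:
        # A blank interface parameter binds loopback only; "*" exposes the
        # listener so a thick client on another machine can reach it.
        return "0.0.0.0" if self.interface == "*" else "127.0.0.1"

    def to_proxy_request(self, request_line: str) -> str:
        """Prepend the base URL to an origin-form request line.

        "GET /path/whatever HTTP/1.1" with base "https://10.0.0.5:443/"
        becomes "GET https://10.0.0.5:443/path/whatever HTTP/1.1", which is
        what a client talking to a regular forward proxy would have sent.
        """
        parts = request_line.strip().split(" ")
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {request_line!r}")
        method, target, version = parts
        if not target.startswith("/"):
            # Absolute-form or "*" targets are not origin-form; refuse rather
            # than produce a double URL like "https://host/https://host/..."
            raise ValueError(f"not an origin-form target: {target!r}")
        b = urlsplit(self.base)
        if b.scheme not in ("http", "https") or not b.netloc:
            raise ValueError(f"base must be an absolute http(s) URL: {self.base!r}")
        # Join base path and request path with exactly one slash between them,
        # so a base of ".../app/" and a target of "/login" give ".../app/login".
        path = b.path.rstrip("/") + target
        absolute = urlunsplit((b.scheme, b.netloc, path, "", ""))
        return f"{method} {absolute} {version}"


if __name__ == "__main__":
    # Constructed sample: the listener from the post, reachable from other hosts.
    listener = ReverseListener(port=443, base="https://10.0.0.5:443/", interface="*")
    print(listener.bind_address())
    print(listener.to_proxy_request("GET /path/whatever HTTP/1.1"))
```

The Host header needs no rewriting in this setup: because the client resolved the real hostname through /etc/hosts, it already carries the server's name.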
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org