Vulnerability Development: RE: xml over https

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

RE: xml over https

From: "Burke, Charles" <Charles_Burke () HomeDepot com>
Date: Mon, 7 Feb 2005 09:08:19 -0500

This web services was not using WS Security was it?
I am assuming the xml encryption was custom or was it provided by WSE?

-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br] 
Sent: Friday, February 04, 2005 7:33 AM
To: vuln-dev () securityfocus com
Subject: Re: xml over https

Actually it turned out to be way much simpler than I thought, the 
application sends text files between server and client, formatted in
XML. Some of the fields are encrypted with 3des but the key was
hardcoded and 
I managed to write a tiny program to decrypt the xml fields using their 
own dll without specifying the key ;-)

The application communicates through https with a portal vulnerable to 
sql injection. I haven't been able to find a login that suits but I have

mapped almost the whole DB using different queries.
If anyone know a nice guide to sql injection for SQL server (MS) I would

appreciate it

Regards,

Mads

By Date By Thread

Current thread:

xml over https Mads Rasmussen (Feb 02)
- <Possible follow-ups>
- RE: xml over https Butler, Theodore (Feb 05)
  - Re: xml over https Mads Rasmussen (Feb 05)
- Re: xml over https Barnett E. Kurtz (Feb 07)
- RE: xml over https Burke, Charles (Feb 07)
  - Re: xml over https Mads Rasmussen (Feb 11)