WebApp Sec: Re: testing webapp - socks and http proxy question

[learn lids <learnlids () yahoo com>]

natron, afaik netcat proxying does not work with the -l switch. is there a different version that allows you to do 
that? 

what i did was : nc -l -p4000 -X5 -x10.b.c.d:1080

-learnlids


--- On Fri, 1/9/09, natron <natron () invisibledenizen org> wrote:

> From: natron <natron () invisibledenizen org>
> Subject: Re: testing webapp - socks and http proxy question
> To: "Rogan Dawes" <lists () dawes za net>
> Cc: learnlids () yahoo com, pen-test () securityfocus com, webappsec () securityfocus com, security-basics () 
> securityfocus com
> Date: Friday, January 9, 2009, 11:09 AM
> I think I've solved this problem in the past by using
> proxy
> 'conversion' tools that will convert from one proxy
> type to another.
> It's been a while so I can't remember which tool I
> used, but I think
> socat or maybe ncat will do what you need.  You configure
> *cat to
> listen on (e.g.) port 1234 as an HTTP proxy server, and
> chain it to
> the socks proxy server.
>
> On Fri, Jan 9, 2009 at 3:39 AM, Rogan Dawes
> <lists () dawes za net> wrote:
> > learn lids wrote:
> > > hello everybody,
> > >
> > > moderators : sorry about the cross-post, but i
> thoght this question
> > > is relevant to all these 3 lists.
> > >
> > > i am trying to test a web app which is accessible
> by only a socks
> > > proxy. so i want to redirect the http traffic
> through the socks proxy
> > > to access th webapp. the setup is:
> > >
> > > browser {OUT 127.0.0.1:8080} ---> burp proxy
> --> socks proxy to
> > > webapp
> > >
> > > i am not sure how to make burp talk to the socks
> proxy. i used
> > > proxychains but i am not able to make it work.
> > >
> > > any suggestions are much appreciated. any other
> alternate methods
> > > would be nice.
> > >
> > > thank you, learner
> > The work-in-progress OWASP Proxy library (and sample
> app) supports
> > upstream and downstream SOCKS proxies. i.e. it can act
> as a SOCKS proxy,
> > and it can connect through an upstream SOCKS proxy. It
> can also act as a
> > regular HTTP proxy, allowing:
> >
> > [browser] --(HTTP Proxy)--> [burp] --(HTTP
> Proxy)--> [OWASP Proxy]
> > --(SOCKS)--> [socks proxy]--> [server]
> >
> > This is probably not ideal, though.
> >
> > You *may* be able to convince burp to use an upstream
> SOCKS proxy by
> > setting the appropriate Java environment variables.
> See:
> >
> <http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html>
> > I don't think that this supports authentication to
> the upstream SOCKS
> > Proxy, though. If you need upstream authentication,
> you may need to hack
> > something together using JSOCKS, for example.
> >
> > Rogan

      

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------