WebApp Sec mailing list archives

Re: testing webapp - socks and http proxy question

From: learn lids <learnlids () yahoo com>
Date: Wed, 14 Jan 2009 18:37:25 -0800 (PST)

hi ken,

thanks for the suggestion @ burp, i downloaded the new version, but i was getting an error. 

the webapp http://myinsecurewebapp.com redirects to https://myinsecurewebapp.com . i intercepted the traffic in burp, 
and saw this alert: 
"javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake". at the same time, what i see in 
my browser window is : "Burp proxy error: No response received from remote server"

i think the error is due to burp using its own cert? any suggestions on resolving this error are appreciated. 

thanks,
LL

--- On Sat, 1/10/09, K <rusty_johnson2 () yahoo com> wrote:

From: K <rusty_johnson2 () yahoo com>
Subject: Re: testing webapp - socks and http proxy question
To: "Rogan Dawes" <lists () dawes za net>
Cc: "learnlids () yahoo com" <learnlids () yahoo com>, "pen-test () securityfocus com" <pen-test () securityfocus 
com>, "webappsec () securityfocus com" <webappsec () securityfocus com>, "security-basics () securityfocus com" 
<security-basics () securityfocus com>
Date: Saturday, January 10, 2009, 6:57 AM
Burp comms tab, set burp to use proxy. The socks proxy is
your choice.

Ken

On Jan 9, 2009, at 4:39 AM, Rogan Dawes
<lists () dawes za net> wrote:

learn lids wrote:
hello everybody,

moderators : sorry about the cross-post, but i thoght this
question
is relevant to all these 3 lists.

i am trying to test a web app which is accessible by only a
socks
proxy. so i want to redirect the http traffic through the
socks proxy
to access th webapp. the setup is:

browser {OUT 127.0.0.1:8080} ---> burp proxy -->
socks proxy to
webapp

i am not sure how to make burp talk to the socks proxy. i
used
proxychains but i am not able to make it work.

any suggestions are much appreciated. any other alternate
methods
would be nice.

thank you, learner

The work-in-progress OWASP Proxy library (and sample app)
supports
upstream and downstream SOCKS proxies. i.e. it can act as a
SOCKS proxy,
and it can connect through an upstream SOCKS proxy. It can
also act as a
regular HTTP proxy, allowing:

[browser] --(HTTP Proxy)--> [burp] --(HTTP Proxy)-->
[OWASP Proxy]
--(SOCKS)--> [socks proxy]--> [server]

This is probably not ideal, though.

You *may* be able to convince burp to use an upstream SOCKS
proxy by
setting the appropriate Java environment variables. See:

<http://java.sun.com/javase/6/docs/technotes/guides/net/proxies.html>

I don't think that this supports authentication to the
upstream SOCKS
Proxy, though. If you need upstream authentication, you may
need to hack
something together using JSOCKS, for example.

Rogan

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security
Assessment 
With the rapid rise in the number and types of security
threats, web application security assessments should be
considered a crucial phase in the development of any web
application. What methodology should be followed? What tools
can accelerate the assessment process? Download this
Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security
Assessment 
With the rapid rise in the number and types of security
threats, web application security assessments should be
considered a crucial phase in the development of any web
application. What methodology should be followed? What tools
can accelerate the assessment process? Download this
Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------



      

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

testing webapp - socks and http proxy question learn lids (Jan 08)
- Re: testing webapp - socks and http proxy question Rogan Dawes (Jan 09)
- <Possible follow-ups>
- Re: testing webapp - socks and http proxy question K (Jan 10)
  - Re: testing webapp - socks and http proxy question learn lids (Jan 14)
- Re: testing webapp - socks and http proxy question Jack Mannino (Jan 10)
- Re: testing webapp - socks and http proxy question K (Jan 14)
- Re: testing webapp - socks and http proxy question learn lids (Jan 14)
- Re: testing webapp - socks and http proxy question learn lids (Jan 14)
  - Re: testing webapp - socks and http proxy question jack . a . mannino (Jan 15)
- Re: testing webapp - socks and http proxy question K (Jan 15)