From: Ofer Shezaf (OferS@Breach.com)
Date: Tue Aug 28 2007 - 10:24:35 EDT
Hi Huan,
If you can set the host name or server IP you can use a proxy that can act
as a reverse proxy, for example WebScarab (I don't know if Paros or Burp can).
If the application uses a host name that is embedded in the code, you could still use a reverse proxy by editing your hosts file to point this name to the local machine.
I'm not aware of any transparent reverse proxy that can change traffic.
One caveat might be SSL usage. Whether using a reverse proxy would work or not depends on the level of certificate validation done. For sure client side certificates would make using a reverse proxy impossible. Server side certificates might work if the application is not fuzzy about them.
~ Ofer Shezaf
ofers@breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;
> -----Original Message-----
> From: Huan Chi [mailto:ktriv3di@msn.com]
> Sent: Tuesday, August 28, 2007 5:32 AM
> To: websecurity@webappsec.org
> Cc: pen-test@securityfocus.com
> Subject: [WEB SECURITY] HTTP Proxy for thick clients
>
> List,
>
> I am testing a .NET thick client application using web services. I am
> looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to
> see
> the change the traffic. The application does not have a way to set
> proxy
> setting so I cannot use paros / burp and then do proxy chaining. Also,
> everything on the tunnel is SSL, so ethereal is not much help
>
> Also, any good tools to edit XML / SOAP traffic
>
> Thanks for suggesstions in advance
>
>
>
>
> -----------------------------------------------------------------------
> -----
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:04 EDT