Friday, March 25, 2005


With more and more applications becoming web-based, it's not unusual to have to break out an HTTP/HTTPS proxy for troubleshooting when issues come up. Packet traces are okay, and sometimes it's necessary to get down to that level, but often I just want to see the Request and Response headers as they are transmitted back and forth. Proxies that let me see the headers are great for troubleshooting at this level. Case in point: I was troubleshooting a web application last week where the web client was not sending a Request header to the server as expected. The symptom was a problem downloading a .PDF document over an SSL connection. Ultimately, a modification to the Cache-Control header was required.

When it comes time to do pen-testing, proxies that allow the Request header to be modified are valuable tools. Even if a developer uses POST to try to "hide" or "control" what is going back to the server, such a proxy lets an attacker easily manipulate the Request header to send back whatever data is desired. Truth be told, a quickly modified web page can do the same, but that requires a teeny bit more work. The point is that if an application can't handle a manipulated request properly, the owner of that application has a problem. A recent case of this involves PayMaxx, which shut down its online W2 services after a customer demonstrated he could get to other W2s in the system simply by changing an ID number. As a matter of fact, modifying values in the Request is one of the "tests" in OWASP's WebGoat application. WebGoat is a teaching tool designed to show web application weaknesses by allowing an individual to learn about and then practice exploiting a weakness.
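The PayMaxx case above is a server that trusted an identifier the client sent. Since a proxy lets anyone rewrite the request on its way out, the only check that counts is the one the server makes against the authenticated session. The following is an added example (not code from the original post, nor from PayMaxx, WebGoat, Achilles or Fiddler) that parses a raw HTTP request the way a header-inspecting proxy sees it and contrasts a handler that trusts the posted id with one that verifies ownership. The session store, the W-2 ids and the owners are constructed for illustration.

```python
"""Added example: a server-side ownership check for a client-supplied id.

The request parser models what a proxy shows you on the wire; the two
handlers show why the id in the request body cannot be trusted on its own.
All users, ids and the session store below are constructed, not real.
"""

from dataclasses import dataclass

# Constructed session store: session cookie value -> authenticated user.
SESSIONS = {"sess-abc": "alice", "sess-xyz": "bob"}

# Constructed document store: W-2 id -> owner.
W2_OWNERS = {1001: "alice", 1002: "bob"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.x request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return Request(method, path, headers, body)


def session_user(req: Request):
    """Resolve the 'session' cookie to the authenticated user, or None."""
    for part in req.headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def requested_w2_id(req: Request):
    """Read the id=NNN field from a form-encoded POST body, or None."""
    for pair in req.body.split("&"):
        key, _, value = pair.partition("=")
        if key == "id" and value.isdigit():
            return int(value)
    return None


def fetch_w2_vulnerable(req: Request) -> str:
    """Trusts the posted id: whoever changes it gets someone else's W-2."""
    w2_id = requested_w2_id(req)
    if w2_id not in W2_OWNERS:
        return "404 Not Found"
    return f"200 OK: W-2 {w2_id} for {W2_OWNERS[w2_id]}"


def fetch_w2_fixed(req: Request) -> str:
    """Serves the W-2 only if the session's user owns the requested id."""
    user = session_user(req)
    if user is None:
        return "401 Unauthorized"
    w2_id = requested_w2_id(req)
    if w2_id not in W2_OWNERS or W2_OWNERS[w2_id] != user:
        return "403 Forbidden"
    return f"200 OK: W-2 {w2_id} for {user}"


# Constructed request, as Alice's browser sends it.
ORIGINAL = (
    "POST /w2/view HTTP/1.1\r\n"
    "Host: payroll.example\r\n"
    "Cookie: session=sess-abc\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=1001"
)

# The same request with only the id field changed; the session is still Alice's.
TAMPERED = ORIGINAL.replace("id=1001", "id=1002")


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("tampered", TAMPERED)):
        req = parse_request(raw)
        print(label, "headers:", req.headers)
        print("  vulnerable handler:", fetch_w2_vulnerable(req))
        print("  fixed handler:     ", fetch_w2_fixed(req))
```

The fixed handler answers 403 rather than 404 for an id that exists but belongs to someone else, so the lookup itself reveals nothing about other users' records; the vulnerable handler is the behaviour the post describes, where changing one number in the body is enough.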

The only reason I bring this up is that as I was cycling through the blogs I keep track of, I found a new HTTP proxy tool, Fiddler. It looks like it allows some scripting and has a nice interface. I'll have to play with it some more. One thing it does not do, as of yet, is support HTTPS. The proxy I use is Achilles, which does support HTTPS. It also allows me to change the Request header, etc., and it's the one I used in troubleshooting that .PDF download over SSL.

