[WEB SECURITY] Looking For Some Proxy Advice

Brian Shura bshura73 at att.net
Fri Aug 21 02:03:40 EDT 2009


Arian,
You're right, proxies like WebScarab and Paros work great for manual testing
and for troubleshooting specific scanner problems, but try to run a big scan
through them and they start acting flaky pretty quickly because that's just
not what they're designed for.

I ended up solving this problem by having some network changes made that
allowed me to avoid using a proxy altogether.  Running a web application
scan through a chain of 2 proxies was just asking for trouble, and could
have led to false negatives due to one or more of the proxies preventing
certain attacks from getting through.

Thanks everyone for the suggestions.  

Thanks,
Brian
 

-----Original Message-----
From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of
Arian J. Evans
Sent: Thursday, August 20, 2009 11:57 AM
To: Mark Feferman; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Looking For Some Proxy Advice

I have always had severe memory-leak issues with Webscarab trying to run
automated requests in volume through it. Suspect Brian has too.

Never tried with Burp - though I am sure some of the engineers I work with
have. Let me ask them.


--
Arian Evans



On Thu, Aug 20, 2009 at 11:14 AM, Mark
Feferman<Mark.Feferman at halliburton.com> wrote:
> What about WebScarab?  I think it supports all of these things.
>
> From: Brian Shura [mailto:bshura73 at gmail.com]
> Sent: Thursday, August 20, 2009 12:21 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Looking For Some Proxy Advice
>
> Does anyone know of a free HTTP proxy that can be easily installed on a
> desktop and has the following capabilities?
>
> 1.  Ability to configure an outgoing proxy server.
>
> 2.  Support for an outgoing proxy server that requires NTLM authentication.
>
> 3.  Ability to define a "proxy bypass list" so that the outgoing proxy
> server is not used for specific IP addresses or hostnames.
>
> 4.  Ability to point a web application scanner at this proxy and run a scan
> through the proxy without the proxy bogging down and crashing.
>
> Paros supports items 1, 2, and 3 above but doesn't seem to be designed to
> route a large number of requests through it since it's more of a manual
> testing tool and is trying to store all the HTTP requests/responses.  In
> this case I'm not really interested in storing or viewing the HTTP
> requests/responses, just need a way to intelligently route requests to
> certain hostnames through an outgoing proxy server and bypass the outgoing
> proxy server for other hostnames.
>
> Thanks,
> Brian
>
> ________________________________
> This e-mail, including any attached files, may contain confidential and
> privileged information for the sole use of the intended recipient. Any
> review, use, distribution, or disclosure by others is strictly prohibited.
> If you are not the intended recipient (or authorized to receive information
> for the intended recipient), please contact the sender by reply e-mail and
> delete all copies of this message.
>
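Items 1, 3 and 4 of the original request come down to one decision per request: given the target host, connect directly or hand the request to the configured upstream proxy, and do it without buffering traffic. The following Python example is added here for illustration; it is not code from this thread or from Paros, WebScarab or Burp. The upstream proxy name (proxy.corp.example:3128), the bypass list and the sample URLs are constructed placeholders. It implements the bypass-list matching and the request-line rewrite a local forwarding proxy needs; NTLM authentication to the upstream proxy (item 2) is out of scope.

```python
"""Routing logic for a local forwarding proxy: decide per request host whether to
go direct or through an upstream proxy, using a browser-style bypass list.
Added example with constructed names; not code from the mailing-list thread."""
import ipaddress
import urllib.parse
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    host: str                       # origin server the request is for
    port: int
    via_upstream: bool
    upstream: Optional[str] = None  # "proxyhost:port" when via_upstream is True


def parse_bypass_list(text: str) -> Tuple[str, ...]:
    """Split a bypass list such as "localhost;127.0.0.1;*.corp.example;10.0.0.0/8"
    on ';' or ',' and drop blank entries. Rules are lower-cased for matching."""
    return tuple(r.strip().lower() for r in text.replace(",", ";").split(";") if r.strip())


def matches_bypass(host: str, rule: str) -> bool:
    """One bypass rule: exact host, suffix (".corp.example" or "*.corp.example"),
    literal IP ("10.0.0.5") or CIDR block ("10.0.0.0/8")."""
    host = host.lower()
    try:
        net = ipaddress.ip_network(rule, strict=False)  # literal IP or CIDR rule
    except ValueError:
        net = None                                       # hostname-style rule
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # rule is an address range but the host is a name
    if rule.startswith("*."):
        rule = rule[1:]
    if rule.startswith("."):
        # Suffix rules are anchored at a label boundary, so "corp.example.evil"
        # does not match ".corp.example" and silently bypass the proxy.
        return host == rule[1:] or host.endswith(rule)
    return host == rule


def select_route(host: str, port: int, bypass: Sequence[str], upstream: Optional[str]) -> Route:
    """Direct when no upstream is configured or any bypass rule matches; otherwise
    via the upstream proxy."""
    if upstream is None or any(matches_bypass(host, r) for r in bypass):
        return Route(host, port, False)
    return Route(host, port, True, upstream)


def plan_request(method: str, url: str, bypass: Sequence[str],
                 upstream: Optional[str]) -> Tuple[str, str, int]:
    """Return (request_line, connect_host, connect_port) for an absolute http:// URL.
    Via the upstream proxy the request line keeps the absolute URI, which is what an
    HTTP proxy expects; on a direct connection it is reduced to origin-form."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only absolute http:// URLs are handled in this example")
    route = select_route(parts.hostname, parts.port or 80, bypass, upstream)
    if route.via_upstream:
        proxy_host, _, proxy_port = route.upstream.rpartition(":")
        return f"{method} {url} HTTP/1.1", proxy_host, int(proxy_port)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{method} {path} HTTP/1.1", route.host, route.port


if __name__ == "__main__":
    # Constructed configuration and sample scanner URLs.
    BYPASS = parse_bypass_list("localhost; 127.0.0.1; *.corp.example; 10.0.0.0/8")
    UPSTREAM = "proxy.corp.example:3128"
    for u in ("http://app.corp.example:8080/login",
              "http://10.20.30.40/admin",
              "http://www.example.net/search?q=1"):
        print(plan_request("GET", u, BYPASS, UPSTREAM))
```

A real proxy built on this would open the TCP connection to `connect_host:connect_port`, send the rewritten request line plus headers, and relay the body in both directions in fixed-size chunks rather than keeping every request and response in memory, which is the storage behaviour the original post wants to avoid. The suffix matching is deliberately anchored at a label boundary: a bypass rule that matched by plain substring would let an external name ending in the internal suffix skip the corporate proxy.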

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
