websecurity@lists.webappsec.org

The Web Security Mailing List


Silverlight

Vernon Jones
Mon, Nov 5, 2012 12:16 PM

Hi All

I'm currently looking for a Silverlight web app security scanner. The proxy that I know of that interprets WCF packets is CAT. Any other tools anyone knows about?

Regards

Vernon
#############################################################################################
The information transmitted is intended only for the person or entity to which it
is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please contact the sender and
delete the material from any computer.

Furthermore, the information contained in this message, and any attachments thereto, is
for information purposes only and may contain the personal views and opinions of the
author, which are not necessarily the views and opinions of the company.
#############################################################################################

rgutie01@gmail.com
Mon, Nov 5, 2012 3:39 PM

A colleague of mine wrote a WCF decoder/encoder plugin for burp a while
back. It might not work for more current versions of the WCF protocol but
it might be worth checking out.

http://blog.gdssecurity.com/labs/2009/11/19/wcf-binary-soap-plug-in-for-burp.html
https://github.com/GDSSecurity/WCF-Binary-SOAP-Plug-In

On Mon, Nov 5, 2012 at 7:16 AM, Vernon Jones <Vernon.Jones@derivco.com> wrote:

> Hi All
>
> I'm currently looking for a Silverlight web app security scanner. The proxy
> that I know of that interprets WCF packets is CAT. Any other tools anyone
> knows about?
>
> Regards
>
> Vernon



The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
Ron Gutierrez

Marc Wickenden
Mon, Nov 5, 2012 5:11 PM

On 5 Nov 2012, at 15:39, rgutie01@gmail.com wrote:

> A colleague of mine wrote a WCF decoder/encoder plugin for burp a while back. It might not work for more current versions of the WCF protocol but it might be worth checking out.

+1 on the GDS plugin. I actually had a WCF service I had to decode fairly recently which was using Fastinfoset XML encoding so I expanded on the work done by GDS to develop a plugin to do that.

The output of that actually resulted in a workshop on Burp Plugin development which may be useful in this scenario if you decide to code something up? The code is at https://github.com/7Elements/burp_workshop and the slides are at https://docs.google.com/a/offensivecoder.com/presentation/d/1vs1dJw646pmooJ6D2JbJk6nE84aPBquPALA86lzSb-Y/edit?pli=1#slide=id.p5.

All of that (blatant self-promotion ;-)) aside, your best bet is probably Fiddler though. http://www.fiddler2.com/fiddler2/.

If you decide to go down the Burp route give me a shout; I'd be happy to give you pointers if necessary.

Cheers,

Marc
@marcwickenden

Prasad Shenoy
Mon, Nov 5, 2012 9:59 PM

I had read that the WCF plugin was no longer necessary, since version 1.4+ has built-in functionality to decode WCF.

I have tested a few SL apps in the past and Burp has suited well.

Although, I also have used the GDS WCF plugin for the same in older versions of Burp.

Really depends on what you are trying to do but Burp might be a good start. Go Pro if you can :)

Thank you,
Prasad N. Shenoy

On Nov 5, 2012, at 12:11 PM, Marc Wickenden <marc@offensivecoder.com> wrote:

> On 5 Nov 2012, at 15:39, rgutie01@gmail.com wrote:
>
>> A colleague of mine wrote a WCF decoder/encoder plugin for burp a while back. It might not work for more current versions of the WCF protocol but it might be worth checking out.
>
> +1 on the GDS plugin. I actually had a WCF service I had to decode fairly recently which was using Fastinfoset XML encoding so I expanded on the work done by GDS to develop a plugin to do that.
>
> The output of that actually resulted in a workshop on Burp Plugin development which may be useful in this scenario if you decide to code something up? The code is at https://github.com/7Elements/burp_workshop and the slides are at https://docs.google.com/a/offensivecoder.com/presentation/d/1vs1dJw646pmooJ6D2JbJk6nE84aPBquPALA86lzSb-Y/edit?pli=1#slide=id.p5.
>
> All of that (blatant self-promotion ;-)) aside, your best bet is probably Fiddler though. http://www.fiddler2.com/fiddler2/.
>
> If you decide to go down the Burp route give me a shout, would be happy to give you pointers if necessary.
>
> Cheers,
>
> Marc
> @marcwickenden


Vernon Jones
Tue, Nov 6, 2012 11:06 AM

Thanx Dude

From: rgutie01@gmail.com [mailto:rgutie01@gmail.com]
Sent: 05 November 2012 05:39 PM
To: Vernon Jones
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Silverlight

A colleague of mine wrote a WCF decoder/encoder plugin for burp a while back. It might not work for more current versions of the WCF protocol but it might be worth checking out.

http://blog.gdssecurity.com/labs/2009/11/19/wcf-binary-soap-plug-in-for-burp.html
https://github.com/GDSSecurity/WCF-Binary-SOAP-Plug-In
On Mon, Nov 5, 2012 at 7:16 AM, Vernon Jones <Vernon.Jones@derivco.com> wrote:
Hi All

I'm currently looking for a Silverlight web app security scanner. The proxy that I know of that interprets WCF packets is CAT. Any other tools anyone knows about?

Regards

Vernon


--
Ron Gutierrez

