Hi All
I'm currently looking for a Silverlight web app security scanner; the proxy that I know of that interprets WCF packets is CAT. Any other tools anyone knows about?
Regards
Vernon
#############################################################################################
The information transmitted is intended only for the person or entity to which it
is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please contact the sender and
delete the material from any computer.
Furthermore, the information contained in this message, and any attachments thereto, is
for information purposes only and may contain the personal views and opinions of the
author, which are not necessarily the views and opinions of the company.
#############################################################################################
A colleague of mine wrote a WCF decoder/encoder plugin for burp a while
back. It might not work for more current versions of the WCF protocol but
it might be worth checking out.
http://blog.gdssecurity.com/labs/2009/11/19/wcf-binary-soap-plug-in-for-burp.html
https://github.com/GDSSecurity/WCF-Binary-SOAP-Plug-In
On Mon, Nov 5, 2012 at 7:16 AM, Vernon Jones <Vernon.Jones@derivco.com> wrote:
Hi All
I'm currently looking for a Silverlight web app security scanner; the proxy that I know of that interprets WCF packets is CAT. Any other tools anyone knows about?
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
Ron Gutierrez
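Ron's links above point at a Burp decoder/encoder for WCF's binary SOAP framing. As an added example for this thread (it is not the GDS plug-in's code, nor anything posted by the list members), here is a small Python decoder for that framing: .NET Binary XML (MC-NBFX) records with the MC-NBFS static string table, which is what WCF sends over HTTP with Content-Type application/soap+msbin1. The record codes follow the MC-NBFX specification; the static dictionary is a partial copy holding only the entries the constructed sample needs, the sample request bytes are hand-assembled rather than captured from a real service, and the net.tcp variant that carries an in-band session dictionary (NBFSE) is deliberately not handled.

```python
# Decoder for WCF binary SOAP (.NET Binary XML: MC-NBFX records + the MC-NBFS static
# string table; Content-Type application/soap+msbin1). Added example, not the GDS plug-in.
# Assumptions: record codes as in MC-NBFX; STATIC_DICT is partial; no session dictionary.
import struct
from xml.sax.saxutils import escape, quoteattr

STATIC_DICT = {0: "mustUnderstand", 2: "Envelope", 4: "http://www.w3.org/2003/05/soap-envelope",
               6: "http://www.w3.org/2005/08/addressing", 8: "Header", 10: "Action", 12: "To", 14: "Body"}
FIXED_TEXT = {0x80: "0", 0x82: "1", 0x84: "false", 0x86: "true", 0xA8: ""}
INT_TEXT = {0x88: "<b", 0x8A: "<h", 0x8C: "<i", 0x8E: "<q"}  # Int8..Int64Text
CHARS_TEXT = {0x98: "<B", 0x9A: "<H", 0x9C: "<I"}  # Chars8/16/32Text (length prefix)

class NbfxDecoder:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated record at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def _mb31(self):  # MultiByteInt31: 7 bits per byte, little-endian, high bit continues
        value = shift = 0
        while shift <= 28:
            b = self._take(1)[0]
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value
            shift += 7
        raise ValueError("MultiByteInt31 longer than 5 bytes")
    def _string(self):
        return self._take(self._mb31()).decode("utf-8")
    def _dict_string(self):
        i = self._mb31()  # even = static table; odd = in-band session string (not supported)
        if i & 1 or i not in STATIC_DICT:
            raise ValueError("dictionary id %d not in the partial static table" % i)
        return STATIC_DICT[i]
    def _qname(self, k, letters_at):  # k < 4: bit0 = prefix string, bit1 = dictionary name;
        if k < 4:                     # k >= letters_at: prefix a-z, dict name (first 26) or string
            prefix = self._string() if k & 1 else ""
            name = self._dict_string() if k & 2 else self._string()
        else:
            prefix = chr(0x61 + (k - letters_at) % 26)
            name = self._string() if k - letters_at >= 26 else self._dict_string()
        return prefix + ":" + name if prefix else name
    def _text(self, rec):
        base = rec & 0xFE  # odd code = same text followed by an implicit EndElement
        if base in FIXED_TEXT:
            return FIXED_TEXT[base]
        if base in INT_TEXT or base in CHARS_TEXT:
            fmt = INT_TEXT.get(base) or CHARS_TEXT[base]
            v = struct.unpack(fmt, self._take(struct.calcsize(fmt)))[0]
            return str(v) if base in INT_TEXT else self._take(v).decode("utf-8")
        if base == 0xAA:  # DictionaryText
            return self._dict_string()
        raise ValueError("unhandled text record 0x%02x" % rec)
    def _attribute(self, rec):  # attribute records are 0x04..0x3F
        k = rec - 0x04
        if 4 <= k <= 7:  # xmlns forms: optional prefix, then a string or dictionary URI
            prefix = self._string() if k & 1 else ""
            uri = self._dict_string() if k & 2 else self._string()
            return ("xmlns:" + prefix if prefix else "xmlns"), uri
        return self._qname(k, 8), self._text(self._take(1)[0])
    def element(self):  # element records are 0x40..0x77
        rec = self._take(1)[0]
        if not 0x40 <= rec <= 0x77: raise ValueError("not an element record: 0x%02x" % rec)
        qname, attrs = self._qname(rec - 0x40, 4), []
        while self.pos < len(self.data) and 0x04 <= self.data[self.pos] <= 0x3F:
            attrs.append(self._attribute(self._take(1)[0]))
        out = "<%s%s>" % (qname, "".join(" %s=%s" % (k, quoteattr(v)) for k, v in attrs))
        while True:
            rec = self._take(1)[0]
            if rec == 0x01:  # EndElement
                return out + "</%s>" % qname
            if 0x40 <= rec <= 0x77:  # nested element: push the record byte back
                self.pos -= 1
                out += self.element()
            elif rec >= 0x80:  # text content; an odd code also closes this element
                out += escape(self._text(rec))
                if rec & 1:
                    return out + "</%s>" % qname
            else:
                raise ValueError("unexpected record 0x%02x" % rec)

def decode_msbin1(data):
    dec = NbfxDecoder(data)
    doc = dec.element()
    if dec.pos != len(data):
        raise ValueError("%d trailing bytes after the root element" % (len(data) - dec.pos))
    return doc
ACTION, NS = b"http://tempuri.org/IService/GetBalance", b"http://tempuri.org/"
SAMPLE = b"".join([  # constructed sample: a WCF request encoded by hand from the codes above
    b"\x56\x02", b"\x0B\x01s\x04", b"\x0B\x01a\x06",  # <s:Envelope xmlns:s=dict4 xmlns:a=dict6>
    b"\x56\x08", b"\x44\x0A", b"\x1E\x00\x82",         # <s:Header><a:Action s:mustUnderstand="1">
    b"\x99", bytes([len(ACTION)]), ACTION, b"\x01",    # Chars8TextWithEndElement, </s:Header>
    b"\x56\x0E", b"\x40\x0A", b"GetBalance", b"\x08", bytes([len(NS)]), NS,  # <s:Body><GetBalance xmlns=...>
    b"\x40\x09", b"accountId", b"\x8B\x12\x04",        # <accountId> Int16TextWithEndElement 1042
    b"\x01", b"\x01", b"\x01",                          # </GetBalance></s:Body></s:Envelope>
])
```

Two things to watch when proxying this encoding: the dictionary means the wire bytes contain no literal element names for anything in the static table, so a text search or naive replace in the proxy finds nothing, and changing a request means re-encoding it, which is why the plug-in has an encoder half; and the decoder refuses any record or dictionary id outside the subset it knows rather than guessing, so a request that trips it is a cue to extend the table, not to trust a partial decode.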
On 5 Nov 2012, at 15:39, rgutie01@gmail.com wrote:
A colleague of mine wrote a WCF decoder/encoder plugin for burp a while back. It might not work for more current versions of the WCF protocol but it might be worth checking out.
+1 on the GDS plugin. I actually had a WCF service I had to decode fairly recently which was using Fastinfoset XML encoding so I expanded on the work done by GDS to develop a plugin to do that.
The output of that actually resulted in a workshop on Burp Plugin development which may be useful in this scenario if you decide to code something up? The code is at https://github.com/7Elements/burp_workshop and the slides are at https://docs.google.com/a/offensivecoder.com/presentation/d/1vs1dJw646pmooJ6D2JbJk6nE84aPBquPALA86lzSb-Y/edit?pli=1#slide=id.p5.
All of that (blatant self-promotion ;-)) aside, your best bet is probably Fiddler though. http://www.fiddler2.com/fiddler2/.
If you decide to go down the Burp route give me a shout, would be happy to give you pointers if necessary.
Cheers,
Marc
@marcwickenden
I had read that the WCF plugin was no longer necessary since version 1.4+ had built-in functionality to decode WCF.
I have tested a few SL apps in the past and Burp has suited well.
Although, I also have used the GDS WCF plugin for the same in older versions of Burp.
Really depends on what you are trying to do but Burp might be a good start. Go Pro if you can :)
Thank you,
Prasad N. Shenoy
On Nov 5, 2012, at 12:11 PM, Marc Wickenden <marc@offensivecoder.com> wrote:
+1 on the GDS plugin. I actually had a WCF service I had to decode fairly recently which was using Fastinfoset XML encoding so I expanded on the work done by GDS to develop a plugin to do that.
Thanx Dude
From: rgutie01@gmail.com [mailto:rgutie01@gmail.com]
Sent: 05 November 2012 05:39 PM
To: Vernon Jones
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Sliverlight