Hi Huan,
If you can set the host name or server IP you can use a proxy that can act
as a reverse proxy, for example WebScarab (I don't know if Paros or Burp can).
If the application uses a host name that is embedded in the code, you could
still use a reverse proxy by editing your hosts file to point this name to the
local machine.
I'm not aware of any transparent reverse proxy that can change traffic.
One caveat might be SSL usage. Whether using a reverse proxy would work or not
depends on the level of certificate validation done. For sure client side
certificates would make using a reverse proxy impossible. Server side
certificates might work if the application is not fuzzy about them.
~ Ofer Shezaf
ofers@breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set
Project;
-----Original Message-----
From: Huan Chi [mailto:ktriv3di@msn.com]
Sent: Tuesday, August 28, 2007 5:32 AM
To: websecurity@webappsec.org
Cc: pen-test@securityfocus.com
Subject: [WEB SECURITY] HTTP Proxy for thick clients
List,
I am testing a .NET thick client application using web services. I am
looking for an HTTP/TCP Proxy tool like PAROS / BURP which I can use to
see
the change the traffic. The application does not have a way to set
proxy
setting so I cannot use paros / burp and then do proxy chaining. Also,
everything on the tunnel is SSL, so ethereal is not much help
Also, any good tools to edit XML / SOAP traffic
Thanks for suggesstions in advance
-----------------------------------------------------------------------
-----
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
