List:       owasp-webscarab
Subject:    Re: [OWASP-WEBSCARAB] Updated WebScarab-NG jar uploaded
From:       Rogan Dawes <lists () dawes ! za ! net>
Date:       2006-06-28 13:42:01
Message-ID: 44A28729.2030109 () dawes ! za ! net

William Stranathan wrote:
> One thing I'd LOVE to see in any of these MITM proxies is the ability
> to make a custom self-signed cert.
> 
> A lot of applications I deal with are thick clients that use HTTP.
> But because they're in Java, they have really strict certificate
> checking.  So I can trust the WebScarab cert in my JVM, but the
> hostname doesn't match.  It'd be nice to have a UI where I can change
> the cert that gets used (and keep the setting between restarts) so I
> can match the hostname of the target and trust that in the JVM.  Or if
> for some odd reason, I'm able to get the SK for the target, I'd like
> to be able to import that as the SSL server cert.
> 
> (This refers to server certs, not client certs - although it'd be nice
> if WebScarab remembered those settings as well).
> 
> w
> 

I actually have code for the current Webscarab that does this, using the 
BouncyCastle crypto libs. It was contributed by Brad Hill, I just 
haven't had a chance to integrate it properly.

As you say, what it does is generate server certs on the fly, signed by 
the WebScarab "CA cert". What you can do is export the CA cert, and then 
import that into your truststore, and you should be good to go.

Certs that it generates are stored in a keystore file, and can be reused 
on subsequent connections.

I've laid the infrastructure for this in the new WebScarab, too, since I 
agree that it is a good idea.

It will be trivial to extend the following method to choose an 
appropriate cert, or generate one as required.

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

private SSLSocketFactory sslSocketFactory;

/** Hook for per-host certificate selection; for now it falls through to the default. */
public SSLSocketFactory getSslSocketFactory(String hostName, int port) {
    return getDefaultSslSocketFactory();
}

/**
 * @return Returns the sslSocketFactory, built lazily from the bundled
 *         PKCS#12 keystore certificates/server.p12 (keystore and key password "password").
 */
public SSLSocketFactory getDefaultSslSocketFactory() {
    if (sslSocketFactory == null) {
        // try-with-resources closes the stream (the original never did)
        try (InputStream is = getClass().getClassLoader()
                .getResourceAsStream("certificates/server.p12")) {
            if (is == null) {
                throw new IllegalStateException("certificates/server.p12 not on the classpath");
            }
            KeyStore ks = KeyStore.getInstance("PKCS12");
            char[] ksp = "password".toCharArray();
            ks.load(is, ksp);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            char[] kp = "password".toCharArray();
            kmf.init(ks, kp);
            // "TLS" negotiates the best protocol both sides support; the original asked for
            // "SSLv3", which current JVMs disable.
            SSLContext sslcontext = SSLContext.getInstance("TLS");
            // null TrustManagers/SecureRandom = JVM defaults; this is the server side, so no
            // client trust decisions are made here.
            sslcontext.init(kmf.getKeyManagers(), null, null);
            sslSocketFactory = sslcontext.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            // the original swallowed all of these and returned null; surface them instead
            throw new IllegalStateException("cannot initialise SSL socket factory", e);
        }
    }
    return sslSocketFactory;
}

Regards,

Rogan
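
The post describes the mechanism (a WebScarab CA cert, server certs minted on the fly and signed by it, all kept in a keystore and reused) but stops at a stub that always returns the default factory. The class below, an added example written for this page and not WebScarab's code or the Brad Hill contribution the post mentions, fills that stub in the way the text describes, and goes slightly beyond it by also persisting the keystore. It assumes BouncyCastle's bcprov and bcpkix jars on the classpath; the class name HostCertFactory, the alias webscarab-ca, the password, the CA subject and the one-year validity are all assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical per-host certificate minter: an added example, not WebScarab code. */
public class HostCertFactory {
    private static final String CA_ALIAS = "webscarab-ca";            // assumed alias
    private static final char[] PASSWORD = "password".toCharArray();  // assumed password
    private final KeyStore store;   // CA entry plus one entry per minted hostname

    /** Mints a fresh CA; a real tool would reload the saved keystore instead (store.load). */
    public HostCertFactory() throws GeneralSecurityException, IOException, OperatorCreationException {
        store = KeyStore.getInstance("PKCS12");
        store.load(null, null);                                // empty in-memory keystore
        KeyPair ca = newKeyPair();
        X500Name name = new X500Name("CN=WebScarab local CA");  // assumed subject
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore(), notAfter(), name, ca.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        store.setKeyEntry(CA_ALIAS, ca.getPrivate(), PASSWORD,
                new X509Certificate[] { sign(b, ca.getPrivate()) });
    }

    /** The CA cert to export and import into the thick client's truststore. */
    public X509Certificate caCertificate() throws KeyStoreException {
        return (X509Certificate) store.getCertificate(CA_ALIAS);
    }

    /** Persists the CA and every minted leaf so they are reused after a restart. */
    public void save(Path keystoreFile) throws GeneralSecurityException, IOException {
        try (OutputStream out = Files.newOutputStream(keystoreFile)) { store.store(out, PASSWORD); }
    }

    /** Fills in the stub from the post: a factory presenting a cert for this hostname. */
    public synchronized SSLSocketFactory getSslSocketFactory(String hostName, int port)
            throws GeneralSecurityException, IOException, OperatorCreationException {
        if (!store.containsAlias(hostName)) mintLeaf(hostName);   // reuse if already minted
        // Single-entry keystore so the KeyManager cannot pick another host's cert.
        KeyStore one = KeyStore.getInstance("PKCS12");
        one.load(null, null);
        one.setKeyEntry(hostName, store.getKey(hostName, PASSWORD), PASSWORD,
                store.getCertificateChain(hostName));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(one, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    /** Mints a leaf with CN and dNSName SAN equal to hostName, signed by the CA key. */
    private void mintLeaf(String hostName) throws GeneralSecurityException, IOException, OperatorCreationException {
        PrivateKey caKey = (PrivateKey) store.getKey(CA_ALIAS, PASSWORD);
        X509Certificate caCert = caCertificate();
        KeyPair leaf = newKeyPair();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caCert,
                new BigInteger(63, new SecureRandom()), notBefore(), notAfter(),
                new X500Name("CN=" + hostName), leaf.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, hostName)));
        store.setKeyEntry(hostName, leaf.getPrivate(), PASSWORD,
                new X509Certificate[] { sign(b, caKey), caCert });
    }

    private static KeyPair newKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    private static X509Certificate sign(X509v3CertificateBuilder b, PrivateKey key)
            throws OperatorCreationException, CertificateException {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    private static Date notBefore() { return new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)); }
    private static Date notAfter() { return new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365)); }
}
```

Usage follows the post: write caCertificate() out once (for example with keytool -importcert into the JVM's cacerts or a dedicated truststore), then call getSslSocketFactory(targetHost, 443) when the proxy accepts a CONNECT for that host. A strict Java client then passes both checks it was failing before: the chain ends at a trusted root, and the name it connected to appears in the leaf's dNSName SAN (the CN is kept only for older clients). Two caveats a practitioner should keep in mind: whoever holds the keystore file holds a CA that the client trusts, so protect it like any other MITM capability, and every minted leaf is cached by hostname, so a stale or mistyped entry is served again until it is removed from the keystore.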

_______________________________________________
Owasp-webscarab mailing list
Owasp-webscarab@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-webscarab