
List:       owasp-webscarab
Subject:    [Owasp-webscarab] NTLM authentication
From:       Martin Holst Swende <martin () swende ! se>
Date:       2010-04-22 19:27:44
Message-ID: 4BD0A330.6020406 () swende ! se

Hi all,

I recently did some blackbox testing of a fat client which talked SOAP
with two servers, one HTTPS and one HTTP with NTLM Authentication. By
configuring webscarab as a reverse proxy and modifying the hosts-file on
the client computer, I was able to man-in-the-middle the https-traffic
easily. In order to make webscarab more transparent, I removed the
"Proxy-Forwarded-For" header which was sent to the server.

When intercepting the http channel, which used NTLM auth, strange things
started happening. First of all, it seems that the version of ntlm was
ntlmssp, and when webscarab tried interpreting that there were
exceptions (trying to do string.substring("ntlmssp<binary
junk>".indexOf("domain/")). In the end, I disabled all
authentication-parsing done by webscarab, to just let the browser and
server sort it between themselves. That worked - sort of. When the
server responded with a 401, I was unable to intercept and modify the
following requests. There is some internal loop which retries three
times when a 401 is hit, and I guess the manual intercept is never
called for those requests? (In the end I had to hardcode a
replace-function inside URLFetcher).

So, a couple of questions:
* I guess the authentication-parsing is done to allow spidering and
auto-fetching to reuse authentication. Is there any 'good' way to
disable it?
* Is it possible to intercept the retries after a 401 occurs?
* If I want the proxy to be transparent to both server and client, is
there anything else than "Proxy-Forwarded-For" that should be removed?

- And a few more about Owasp proxy:
I was thinking of setting up an owasp proxy instead - am I correct that
it does not do any authentication-parsing at all - and therefore would
have worked? Also - how would I go about setting Owasp Proxy up as a
reverse proxy (transparently)?

Best regards,
Martin Holst Swende
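
The parsing failure described in the post above (a text search for "domain/" applied to an NTLMSSP token that is really a binary, base64-encoded structure) is what a structure-aware parser avoids. The Python below is an added example written for this thread; it is not WebScarab or OWASP Proxy code. It decodes the three NTLMSSP message types by their fixed offsets (the MS-NLMP layout), rejects anything that is not well-formed instead of throwing from inside a substring call, and builds its own sample messages locally rather than using captured traffic. The `build_type1`/`build_type3` helpers exist only to produce that constructed input.

```python
import base64
import binascii
import struct

# Constants from the NTLMSSP message format (MS-NLMP).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE = 1       # Type 1, client -> server
CHALLENGE = 2       # Type 2, server -> client
AUTHENTICATE = 3    # Type 3, client -> server
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM (ASCII here) otherwise


class NtlmParseError(ValueError):
    """Raised for anything that is not a well-formed NTLMSSP token."""


def _field(blob, pos):
    """Read a (Len, MaxLen, BufferOffset) security buffer and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    if offset + length > len(blob):
        raise NtlmParseError("security buffer points outside the message")
    return blob[offset:offset + length]


def _text(raw, flags):
    """Decode a string buffer according to the negotiated character set."""
    if flags & NEGOTIATE_UNICODE:
        return raw.decode("utf-16-le")
    return raw.decode("ascii", errors="replace")  # OEM code page assumed ASCII


def parse_ntlm_header(header_value):
    """Parse the value of an Authorization / WWW-Authenticate header.

    Returns a dict with 'type' and 'flags'; Type 2 adds 'target', Type 3 adds
    'domain', 'user' and 'workstation'. A bare "NTLM" (the server's initial
    challenge with no token) is reported as type 0.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise NtlmParseError("not an NTLM header")
    token = token.strip()
    if not token:
        return {"type": 0, "flags": 0}
    try:
        blob = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise NtlmParseError("token is not valid base64") from exc
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        raise NtlmParseError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", blob, 8)[0]

    if msg_type == NEGOTIATE:
        if len(blob) < 16:
            raise NtlmParseError("truncated NEGOTIATE message")
        return {"type": NEGOTIATE, "flags": struct.unpack_from("<I", blob, 12)[0]}
    if msg_type == CHALLENGE:
        if len(blob) < 32:
            raise NtlmParseError("truncated CHALLENGE message")
        flags = struct.unpack_from("<I", blob, 20)[0]
        return {"type": CHALLENGE, "flags": flags, "target": _text(_field(blob, 12), flags)}
    if msg_type == AUTHENTICATE:
        if len(blob) < 64:
            raise NtlmParseError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", blob, 60)[0]
        return {"type": AUTHENTICATE, "flags": flags,
                "domain": _text(_field(blob, 28), flags),
                "user": _text(_field(blob, 36), flags),
                "workstation": _text(_field(blob, 44), flags)}
    raise NtlmParseError(f"unknown message type {msg_type}")


def safe_parse(header_value):
    """What a proxy should call: never raises, returns None for junk it cannot read."""
    try:
        return parse_ntlm_header(header_value)
    except NtlmParseError:
        return None


# --- constructed sample messages (not captured traffic) ----------------------
def build_type1(flags=NEGOTIATE_UNICODE):
    """Minimal NEGOTIATE_MESSAGE with empty domain/workstation buffers."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + b"\x00" * 16


def build_type3(domain, user, workstation, flags=NEGOTIATE_UNICODE):
    """Minimal AUTHENTICATE_MESSAGE; challenge-response buffers are left empty."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    items = [b"", b"", domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    fields, payload, offset = b"", b"", 64  # 64 = fixed header size before the payload
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags) + payload)


def to_header(blob):
    """Wrap a raw message the way it travels in an HTTP header."""
    return "NTLM " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    print(parse_ntlm_header(to_header(build_type3("CORP", "alice", "WS01"))))
```

The point for a proxy is that `safe_parse` returning `None` is a legitimate outcome (a token the proxy cannot interpret is simply passed through untouched), whereas a string search that assumes a "domain/user" form turns unexpected input into an exception on the request path.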


_______________________________________________
Owasp-webscarab mailing list
Owasp-webscarab@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-webscarab