Paros Proxy detailed tutorials - security-testing

Can anyone suggest, where to find out detailed tutorials on Paros Proxy, I mean how to test application with paros. The information provided in concern site is not enough as it suggest only its use, I want like how to put SQL injection or XSS etc. Please suggest some help. Thanks in advance.

As such, paros proxy does not have documented tutorials. Have you given it a try first?
To get things started, first of all configure your browser for a proxy at localhost and a port.
Now you would have to set a local proxy in Paros Proxy from Tools -> Options -> Local Proxy. Set the address & port to the values which were set in the browser.
Go to the "Trap" tab in Paros and tick the checkboxes "Trap Request" and "Trap Response".
Load the url of the website you are testing on the browser. This http request will be intercepted in Paros Proxy. Now you can change the parameters as you like for testing.
I would also suggest you to try ZAP Proxy as well. This has been forked out of Paros Proxy itself. It has a decent level of documentation as well.

You can find the details from the following PDF:
http://www.sela.co.il/_Uploads/dbsAttachedFiles/paros_user_guide.pdf

Related

How to write a program which would help me to access to data with https in URL

Recently I've been using python to access to web pages with http as the protocol but it is getting out of my hands to access to web pages which have https as their host.Please can someone help to learn the right procedure to solve this error.
It is a little bit easier, you must use the module requests to access url, but you must especify Not Secure in the settings of your requests.get line, use the argument verify=False
Use the following:
r = requests.get('https://m.facebook.com/josue.carranza.56884761', verify=False)

AppEngine authentication through Node.js

I'm trying to write a VSCode extension where users could log into Google AppEngine with a google account, and I need to get their SACSID cookie to make appengine requests.
So I'm opening a browser window at
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttp://localhost:3000/
(generated by google.appengine.api.users.create_login_url)
The user logs in and is redirected to my local webserver at
localhost:3000/_ah/conflogin/?state={state}
Now I try to forward the request to my AppEngine app (since it knows how to decode the state parameter), so I do a request to
https://my-app.appspot.com/_ah/conflogin/?state={state}
basically just replacing localhost with the actual app.
but it doesn't work, presumably because the domain is different. I assume this is on purpose, for security.
Is there any way I can make this work ?
Not ideal, but the only solution I've found is to have an endpoint on my GAE instance that does the redirection. Then I can set that as the continue url, when I'm starting the authentication process
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://my-app.appspot.com/redirect?to=http://localhost:3000
I think you should center the attention on the protocols you are using, since it’s known that the cookie name is based on the http protocol (HTTP : ACSID, HTTPS:SACSID), and that’s the security perspective till this point for me.
Having the error you are facing now would be helpful to understand the problem better. Also, how are you performing the call to the API and the code you are using would be helpful too.

SOAP UI not able to talk to Salesforce whereas browser can

I am not able to connect to https://test.salesforce.com/services/oauth2/token form SoapUI (ver 5.2.1). I have tried the PRO version and other older versions (4.6.xx) as well.
I can access the website from the web-browser. The GET to this URL gives me the response where as SOAPUI says HttpHostConnectException connection to https://test.salesforce.com/ refused.
I have checked that there is direct connection available from my PC to this address. I have tried adding https.proxyHost and https.proxyPort settings in soapui.vmoptions and sopaui.bat but of no use.
I have also tried playing around with Preemptive Authentication settings in SOAPUI without success
My organization has firewall which has white listed this address. I have also confirmed that firewall settings does allow to connect thru non standard clients (such as ApacheHttpClient).
If I use a Java Program using URLConnection using the proxy, it works.
At this point it seems to me that SOAPUI is not honoring the proxy settings.
Please share if anyone has similar experience and how did they resolve it.
Regards
Ash

location of $http.get('xxx/xxx/xxx', parameter)

I'm new to angularjs. I'm working on a angularjs project which was started by other ppl. In the code, some functions are defined as the format $http('url', parameters). The urls are something like 'abc/def/hijk'. I want to modify the functions but I cannot find the location of the urls. where can I find the source files given the links? thanks.
Is this more of an environment/domain question?
$http is just an angular core service for make http requests.
When you say
I want to modify the functions but I cannot find the location of the urls. where can I find the source files given the links?
That is a very open ended question. If for example my angular site is hosted at http://mysite.local and the links looks like $http.get('/someUrl', config), then I would visit http://mysite.local/someUrl to see what is there. If it is in fact connecting to the same domain then ping it.
ping mysite.local
Whatever IP address you get back you may be able to resolve the hostname
ping -a 192.168.0.80
If this was a windows machine you could rdc and check the iis instance, otherwise ssh and check whats hosting on port 80?
Essentially what I'm getting at is... we don't no where your predecessor may have stored source or what your environment is setup like but with some investigation you may be able to shed some light.

Silverlight and SSL Client Certificates

Can anyone point me in the right direction of how I can use SSL client-side certificates with Silverlight to access a restful web service?
I can't seem to find anything on how to handle them, or even whether they are supported.
Cheers.
Slipjig mentioned this:
"The browser stack does, and pretty much automatically, if you're willing to live with its other limitations (lack of support for all HTTP verbs, coercion of response status codes, etc.)."
If that is acceptable to you, look at how Microsoft themselves deal with this in some of their APIs using the custom X-HTTP-Method header, like how they do it for WCF and OData:
http://www.odata.org/developers/protocols/operations
In MSDN, Microsoft also mentions this about using REST in conjunction with SharePoint 2010's WCF based REST API:
msdn.microsoft.com/en-us/library/ff798339.aspx
"In practice, many firewalls and other network intermediaries block HTTP verbs other than GET and POST. To work around this issue, WCF Data Services (and the OData standard) support a technique known as "verb tunneling." In this technique, PUT, DELETE, and MERGE requests are submitted as a POST request, and an X-HTTP-Method header specifies the actual verb that the recipient should apply to the request. For more information, see X-HTTP-Method on MSDN and OData: Operations (the Method Tunneling through POST section) on the OData Web site."
Don Box's also had some words about this, but regarding GData specifically:
www.pluralsight-training.net/community/blogs/dbox/archive/2007/01/16/45725.aspx
"If I were building a GData client, I honestly wonder why I'd bother using DELETE and PUT methods at all given that X-HTTP-Method-Override is going to work in more cases/deployments."
There's an article about Silverlight and Java interop which also addresses this limitation of Silverlight by giving the same advice:
www.infoq.com/articles/silverlight-java-interop
"Silverlight supports only the GET and POST HTTP methods. Some firewalls restrict the use of PUT and DELETE HTTP methods.
It is important to point out that true RESTful service can be created (conforming to all the REST principles listed above) only using the GET and POST HTTP methods, in other words the REST architecture does not require a specific mapping to HTTP. Google’s GData X-Http-Method-Override header is an example of this approach.
The following HTTP methods overrides may be set in the header to accomplish the PUT and DELETE actions if the web services interpret the X-HTTP-Method-Override header on a POST:
* X-HTTP-Method-Override: PUT
* X-HTTP-Method-Override: DELETE"
Hope this helps
-Josh
It depends on whether you're using the browser HTTP stack or the client HTTP stack. The client stack does not support client certificates, period. The browser stack does, and pretty much automatically, if you're willing to live with its other limitations (lack of support for all HTTP verbs, coercion of response status codes, etc.).
I have however been running into a problem using the browser stack with client certificates in an OOB scenario. Prism module loading fails under these conditions - the request gets to IIS, but causes a 500 server error for no apparent reason. If I set IIS to ignore client certs, or if I run the app in-browser, it works fine :-/
take a look at this.
http://support.microsoft.com/kb/307267
just change your urls to https
hope this helps
Dim url As Uri = New Uri(Application.Current.Host.Source, "../WebService.asmx")
Dim binding As New System.ServiceModel.BasicHttpBinding
If url.Scheme = "https" Then
binding.Security.Mode = ServiceModel.BasicHttpSecurityMode.Transport
End If
binding.MaxBufferSize = 2147483647 'this value set to override a bug,
binding.MaxReceivedMessageSize = 2147483647 'this value set to override a bug,
Dim proxy As New ServiceReference1.WebServiceSoapClient(binding, New ServiceModel.EndpointAddress(url))
proxy.InnerChannel.OperationTimeout = New TimeSpan(0, 10, 0)

Resources