If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we've also ushered in a new year and in celebration SensePost is releasing source code for our in-house web proxy, Suru, under a BSD-style license.
When released in 2006, Suru introduced a number of unique features to the world of inline proxies including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements include timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own. Since then, most of these features have been incorporated into more full-featured commercial proxies, negating the need for Suru.
Internally, Suru use has dwindled and at this point the code is in maintenance-only mode. As such, it's being released to the world along with the rider that the software is end-of-life and unsupported.
Source code is available off the Suru webpage. Code will compile cleanly on VS 2005 though you'll need to add your own certificate in order to get SSL intercepts working.
Have a great year.
H said that there is a tool that will do the HTTP Mangler functionality out of the box.
So here goes. WebScarab-NG is the tool that will do the trick. First we select the feature that will allow us to setup the proxy listener as seen in the image below.
Then we need to configure the proxy listener to the ports etc we need as seen below.
And pretty instantly we have the HTTP Mangler functionality. Apparently this is going to become a feature of SURU as well!
So - here's the scenario.
Lohan is busy testing an application which uses remote web-services on a server called (example) www.target.com, but the program bypasses all proxy servers etc, making it impossible to trap and mangle requests.
So, we do the following:
1 - We make a note of the IP address of www.target.com (in this case, we'll assume it is 196.310.150.126 )
2 - Add a host entry in hosts, mapping www.target.com to 127.0.0.1
3 - Fire up a quick C# app written by yours truly which listens on 127.0.0.1:80
4 - Fire up a proxy server
5 - Configure the C# app to use proxy server 127.0.0.1:port of proxy
Now, the C# app does the following:
1 - Intercepts the HTTP request addressed to www.target.com
2 - Mangles the HTTP request to convert it into a proxied request (ie: Request "GET / HTTP/1.0" now becomes "GET http://188.8.131.52/ HTTP/1.0")
3 - Writes the request to the proxy server
4 - Writes the response back to the application
So, we're now able to intercept, fuzz, mangle etc all the requests and responses between the application and the web service. Not really rocket science, but rather handy...
The screenshot shows something similar, but using a web browser in place of the application here. I am using paros in this example because I am still doing large chunks of work on Suru...
A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to mess about duplicating an applications functionality at the protocol level.. Yesterday i had need to brute-force a web application which tried hard to be difficult and annoying..
This was quick and dirty, if i had more time i would have chosen to read the results and only screenshot results that didnt match "your credentials are invalid".. ahh.. for another day..
*** a word of warning.. AppleScript is described as "an English-like language used to create script files that control the actions of the computer and the applications that run on it." This english-like-ness makes it extremely obtuse at times..
In a subsequent version of the brute force, i wished to use the username from my list, and the users First Name as his password. Now this is an obvious call for a hash/dictionary/associative array.. The sparse documentation that i was able to find on AppleScript records did not appear to help me a jot (but this could just be poor google skills).
Instead i opted for saving the username and password as a ":" delimited string. I then split the string at runtime and submit as before.. ugly, but effective..
We are pleased to announce the release of Suru version 2.0, our MITM proxy.
Suru has now been rewritten to work with the .Net 2 runtime environment and includes all the features of the original 1.x stream, as well as numbers of enhancements and upgrades.
Features which have been added since the last 1.1 stable release include the following:
Please visit http://www.sensepost.com/research/suru for more information.