[OWASP-WEBSCARAB] security question
Ben
brtompkins at comcast.net
Wed Apr 13 12:46:43 EDT 2005
Great job guys!

BTW, I certainly hope that WebScarab is decrypting all (presumably) SSL-encrypted traffic, because I can read my bank account PIN number directly out of the log in clear text, but it did take me about 15 seconds to find it, duh: ...&pin=xxxx&...

But what if the SSL padlock was fake and all my personal data was really being sent in clear text? Would this elicit any sort of a warning from WebScarab, or at least an exception message of some sort? What would such an exception look like?

Also, since I'm too lazy to do the research, could someone just tell me which lines to cut out of the source code if I want to create a modified version of WS that doesn't issue all those irritating certificate mismatch warnings? I know that you can disable the warnings by adding WS to your trusted store, but some people might be intimidated by those warnings, and may not feel comfortable trusting WS, even for just one session.

TIA,
Ben Tompkins
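The two practical points in the message above (a secret like `pin=` being readable in the proxy log, and the question of whether anyone would notice if such a parameter travelled over plain HTTP instead of TLS) can be checked mechanically. The following is an added example, not code from this thread and not part of WebScarab; it assumes captured requests are available as `(url, body)` pairs and uses a constructed list of parameter names that look like credentials.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical list of parameter names that usually carry secrets (constructed).
SENSITIVE_PARAMS = {"pin", "password", "passwd", "pwd", "ssn", "cvv", "token"}

# Matches name=value at the start of a query/body or after ? or &, case-insensitively.
_SENSITIVE_RE = re.compile(
    r"(^|[?&])(" + "|".join(map(re.escape, sorted(SENSITIVE_PARAMS))) + r")=([^&]*)",
    re.IGNORECASE,
)


def cleartext_secrets(requests):
    """Return one finding per sensitive parameter that was sent over a scheme
    other than https, looking at both the query string and the request body."""
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        params += parse_qsl(body or "", keep_blank_values=True)
        for name, _value in params:
            if name.lower() in SENSITIVE_PARAMS and parts.scheme.lower() != "https":
                findings.append({"url": url, "param": name, "scheme": parts.scheme})
    return findings


def redact(text):
    """Mask the values of sensitive parameters before a URL or body is logged,
    so a PIN never reaches the log file in clear text in the first place."""
    return _SENSITIVE_RE.sub(r"\1\2=***", text)


# Constructed sample capture: same login, once over https and once over http.
SAMPLE_REQUESTS = [
    ("https://bank.example/login", "user=ben&pin=1234"),
    ("http://bank.example/login", "user=ben&pin=1234"),
    ("http://bank.example/index.html?page=2", ""),
]

if __name__ == "__main__":
    for f in cleartext_secrets(SAMPLE_REQUESTS):
        print(f"WARNING: '{f['param']}' sent over {f['scheme']} to {f['url']}")
    for url, body in SAMPLE_REQUESTS:
        print(redact(url), redact(body))
```

Only the second request produces a warning; the first carried the same `pin` but over TLS, which is the case the proxy is expected to handle. The redaction step answers the first complaint independently: the log line keeps the parameter name (useful for review) but not its value.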