[OWASP-WEBSCARAB] security question

Jad Boutros jad at google.com
Thu Apr 14 00:50:22 EDT 2005 

Hi Stephen,

One comment inline.

Cheers,
Jad

Stephen Venter wrote:
> Hi Ben
> 
> Since WebScarab is an intercepting proxy tool, it operates by
> terminating every individual request initiated by your browser (i.e.
> WebScarab is the destination site, at a base level, as far as the web
> browser client is concerned) and then it establishes an onward
> connection to the actual destination site by initiating a separate
> connection to that site (completely separate from the original
> connection from the browser client) - so as far as the destination web
> server is concerned, WebScarab is the browser client.
> 
> Anyway, what I am trying to say with all that waffle, is: YES, it is
> decrypting ALL the SSL-encrypted traffic coming from the target web
> server. In fact, it is decrypting it - i.e. into the clear text you
> see in the corresponding conversation log entry as the particular
> "Response" portion of a particular communication stream; and then
> re-encrypting it again in another (separate) communication stream
> which takes place between WebScarab and your browser client (Opera,
> IE, Firefox, etc).
> 
> In order to accomplish this, it needs to be able to communicate with
> your browser via SSL, and to accomplish that it needs to have an SSL
> certificate of its own to present to your browser when your browser
> wants to start an encrypted "conversation".
> 
> As far as I am aware (please correct me if I am wrong, Rogan) there
> isn't likely to be any code in the WebScarab program source code that
> you are going to be able to "modify" to stop that SSL alert that pops
> up each time you connect to an HTTPS site (via WebScarab). The reason
> for that alert which pops up is as a result of THE CODE IN THE BROWSER
> CLIENT program, not the code in WebScarab. This code is checking to
> see whether the SSL certificate's details match the target site you
> are browsing to (amongst other things) - which implements a necessary
> security check designed to help a user identify, for example, when
> their connection is being proxied through a man-in-the-middle tool,
> like WebScarab!  So that alert is there because, say you are browsing
> to https://www.paypal.com, but the SSL certificate that the browser
> sees says it comes from "WebScarab" (of course!) - and since the text
> string "www.paypal.com"  is NOT the same as the text string
> "WebScarab" you get this alert. Here is an example of the text taken
> from one such alert generated by my Opera browser:

You can replace the WebScarab default private key/certificate by 
substituting the server.p12 file inside the WebScarab jar file 
(webscarab.jar) with one containing your own private key/certificate.

There are instructions on how to do this in doc/certificates.html. I 
tried it and it worked for me.

If you have your own CA that you can import into the browser (for 
testing purposes only) and you create a private key/certificate for 
WebScarab with the same CN as the site you are testing, the browser will 
no longer show a warning. This assumes that you have a CA and that you 
are testing one site in particular (or sites under the same domain).

Removing the warning is not really useful on its own but there might be 
situations under which you need to assign WebScarab a valid certificate. 
  An example might be when you are proxying requests from a client that 
is not a browser but rather a stand-alone application (that say uses 
WinInet) and that will drop the connection when it fails to validate the 
server certificate (in this case the WebScarab certificate).

I believe this is too much info for Ben's original question - that you 
answered well - but I found it useful under some situations.

> 
> '- The server's name "www.paypal.com" does not match the certificate's
> name "WebScarab". Somebody may be trying to eavesdrop on you.
> - The root certificate from "WebScarab" is not known to Opera. Opera
> cannot decide if this certificate can be trusted.'
> 
> So Opera is warning me here that someone may be "eavesdropping" on my
> conversation / browser session - which is EXACTLY RIGHT! It is exactly
> why I put WebScarab there, "in the middle", to eavesdrop on the
> conversation, log it, and perform other more interesting things on it
> too! But I certainly wouldn't use it as a proxy when I go about my
> normal browsing business and when I do my normal transactions via the
> internet, etc
> 
> So I would say you SHOULD feel intimidated by those SSL alert pop-ups
> if you don't know why they are there.  However, hopefully this note
> will help enhance the understanding of the reasons for those alerts….
> And why they are EXPECTED when you use a man-in-the-middle proxy like
> WebScarab (as opposed to a "pass-through" proxy). Security testing, by
> its nature, is performing tasks that are considered "dodgy", so say
> the least, by "normal users" of the internet… which is when security
> testers start getting accused of being crackers / hackers ;-}
> 
> Cheers
> Steve
> 
> 
> On 4/13/05, Ben <brtompkins at comcast.net> wrote:
> 
>>Great job guys!
>>
>>BTW, I certainly hope that WebScarab is decrypting all (presumably)
>>SSL-encrypted
>>traffic, because I can read my bank account PIN number directly out of
>>the log in clear text,
>>but it did take me about 15 seconds to find it,  duh: ...&pin=xxxx&...
>>But what if the SSL
>>padlock was fake and all my personal data was really being sent in clear
>>text? Would this
>>elicit any sort of a warning from WebScarab, or at least an exception
>>message of some sort?
>>What would such an exception look like?
>>
>>Also, since I'm too lazy to do the research, could someone just tell me
>>which lines to  cut out
>>of the source code if I want to create a modified version of WS that
>>doesn't issue all those
>>irritating certificate mismatch warnings? I know that you can disable
>>the warnings by adding
>>WS to your trusted store, but some people might be intimidated by those
>>warnings,
>>and may not feel comfortable trusting WS, even for just one session.
>>
>>TIA,
>>
>>Ben Tompkins
>>
>>-------------------------------------------------------
>>SF email is sponsored by - The IT Product Guide
>>Read honest & candid reviews on hundreds of IT Products from real users.
>>Discover which products truly live up to the hype. Start reading now.
>>http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
>>_______________________________________________
>>Owasp-webscarab mailing list
>>Owasp-webscarab at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/owasp-webscarab
>>
> 
> 
>

More information about the Owasp-webscarab mailing list