[Owasp-delhi] Fwd: Thick client security testing

kishore kumar mindsec at gmail.com
Wed Aug 18 23:29:18 EDT 2010


Hi,

Using Echo Mirage one can send data more than the assigned buffer.
When Echo Mirage intercepts data, suppose say there is a parameter 'a'.
Normally we can change it to only 1 byte data like say 'b', '1' etc.
Instead of doing this, if you want to send more data than the assigned
buffer, I want to try injections in the parameter 'a'
Eg:  ' or 1=1--

so one can copy this from notepad or anywhere and go to Echo Mirage
interceptor and select the parameter in this case 'a' and say ctrl+v. Echo
Mirage asks you to select the data format, select Text the first option and
say OK. Now 'a' will be replaced with '' or 1=1--' .

Try this out and correct me if I am wrong.

On Wed, Aug 18, 2010 at 4:22 PM, ronnie johndas <ronnie.johndas at gmail.com> wrote:

> Hi Robin,
>
> These are some of the problems with the tool:
>
> 1. Multithread communication: many threads sending data makes it
> impossible to find the packet to edit,
> there may be one thread that works like a poller; if a timeout occurs on that
> thread because u are busy editing a value in a packet sent from some other
> thread, it halts the process.
>
> 2. U can only change values in the assigned buffer, if the intercepted data
> is 10 bytes u can't make it send 11 bytes.
>
> 3. Uses API hooking, because of that it is very crash prone.
> The best and reliable way is to put break points using a debugger on
> (ws2_32.dll) open and receive functions and edit the values before it sends,
> using a debugger all the three above problems get solved. Gives u leg space
> to inject ur data.
>
> Ollydbg, pydbg, immunity are good debuggers, u can write scripts in them to
> automate whatever ur trying.
>
> On Tue, Aug 17, 2010 at 6:09 PM, Robin Tiwari <tiwari.robin at gmail.com> wrote:
>
>>
>>
>>
>> Dear Padma;
>>
>> For the exe client, the Echo Mirage tool is best to intercept the data
>> from client to server. May I know what is issue with this tool with you?
>>
>>
>>
>>
>>
>>   On Tue, Aug 17, 2010 at 12:40 PM, <padmasriramiyer at hsbc.co.in> wrote:
>>
>>>
>>> Firstly thanks All for the quick responses.
>>>
>>> I tried Echo Mirage, wireshark and ITR, but scope became very limited. I
>>> would definitely try out the other options suggested.
>>>
>>> I found another tool JavaSnoop, but I think we can only snoop a jar file.
>>> My app is an exe client. Has anybody worked on it? Any suggestions about it?
>>>
>>>
>>> Best regards,
>>> *Padma Sriram Iyer*
>>> Senior Security Analyst
>>> GLT Information Security Risk
>>> HSBC Technology and Services - Global Technology
>>> _______________________________________________________________________
>>>
>>> Phone.     91 20 6642 2285
>>> Tieline.     71 91 20 2285
>>> Email.       *padmasriramiyer at hsbc.co.in* <padmasriramiyer at hsbc.co.in>
>>> _______________________________________________________________________
>>>
>>>
>>> From: Dharmesh M Mehta <Dharmesh.Mehta at mastek.com>
>>> To: Padma Sriram IYER/ITD GLT/HSDI/HSBC at HSBC03, "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
>>> Date: 17/08/10 04:47 PM
>>> Subject: RE: [Owasp-delhi] Thick client security testing
>>> ------------------------------
>>>
>>>
>>>
>>> Hi Padma,
>>>
>>> I have personally found Echo Mirage tool useful for security testing of a
>>> thick client application.
>>> Like a proxy tool for testing web application, Echo Mirage can be used to
>>> intercept and modify the request from the client to the server and perform
>>> most of your validation related attacks.
>>>
>>>
>>> Thanks & Regards,
>>>
>>> Dharmesh Mehta, CISSP
>>> Security Specialist - Technology Engineering & Consulting Group
>>> Mastek Ltd | MNDC, MBP Mahape, Navi Mumbai, India | (T) 91 22 6791 4646
>>> Extn - 5469 | Mobile: 91 9730002132
>>> *http://smartsecurity.blogspot.com* <http://smartsecurity.blogspot.com/>
>>>
>>> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] *On Behalf Of* padmasriramiyer at hsbc.co.in
>>> *Sent:* Tuesday, August 17, 2010 10:11 AM
>>> *To:* owasp-delhi at lists.owasp.org; owasp-delhi-bounces at lists.owasp.org
>>> *Subject:* [Owasp-delhi] Thick client security testing
>>>
>>>
>>> Hi guys,
>>>
>>> Can anyone please guide me how to proceed with security testing of Java
>>> application i.e. a thick client?
>>>
>>>
>>> Best regards,
>>> *Padma Sriram Iyer*
>>>
>>> ************************************************************
>>> HSBC Software Development (India) Pvt Ltd
>>> HSBC Center Riverside,West Avenue ,
>>> 25 B Kalyani Nagar Pune  411 006 INDIA
>>>
>>> Telephone: +91 20 26683000
>>> Fax: +91 20 26681030
>>> ************************************************************
>>> _______________________________________________
>>> Owasp-delhi mailing list
>>> Owasp-delhi at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>>
>>>
>>
>>
>> --
>> Thanks & Regards
>>
>> Robin Tiwari
>> Security Analyst
>>
>
>
> --
> Thanks and Regards
>
> Ronnie Johndas
> Application Security Analyst
> Honeywell Tech Solutions Lab
> Bangalore
>
> Blog:
> http://appsecbyre.blogspot.com/
>
>
>
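
Added example (not part of the original thread): the server-side view of the tampering discussed above, where the one-byte parameter 'a' is replaced in transit with a longer string. The table, handler names and the one-byte limit are assumptions made for illustration; the sample rows are constructed.

```python
import sqlite3

MAX_A_LEN = 1                # assumption: 'a' is a one-byte field in the client UI
PAYLOAD = "' or 1=1--"       # the test string quoted in the thread


def make_db():
    """Constructed sample data standing in for the server's back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (code TEXT, owner TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("b", "alice"), ("1", "bob"), ("z", "carol")])
    return db


def lookup_vulnerable(db, a):
    # Trusts the client: no length check, value concatenated into the SQL text.
    sql = "SELECT owner FROM items WHERE code = '" + a + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, a, enforce_len=True):
    # The client-side size limit is not a control: the value can be replaced
    # on the wire, so the server re-checks the field's contract itself.
    if enforce_len and len(a.encode("utf-8")) > MAX_A_LEN:
        raise ValueError("parameter 'a' longer than %d byte(s)" % MAX_A_LEN)
    # Bound parameter: the value is passed as data, never as SQL text.
    rows = db.execute("SELECT owner FROM items WHERE code = ?", (a,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, 'b'     :", lookup_vulnerable(db, "b"))
    print("vulnerable, payload :", lookup_vulnerable(db, PAYLOAD))
    print("bound only, payload :", lookup_hardened(db, PAYLOAD, enforce_len=False))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened, payload   :", "rejected -", exc)
```

A thick-client test that finds the first behaviour points to a server-side fix; changing the client alone does not address it.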