[Owasp-delhi] Fwd: Thick client security testing

ronnie johndas ronnie.johndas at gmail.com
Thu Aug 19 04:27:43 EDT 2010


Hi Kishore,

thanks for this very useful tip, it does work!! but strange they don't
allow this kind of edition when we type directly into the window, it simply
replaces it. And I never thought of doing a ctrl-V :).

I always thought why they have implemented such a functionality, because api
hooking does allow control over the buffer as well.


On Thu, Aug 19, 2010 at 8:59 AM, kishore kumar <mindsec at gmail.com> wrote:

> Hi,
>
> Using Echo Mirage one can send data more than the assigned buffer.
> When Echo Mirage intercepts data, suppose say there is a parameter 'a'.
> Normally we can change it to only 1 byte data like say 'b' , '1' etc.
> Instead of doing this, if you want to send more data than the assigned
> buffer,
> I want to try injections in the parameter 'a'
> Eg:  ' or 1=1--
>
> so one can copy this from notepad or anywhere and go to Echo Mirage
> interceptor and select the parameter in this case 'a' and say ctrl+v. Echo
> Mirage asks you to select the data format, select Text the first option and
> say OK. Now 'a' will be replaced with '' or 1=1--' .
>
> Try this out and correct me if I am wrong.
>
>
> On Wed, Aug 18, 2010 at 4:22 PM, ronnie johndas <ronnie.johndas at gmail.com> wrote:
>
>> Hi Robin,
>>
>> These are some of the problems with the tool:
>>
>> 1. Multithread communication: many threads sending data makes it
>> impossible to find the packet to edit.
>> There may be one thread that works like a poller; if a timeout occurs on
>> that thread because u are busy editing a value in a packet sent from some other
>> thread, it halts the process.
>>
>> 2. U can only change values in the assigned buffer; if the intercepted
>> data is 10 bytes u can't make it send 11 bytes.
>>
>> 3. Uses API hooking, and because of that it is very crash prone.
>> The best and most reliable way is to put breakpoints using a debugger on
>> (ws2_32.dll) open and receive functions and edit the values before it sends;
>> using a debugger all the three above problems get solved. Gives u leg space
>> to inject ur data.
>>
>> Ollydbg, pydbg, immunity are good debuggers, u can write scripts in them to
>> automate whatever ur trying.
>>
>>  On Tue, Aug 17, 2010 at 6:09 PM, Robin Tiwari <tiwari.robin at gmail.com> wrote:
>>
>>>
>>>
>>>
>>> Dear Padma;
>>>
>>> For the exe client, the Echo Mirage tool is best to intercept the data
>>> from client to server. May I know what the issue is with this tool?
>>>
>>>
>>>
>>>
>>>
>>>   On Tue, Aug 17, 2010 at 12:40 PM, <padmasriramiyer at hsbc.co.in> wrote:
>>>
>>>>
>>>> Firstly thanks All for the quick responses.
>>>>
>>>> I tried Echo Mirage, wireshark and ITR, but scope became very limited. I
>>>> would definitely try out the other options suggested.
>>>>
>>>> I found another tool JavaSnoop, but I think we can only snoop a jar
>>>> file. My app is an exe client. Has anybody worked on it? Any suggestions
>>>> about it?
>>>>
>>>>
>>>> Best regards,
>>>> *Padma Sriram Iyer*
>>>> Senior Security Analyst
>>>> GLT Information Security Risk
>>>> HSBC Technology and Services - Global Technology
>>>> _______________________________________________________________________
>>>>
>>>> Phone.     91 20 6642 2285
>>>> Tieline.     71 91 20 2285
>>>> Email.       padmasriramiyer at hsbc.co.in
>>>> _______________________________________________________________________
>>>>
>>>>
>>>> From: Dharmesh M Mehta <Dharmesh.Mehta at mastek.com>
>>>> To: Padma Sriram IYER/ITD GLT/HSDI/HSBC at HSBC03, "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
>>>> Date: 17/08/10 04:47 PM
>>>> Subject: RE: [Owasp-delhi] Thick client security testing
>>>> ------------------------------
>>>>
>>>>
>>>>
>>>> Hi Padma,
>>>>
>>>> I have personally found Echo Mirage tool useful for security testing of
>>>> a thick client application.
>>>> Like a proxy tool for testing web application, Echo Mirage can be used
>>>> to intercept and modify the request from the client to the server and
>>>> perform most of your validation related attacks.
>>>>
>>>>
>>>> Thanks & Regards,
>>>>
>>>> Dharmesh Mehta, CISSP
>>>> Security Specialist - Technology Engineering & Consulting Group
>>>> Mastek Ltd | MNDC, MBP Mahape, Navi Mumbai, India | (T) 91 22 6791 4646
>>>> Extn - 5469 | Mobile: 91 9730002132
>>>> http://smartsecurity.blogspot.com/
>>>>
>>>> *From:* owasp-delhi-bounces at lists.owasp.org *On Behalf Of* padmasriramiyer at hsbc.co.in
>>>> *Sent:* Tuesday, August 17, 2010 10:11 AM
>>>> *To:* owasp-delhi at lists.owasp.org; owasp-delhi-bounces at lists.owasp.org
>>>> *Subject:* [Owasp-delhi] Thick client security testing
>>>>
>>>>
>>>> Hi guys,
>>>>
>>>> Can anyone please guide me how to proceed with security testing of Java
>>>> application i.e. a thick client?
>>>>
>>>>
>>>> Best regards,
>>>> *Padma Sriram Iyer*
>>>> Senior Security Analyst
>>>> GLT Information Security Risk
>>>> HSBC Technology and Services - Global Technology
>>>>
>>>> ************************************************************
>>>> HSBC Software Development (India) Pvt Ltd
>>>> HSBC Center Riverside,West Avenue ,
>>>> 25 B Kalyani Nagar Pune  411 006 INDIA
>>>>
>>>> Telephone: +91 20 26683000
>>>> Fax: +91 20 26681030
>>>> ************************************************************
>>>>
>>>> _______________________________________________
>>>> Owasp-delhi mailing list
>>>> Owasp-delhi at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards
>>>
>>> Robin Tiwari
>>> Security Analyst
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>>  Thanks and Regards
>>
>> Ronnie Johndas
>> Application Security Analyst
>> Honeywell Tech Solutions Lab
>> Bangalore
>>
>> Blog:
>> http://appsecbyre.blogspot.com/
>>
>>
>


-- 
Thanks and Regards

Ronnie Johndas
Application Security Analyst
Honeywell Tech Solutions Lab
Bangalore

Blog:
http://appsecbyre.blogspot.com/
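
Added example, not part of the original thread or of any tool it mentions: a server-side view of the point that the size of a client's send buffer is not a control, since the one-byte parameter 'a' can arrive as `' or 1=1--`. The table, function names and sample rows are constructed for illustration.

```python
import sqlite3

PAYLOAD = "' or 1=1--"   # the string from the thread, pasted over the 1-byte field

def make_db():
    # Constructed sample table; 'code' stands in for the thread's parameter 'a'.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (code TEXT, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("a", "alpha"), ("b", "beta"), ("c", "gamma")])
    return db

def lookup_concat(db, code):
    # Weak form: assumes the client UI keeps the field to one byte and
    # builds the statement by string concatenation.
    sql = "SELECT name FROM items WHERE code = '" + code + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_hardened(db, code):
    # The server enforces the field's size and alphabet itself ...
    if len(code) != 1 or not code.isascii() or not code.isalnum():
        raise ValueError("code must be exactly one ASCII letter or digit")
    # ... and binds the value, so it is never parsed as SQL.
    rows = db.execute("SELECT name FROM items WHERE code = ?", (code,))
    return sorted(row[0] for row in rows)

def demo():
    db = make_db()
    results = {
        "concat_normal": lookup_concat(db, "a"),
        "concat_tampered": lookup_concat(db, PAYLOAD),
        "hardened_normal": lookup_hardened(db, "a"),
    }
    try:
        lookup_hardened(db, PAYLOAD)
        results["hardened_tampered"] = "accepted"
    except ValueError:
        results["hardened_tampered"] = "rejected"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```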