Questions tagged [http-proxy]

138 questions
6 votes, 1 answer
Working of SSH connection through Proxy
I have to configure my web browser's proxy to 172.18.10.1:3128 every time I want to connect to the internet from my college. Since I'm configuring a web browser's proxy, I believe that the proxy is an "HTTP Proxy" and the proxy server is able to accept…
asked by 7_R3X
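The mechanism the question is asking about, as an added example (this is not code from the question or from OpenSSH): a browser proxy speaks HTTP, SSH does not, and the bridge between them is the HTTP CONNECT method. The client asks the proxy for a raw TCP tunnel to host:port, the proxy answers with an HTTP status line, and if that status is 2xx every byte after the blank line is relayed verbatim in both directions, so the ordinary SSH handshake runs inside the tunnel. Whether the proxy allows CONNECT to port 22 at all is policy on the proxy side, not something the client can influence. The proxy replies and the target hostname below are constructed for this example.

```python
"""Added example, not from the question: an SSH session carried through a
forward HTTP proxy (the question's 172.18.10.1:3128) with the CONNECT method.
Replies used in __main__ are constructed; ssh.example.org is a placeholder.
"""
import base64
import socket
from typing import Optional, Tuple


def build_connect_request(host: str, port: int,
                          user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """The request an SSH client (or its ProxyCommand helper) sends first."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        # A proxy that demands credentials answers 407 and expects this header.
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str, bytes]:
    """Return (status code, reason phrase, bytes that followed the headers).

    Bytes after the blank line already belong to the tunnelled protocol (for
    SSH, the server's identification string), so they are returned rather
    than dropped; a real client must hand them to the SSH layer.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, rest


def tunnel_established(status: int) -> bool:
    """Any 2xx reply to CONNECT means the proxy opened the tunnel."""
    return 200 <= status < 300


def open_ssh_tunnel(proxy: Tuple[str, int], target: Tuple[str, int],
                    user: Optional[str] = None,
                    password: Optional[str] = None) -> Tuple[socket.socket, bytes]:
    """Open the tunnel for real; returns the socket plus any early SSH bytes."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(target[0], target[1], user, password))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    status, reason, early = parse_connect_response(buf)
    if not tunnel_established(status):
        sock.close()
        raise PermissionError(f"proxy refused CONNECT: {status} {reason}")
    return sock, early


if __name__ == "__main__":
    # Constructed proxy replies, so this runs without a proxy in reach.
    for reply in (b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_9.6\r\n",
                  b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"):
        status, reason, early = parse_connect_response(reply)
        state = "tunnel open" if tunnel_established(status) else "refused"
        print(status, reason, state, early)
```

On the command line the same exchange is what the OpenBSD variant of netcat performs for `ssh -o ProxyCommand='nc -X connect -x 172.18.10.1:3128 %h %p' user@ssh.example.org` (assuming that netcat variant is installed); a 403 or 407 from the proxy shows up as the helper exiting before the SSH banner arrives.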
6 votes, 1 answer
How do Lync and SSL inspection play together?
Whitelisting all Lync hostnames is cumbersome. Globally deactivating SSL inspection is undesirable. At a place I work for, they have SSL-inspection enabled on their proxy. All traffic to the Internet has to go via this proxy server. Most of the…
asked by Dog eat cat world
5 votes, 4 answers
Fiddler shows external requests not initiated by any legitimate process
While debugging my web application in Fiddler, I found out that there are some suspicious requests to some hotel sites, search requests to google.pl, etc. See below images. Strangely, there is no process displayed in Fiddler. It's definitely a virus.…
asked by Kiran Ambati
5 votes, 4 answers
Why is this response splitting attack not working?
I'm working through OWASP's "WebGoat" (version 5.4) vulnerable web application, but I'm getting stuck on one of the earliest lessons, which is to do with HTTP response splitting. I've looked in all the hints and the solution (and even at all the…
asked by Grezzo
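The mechanics behind that lesson, as an added example (this is not WebGoat's code, and the payload, path and parameter name are made up for illustration): a redirect handler copies a user-controlled value into the Location header unencoded, so a value carrying CR LF terminates the header block and lets the attacker append a second, fully attacker-controlled response. The parser below reads the bytes the way a downstream proxy or browser would and comes back with two responses instead of one. The hardened builder rejects control characters and percent-encodes the value; servers and proxies that sanitize header values on their own are one common reason such a lab exercise appears "not to work".

```python
"""Added example, not from WebGoat: HTTP response splitting, shown against a
toy redirect handler.  Paths, parameter names and the payload are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import quote, unquote


def vulnerable_redirect(lang: str) -> bytes:
    """Reflects `lang` into a header verbatim: the bug under test."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /index.jsp?lang={lang}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def safe_redirect(lang: str) -> bytes:
    """Hardened form: refuse control bytes, percent-encode everything else."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lang):
        raise ValueError("control character in header value")
    return vulnerable_redirect(quote(lang, safe=""))


def is_rejected(lang: str) -> bool:
    """True if the hardened builder refuses this value."""
    try:
        safe_redirect(lang)
    except ValueError:
        return True
    return False


def split_responses(raw: bytes) -> List[Tuple[str, Dict[str, str], bytes]]:
    """Parse `raw` as a sequence of HTTP responses delimited by Content-Length,
    i.e. the way a proxy or browser on the other side of the wire sees it.
    Parsing stops at the first chunk that does not start with a status line."""
    out = []
    while raw.startswith(b"HTTP/"):
        head, _, raw = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, raw = raw[:length], raw[length:]
        out.append((lines[0], headers, body))
    return out


# The value as the server sees it after URL-decoding the query parameter.
# It closes the 302 with an empty body and appends a whole second response.
PAYLOAD = unquote(
    "en%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2021%0d%0a%0d%0a%3Chtml%3EInjected%3C/html%3E"
)


if __name__ == "__main__":
    for status, headers, body in split_responses(vulnerable_redirect(PAYLOAD)):
        print(status, headers, body)
    print("hardened builder rejects payload:", is_rejected(PAYLOAD))
    print(safe_redirect("en"))
```

The injected second response carries its own Content-Length, which is what makes the split clean; a proxy that caches the attacker's 200 under the redirect's URL is the cache-poisoning variant of the same bug.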
5 votes, 3 answers
Burpsuite 1.5 initiating TLS Connection on their IP to Port 443. What is it?
I recently started using a security tool (Burpsuite 1.5) which has a free licence and a professional one. Upon downloading the free one from its vendor website (I am using BackTrack), I noticed within my Wireshark that every time I launch the tool,…
asked by Lex
5 votes, 3 answers
Does GOOD Dynamics Proxy comply with EU data legislation?
My client is excited about GOOD technology; it allows them to have controlled access to business applications & email from BYOD (bring your own devices) and will enable a more mobile workforce. Another department within the company has installed…
asked by RDS
5 votes, 3 answers
Is a company website secure against sslstrip if it doesn't use SSL on the homepage but SSL everywhere else?
Most ecommerce websites use SSL/TLS when you want to log in. But most have a homepage using HTTP only. Is it enough to have SSL/TLS on the login page and logged-in pages to prevent sslstrip?
asked by user310291
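The scenario the question describes, as an added example (not code from the question or from the sslstrip tool): a small in-process model with a site, a man-in-the-middle on the victim's network path, and a browser that follows links and keeps an HSTS cache. The hostname shop.example, the pages and the credentials are made up, and nothing touches the network. It goes one step further than the question by also running the "HTTPS everywhere" configuration, with and without the browser already knowing the site's HSTS policy.

```python
"""Added example, not from the question: an in-process model of an sslstrip
style downgrade against a shop whose homepage is plain HTTP and whose login
flow is HTTPS-only.  Hostname, pages and credentials are constructed.

Roles: Site serves pages; Attacker sits on the victim's path and can read and
rewrite plaintext HTTP but sees only ciphertext for HTTPS; Browser follows
links, honours redirects and keeps an HSTS cache.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[Dict[str, str], str]   # (headers, body)
HOST = "shop.example"


class Site:
    def __init__(self, https_homepage: bool):
        self.https_homepage = https_homepage      # False = the question's setup
        self.logins: List[str] = []

    def get(self, url: str, post: Optional[Dict[str, str]] = None) -> Response:
        u = urlsplit(url)
        hsts = {"Strict-Transport-Security": "max-age=31536000"} if u.scheme == "https" else {}
        if u.path == "/login":
            if u.scheme != "https":
                return {"Location": f"https://{HOST}/login"}, ""
            if post:
                self.logins.append(post["password"])
                return hsts, "Welcome back"
            return hsts, f'<form action="https://{HOST}/login" method="post">'
        if u.scheme != "https" and self.https_homepage:
            return {"Location": f"https://{HOST}/"}, ""
        return hsts, f'<a href="https://{HOST}/login">Log in</a>'


class Attacker:
    """Answers the victim's plain HTTP with a downgraded copy of the real
    HTTPS content; this is the loop sslstrip automates."""

    def __init__(self, site: Site):
        self.site = site
        self.captured: List[str] = []

    def relay(self, url: str, post: Optional[Dict[str, str]] = None) -> Response:
        if post and "password" in post:
            self.captured.append(post["password"])   # plaintext POST on the wire
        headers, body = self.site.get(url, post)
        while "Location" in headers:                 # swallow http->https redirects
            headers, body = self.site.get(headers["Location"], post)
        headers = {k: v for k, v in headers.items() if k != "Strict-Transport-Security"}
        return headers, body.replace("https://", "http://")   # the "strip"


class Browser:
    def __init__(self, site: Site, attacker: Attacker, hsts_preloaded=()):
        self.site, self.attacker = site, attacker
        self.hsts = set(hsts_preloaded)

    def fetch(self, url: str, post: Optional[Dict[str, str]] = None) -> str:
        u = urlsplit(url)
        if u.scheme == "http" and u.netloc in self.hsts:
            u = u._replace(scheme="https")           # upgrade before any packet leaves
        if u.scheme == "https":
            headers, body = self.site.get(u.geturl(), post)   # TLS: attacker cannot touch it
            if "Strict-Transport-Security" in headers:
                self.hsts.add(u.netloc)
        else:
            headers, body = self.attacker.relay(u.geturl(), post)
        if "Location" in headers:
            return self.fetch(headers["Location"], post)
        return body


def login_from_homepage(https_homepage: bool, hsts_preloaded=()) -> Tuple[List[str], List[str]]:
    """User types the bare hostname, clicks 'Log in', submits the form.
    Returns (passwords the attacker captured, passwords the site received)."""
    site = Site(https_homepage)
    attacker = Attacker(site)
    browser = Browser(site, attacker, hsts_preloaded)
    home = browser.fetch(f"http://{HOST}/")
    login_page = browser.fetch(re.search(r'href="([^"]+)"', home).group(1))
    action = re.search(r'action="([^"]+)"', login_page).group(1)
    browser.fetch(action, post={"user": "alice", "password": "hunter2"})
    return attacker.captured, site.logins


if __name__ == "__main__":
    print("HTTP homepage, HTTPS login only:", login_from_homepage(False))
    print("HTTPS everywhere, first visit:  ", login_from_homepage(True))
    print("HTTPS everywhere, HSTS known:   ", login_from_homepage(True, (HOST,)))
```

In the first two runs the login succeeds and the site receives the password, so the victim notices nothing; the attacker has it too. Only the third run, where the browser already holds the site's HSTS entry (from an earlier untampered visit or a preload list) before the first request goes out, leaves the attacker with nothing, because the upgrade to HTTPS happens before any plaintext exists to rewrite.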
5 votes, 1 answer
Can I use CloudFlare if I want to avoid NSA and FISA secret orders?
We're running a web service in Europe, secured with TLS and we're using private keys generated on our private hardware. We would like to use CloudFlare for DDoS protection and caching reverse proxy. However, putting my tinfoil hat on, I'm wondering…
5 votes, 1 answer
Disable or bypass SSL Pinning/Certificate Pinning on Android 6.0.1
Previously I have been able to bypass SSL Pinning by using the program JustTrustMe with the Xposed framework for nearly every app. https://github.com/Fuzion24/JustTrustMe However it has started to fail on more and more apps recently. The more I…
asked by Ogglas
5 votes, 3 answers
Reverse Proxy + WAF
As part of network design, I am implementing an HTTP reverse proxy as well as a WAF. The HTTP proxy, I am thinking about terminating SSL on either the outer firewall, so the WAF can inspect the layer 7 traffic. Outer Firewall --> WAF --> HTTP Proxy…
asked by user3853149
4 votes, 1 answer
Metasploit reverse_http(s) PAYLOAD for Linux target
During exploitation via Metasploit's browser_autopwn, I need to set a payload using an http or https channel on a Linux target. But there is no reverse_http(s) available in the Linux payload category. What can I use as payload for reverse http / https…
asked by Kartoch
4 votes, 4 answers
Intercepting AJAX request and response using BURP
I would like to intercept an AJAX request using BURP. I have used BURP for web application testing before. This, however, appears to be a weird case. I am not certain what I am missing here. The situation is: I have a web page, let's say:…
asked by qre0ct
4 votes, 2 answers
Long character sequence in first string of HTTP GET request breaks the web service's HTTP response. Buffer overflow?
During my current security audit test I've stumbled on something I can't possibly comprehend. The behavior exhibits signs of a buffer overflow in the target or in some intermediate service (HTTP proxy/IDS/IPS/firewall), but I haven't been able to…
asked by tis
4 votes, 2 answers
Now that CloudFlare offers potentially-insecure free SSL to all users, would a new HTTP header be useful?
I'm not sure where to post this, so I figured I'd just post it here. CloudFlare is now offering free SSL to all sites. There are two different types of SSL connections, however. There's "Flexible SSL" which runs HTTPS on the Client <=> CloudFlare…
asked by Dr. McKay
4 votes, 1 answer
Intercept traffic other than port 80 and 443 in Burp Suite
I am trying to intercept traffic on port 8000. For example, my application is running on abc.com:8000. I am unable to intercept this traffic in Burp Suite. How can I intercept this traffic in Burp?
asked by Airbourne