Trapping HTTP Requests and Responses with Python

In my last post I showed my own implementation of n HTTPS Man-in-the-middle proxy written from scratch in Python. I’ve spent great deal of time to make the proxy as programmer-friendly as possible. In this post I am planning to show how you can use the code to write your own proxies in the spirit of Burp, Paros, WebScarab, RatProxy, etc.

Why is this interesting? Well, it is interesting to Python developers/hackers only. [...]

more | comments | comments rss | posted by

Python SSL Mitm Proxy and More

Lately I’ve been busy with putting together a python module which allows me to create man-in-the-middle (MITM) HTTP Proxies with a programmer-friendly extension interface and support for SSL. This kind of proxies can be used for many things ranging from creating your own tampering proxies to hijacking network traffic via a transparent proxy connection.

I am quite pleased with the end result! [...]

more | comments | comments rss | posted by

Identity Theft Attacks

Work with the system rather against it. I have always been a big fan of this approach as it proved to be successful every time it was put into practice.

So you receive one of these phone calls. The girl on the other end presents herself as Jessica Smith. The company has to do something with financing. The conversation goes as usual. [...]

more | comments | comments rss | posted by

Submit Your Top Web Hacking Techniques for 2008

Jeremiah is calling all security researchers and hobbyists to submit their favorite Web hacking techniques released during 2008. There are some nice perks too. I say Sure!.

Although I don’t like the fact that there are judges appointed to select which one is the best one. Where did the democracy go? With all the vastly expressive, social technologies that we have today, we are still stuck with juries.

In a similar fashion, The Pwnie Awards lacks any reality, imho. [...]

more | comments | comments rss | posted by

Twitter’s Security is so Poor

…and there are a lot of privacy concerns too.

IMHO, the way the Twitter folks designed their system, is totally wrong. The one and only major concern is that 3rd-part software is allowed to communicate with Twitter’s API by using the user’s login credentials. This is a bit insane as you can imagine. Why would you want to share your username and password with someone you certainly don’t trust? [...]

more | comments | comments rss | posted by

Deep Inspection of Online Personas

I found myself a new online toy. It is called Pipl and it is all about finding people online. Obviously, the concept behind the tool is not new. There are other tools that does the same, but this one is incredible accurate and verbose. It is a must toy in the arsenal of any serious penetration tester/attacker.

Of course, I went ahead and looked up several people I know and various security researchers, etc. [...]

more | comments | comments rss | posted by

Happy New 2009

2008 is gone! Let’s welcome the brand new 2009. Happy New Year!

The GNUCITIZEN team wishes everybody a happy new year full of happiness and laughter. To all the security community we wish a successful and productive new 2009.

more | comments | comments rss | posted by

Thoughts on the Certificate Authority Attack presented at CCC

It turns out that the group of international researchers have created their own legitimate CA (Certificate Authority) which can be used to sign any other cert they want and as such increase the likelihood of success when performing SSL man-in-the-middle types of attacks.

It is pointless to explain how the attack works. Go over the presentation slides or get the video/audio. What I would like to do is to present some of my thoughts regarding the attack and its impact. [...]

more | comments | comments rss | posted by

Hijacking Innocent Frames

Magic tricks are all about suggestion, psychology, misdirection and showmanship (see Tricks of the Mind), or as Cutter perhaps will say, every magic trick has tree parts: the pledge (where the magician shows you something ordinary), the turn (where the ordinary becomes something extraordinary), and the prestige (where the extraordinary turns into something you have never seen before). [...]

more | comments | comments rss | posted by

Firefox Malware

You may have already heard of this, but there is a malware which goes around disguised as a Firefox extension. I have no details regarding the malicious code but to be honest, I am not surprised at all. In fact, I wonder why it took so long for the bad guys to figure that Firefox is an excellent malware delivery platform. Usually they are quicker.

A couple of months back, just before my BlackHat talk, I was planning to launch yet another of my experiments. [...]

more | comments | comments rss | posted by