Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
application security
Posted by: ceezax
Date: January 28, 2008 06:11AM

hi there

i have an online web application that do e-trade , you just have to enter the username and the password and it starts to authenticate the user

My question is how to intercept this authentication process? I need to know which authentication type it uses.

In other words, I need a proxy for intercepting the authentication process.

But for sure I can't use the Burp suite or Paros, as they are just configured to intercept anything that goes through the browser and not to intercept what goes through the application

So how can I realize which authentication type it uses? How can I intercept this process?

Re: application security
Posted by: ceezax
Date: January 28, 2008 06:19AM

Another question:

Can anyone tell me what this hash type is?

F0086D553791CFA6AFAD535099E72BC5B02D9552

Re: application security
Posted by: Anonymous User
Date: January 28, 2008 06:44AM

Looks like SHA1

Re: application security
Posted by: ceezax
Date: January 28, 2008 10:04AM

i need a reply for my 1st question

Re: application security
Posted by: thrill
Date: January 28, 2008 11:46AM

Quote

i need a reply for my 1st question

Pushy little fucker aren't you? Have you tried a sniffer?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: application security
Posted by: ceezax
Date: January 28, 2008 01:46PM

sure i did mr genius

all was encrypted

Re: application security
Posted by: thrill
Date: January 28, 2008 03:00PM

And the fact that it was encrypted didn't give you the hint that the client/server communication may be encrypted using SSL, and then whatever authentication method is used to authenticate the user runs on top of this SSL channel?

You remind me of this joke

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: application security
Posted by: donwalrus
Date: January 28, 2008 05:50PM

thrill,

love the joke...reminds me of a lot of people on a lot of different forums :-)

I may be dumb, but I'm slow...

Re: application security
Posted by: Anonymous User
Date: January 29, 2008 12:57AM

can i haz more nfo plz?

seriously, is it on https:// or plain http:// ?

Re: application security
Posted by: ceezax
Date: January 29, 2008 03:21AM

Seems that all here (thrill) just consider himself the master :S

Look thrill, if you just focused, I told you that it's an application and not an authentication done using a browser, so I did a man-in-the-middle attack, and if there is SSL used I think this was about to import me the certificate, which wasn't there.

Huh?? Have you any tricks, mr genius???

I need to know what authentication type runs when this software authenticates with the server??

Re: application security
Posted by: Anonymous User
Date: January 29, 2008 08:58AM

@ceezax:

No idea and I think even Google can't help you with yer most essential problems, huh??

http://www.google.de/search?q=%22communicating+for+dummies%22

Re: application security
Posted by: Anonymous User
Date: January 29, 2008 10:16AM

master?

Master of the universe to u, so much for this thread. :)

Re: application security
Posted by: thrill
Date: January 29, 2008 11:38AM

Actually, when it comes to webapp security I don't even think I qualify as a beginner. However, when I have a problem I cannot figure out, I don't just start demanding answers to my questions. And while I understand the customs might be different out there in Egypt, maybe it's about time someone introduced you to a saying we have here in the Western world: "You get more bees with honey than you do with vinegar".

I did read your post, and you said "i have an online web application that do e-trade " but then you said "intercept anything that goes through the browser and not to intercept what goes through the application".

Now this so called "application" which first you state runs through the browser and then you say it doesn't, could be running as a Java applet, calling some sort of DirectX module, or who knows, maybe it's running a DOS batch file in the background. You haven't specified WHAT it is, but yet you seem to think that we, as Masters, know exactly what you are talking about.

And yes, when you use language like " i need a reply for my 1st question" it definitely makes you sound as if you're demanding an answer rather than requesting one.

There are some incredibly smart people on these forums, but even they do not possess a crystal ball that will tell them exactly what it is that you are running, what type of encryption it runs, or what the next winning numbers for the lottery are. So if you have a question, try asking it as such. And try requesting help rather than saying you NEED it, because we all NEED 10 million dollars but you seem unable to help us out in that end.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: application security
Date: January 30, 2008 09:27AM

10 pts for thrill
0 pts for ceezax

Whenever someone asks me something and they are rude, or just don't know how to look up the info themselves when in most cases they can, I just send them here: http://fuckinggoogleit.com/ Problem solved =o)
