|
Posted by royend on October 27, 2007, 6:24 pm
If you were Registered and logged in, you could reply and use other advanced thread options
wrote:
> royend wrote:
> > I am doing some research for a school project on authentication at the
> > web and the risk for identity theft. How can unauthorized users misuse
> > your identity and get access to classified information.
>
> > For my research I have tried some programs which stops the TCP-package
> > with headers like HTTP/1.0 and infomation about data submitted by a
> > form e.g. password and username.
>
> > I have tried two web scanners:
> > 1. Burpsuite
> > which I managed to intercept packeges for HTTP 1.0 and hence was able
> > to read inserted username and password in plaintext. Still it wasn't
> > able to stop SSL-traffic, although it should be able to when turning
> > the "Use SSL"-parameter on.
> > 2. Nikto
> > which is supposed to be a great listener/scanner, but I have not been
> > able to make it work.
>
> > Is there any programs you would recommend which will handle SSL/TLS?
> > Would for instance a program like Ethereal be able to read packages
> > using SSL protocols?
>
> > Looking forward to your help.
>
> you want to decipher encrypted connections into plaintext ?
> if that's the case ... bugger off- Skjul sitert tekst -
>
> - Vis sitert tekst -
Wow...
not the kind of reply I was hoping for.
And no, I don't need a deciphering tool. What I want is a tool which
may scan for packages sent via SSL/TLS, like Burpsuite does with
HTTP1.0. This tool lets me read the headers (also possible to alter
them before sending them to server, but for my purpose it is only
necessary to read). Also, the project focuses on the vulnerability of
the web, and I am hoping to shove that even though SSL is implemented
the packages might be vulnerable to a Man-In-The-Middle-Attack (please
correct me if I am wrong), as the packages might be intercepted by an
attacker.
Any advice is appreciated for a tool which might help me prove it.
| 
XML site map