![5-Pack Premium Reusable LCD Screen Protector with Lint Cleaning Cloth for Apple iPhone 3G 8GB 16GB [Accessory Export Packaging]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sTsFtr_Kqb6HVGFYp-9_PQB-NWsJbzNiyyeH6VXFsp2C0nArDoJfzv0WanD75aixUx0IW1ZQJDi6PWMesNxK2YB5V-yXk1tyTooB7EW8m064oVRYtjIUa4albaxOFDRRD6EnEgB7z-BbHEIwFPQo2BnVyV3UXxKoXZJViXYc3zG8R6xRixMigoFJONsNv09I5z_gkos2S1i6WL9mGea8fnTBz-ujM8TxHu-A=s0-d)
An HTTP proxy server serves as a middle man between a web server and a web client(browser). It intercepts and logs all connections between them and in some cases can
manipulate that data request to test how the server will respond. This can be useful for testing
applications for various cross-site scripting attacks (provide reference link here), SQL Injection
attacks and any other direct request style attack. A proxy testing utility (SpikeProxy, WebProxy,
etc), will assist with most of these tests for you. While some have an automation feature, you
will quickly learn that it is actually a weak substitute for a real person behind the wheel of such
tools.
Exercise 1: Choose your software
1. Download a proxy utility
2. Install the software according to the README file
3. Change your browser setting to point to the new proxy
• This is usually port 8080 on localhost for these tools but read the
instructions to be sure.
 |
| Proxy Server |
Once the proxy server is installed and your browser is pointed at it, surf around the site your
testing. Remember, be sure to use a website that you have permission to test. Once you have
surfed around, point your browser to the proxy's admin page (for SpikeProxy, it
http://www.immunitysec.com/resources-freesoftware.shtml) and begin testing the site. From
the admin interface you can have the tool brute force the site's authentication methods or
test for cross-site scripting. (Actually, we recommend using Mozilla or Firefox and
http://livehttpheaders.mozdev.org/ and http://addneditcookies.mozdev.org/ together to
modify headers and cookies on the fly without the need for a seperate proxy port. Not only
does it really simplify things, it's a much more powerful tool set as we teach it in ISECOM's
OSSTMM Professional Security Tester class (OPST). But since you will need to know about
setting up proxies for other things, like ad and spam filters, privacy filters, etc. We thought you
should actually set one up for real and Spike is a good one to try.)
A proxy server can be a powerful tool in helping you determine how solid a web application
is. For penetration tests or vulnerability assessments, you must have a good proxy tool in your
toolbox. There are detailed tutorials available on using SpikeProxy at
http://www.immunitysec.com/resources-papers.shtml.
Protecting your server
There are several steps that can be taken to protecting your server. These include ensuring
that your software is always updated and patched with any security updates that are
available from the manufacturer. This includes ensuring that your OS and web servers are
updates as well. In addition, Firewalls and Intrusion detections systems can help protect your
server more.
No comments:
Post a Comment