WAMPT 2: PST SEC542 & SEC642 & SEC575 ( 1 · WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino...
Transcript of WAMPT 2: PST SEC542 & SEC642 & SEC575 ( 1 · WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino...
WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: [email protected]) 1
WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: [email protected]) 2
Notes: Proxy Tools• Burp Suite
o [1] HTTP/2 support: https://support.portswigger.net/customer/portal/questions/11690301-http2-supporto [8] WebSocket suport: Proxy interception and modification. WebSocket message replay and scanner are not supported.
• OWASP ZAPo [7] ZAP has been changed to support TLS 1.3, once Java supports it (Java 11? http://openjdk.java.net/jeps/332).
§ https://www.java.com/en/jre-jdk-cryptoroadmap.html
o [9] WebSocket Active Scan support: https://manosmagnus.github.io§ https://groups.google.com/forum/#!msg/zaproxy-develop/kAUD7XbIetQ/1OdbdRnKAwAJ
• mitmproxyo [2] Protocol support: (HTTP/2 & WebSocket) https://docs.mitmproxy.org/stable/concepts-protocols/
§ https://github.com/mitmproxy/mitmproxy/pull/883
• Charles Proxyo [3] HTTP/2 (v4.0+) & WebSocket (v3.11+): https://www.charlesproxy.com/documentation/version-history/
• Fiddlero [4] HTTP/2 support: https://fiddler.ideas.aha.io/ideas/FID-I-302
§ https://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/6264363-add-support-for-alpn-to-system-net-security-sslstr
WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: [email protected]) 3
Notes: Other Tools• Wireshark
o HTTP/2: https://wiki.wireshark.org/HTTP2
o WebSocket: https://wiki.wireshark.org/WebSocket
o QUIC: https://www.wireshark.org/docs/dfref/q/quic.html
o WebRTC: https://webrtc.org/testing/wireshark/
o TLS 1.3: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
• Curl:
o HTTP/2: https://curl.haxx.se/docs/http2.html
o [5] WebSocket: https://gist.github.com/htp/fbce19069187ec1cc486b594104f01d0
o [6] QUIC: https://github.com/curl/curl/wiki/QUIC
o TLS 1.3: https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/
WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: [email protected]) 4
Notes: Tools for Specific Protocols• HTTP/2
o nghttp2: https://nghttp2.org/documentation/nghttpx-howto.html (https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/testing-http2-only-web-services/)
o h2c: https://github.com/fstab/h2c
o h2i: https://github.com/bradfitz/http2/tree/master/h2i
o HTTPie: https://httpie.org & https://github.com/jakubroztocil/httpie (httpie-http2: https://github.com/httpie/httpie-http2)
• WebSocket
o wscat: https://github.com/websockets/wscat
o WebSocket fuzzer: https://github.com/andresriancho/websocket-fuzzer
• QUIC
o Caddy Proxy: https://github.com/dockhero/caddy-proxy (https://github.com/mholt/caddy - https://caddyserver.com)
o quic-proxy: https://github.com/jeffyang28/quic-proxy
• TLS 1.3
o Draft 28: https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/