WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: raul@dinosec.com) 1

WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: raul@dinosec.com) 2

Notes: Proxy Tools• Burp Suite

o [1] HTTP/2 support: https://support.portswigger.net/customer/portal/questions/11690301-http2-supporto [8] WebSocket suport: Proxy interception and modification. WebSocket message replay and scanner are not supported.

• OWASP ZAPo [7] ZAP has been changed to support TLS 1.3, once Java supports it (Java 11? http://openjdk.java.net/jeps/332).

§ https://www.java.com/en/jre-jdk-cryptoroadmap.html

o [9] WebSocket Active Scan support: https://manosmagnus.github.io§ https://groups.google.com/forum/#!msg/zaproxy-develop/kAUD7XbIetQ/1OdbdRnKAwAJ

• mitmproxyo [2] Protocol support: (HTTP/2 & WebSocket) https://docs.mitmproxy.org/stable/concepts-protocols/

§ https://github.com/mitmproxy/mitmproxy/pull/883

• Charles Proxyo [3] HTTP/2 (v4.0+) & WebSocket (v3.11+): https://www.charlesproxy.com/documentation/version-history/

• Fiddlero [4] HTTP/2 support: https://fiddler.ideas.aha.io/ideas/FID-I-302

§ https://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/6264363-add-support-for-alpn-to-system-net-security-sslstr

WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: raul@dinosec.com) 3

Notes: Other Tools• Wireshark

o HTTP/2: https://wiki.wireshark.org/HTTP2

o WebSocket: https://wiki.wireshark.org/WebSocket

o QUIC: https://www.wireshark.org/docs/dfref/q/quic.html

o WebRTC: https://webrtc.org/testing/wireshark/

o TLS 1.3: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779

• Curl:

o HTTP/2: https://curl.haxx.se/docs/http2.html

o [5] WebSocket: https://gist.github.com/htp/fbce19069187ec1cc486b594104f01d0

o [6] QUIC: https://github.com/curl/curl/wiki/QUIC

o TLS 1.3: https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/

WAMPT2: PST SEC542 & SEC642 & SEC575 (2018 © Dino Security SL - Raul Siles: raul@dinosec.com) 4

Notes: Tools for Specific Protocols• HTTP/2

o nghttp2: https://nghttp2.org/documentation/nghttpx-howto.html (https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/testing-http2-only-web-services/)

o h2c: https://github.com/fstab/h2c

o h2i: https://github.com/bradfitz/http2/tree/master/h2i

o HTTPie: https://httpie.org & https://github.com/jakubroztocil/httpie (httpie-http2: https://github.com/httpie/httpie-http2)

• WebSocket

o wscat: https://github.com/websockets/wscat

o WebSocket fuzzer: https://github.com/andresriancho/websocket-fuzzer

• QUIC

o Caddy Proxy: https://github.com/dockhero/caddy-proxy (https://github.com/mholt/caddy - https://caddyserver.com)

o quic-proxy: https://github.com/jeffyang28/quic-proxy

• TLS 1.3

o Draft 28: https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/