Hello,
I work as a software tester. I want to use a product called webproxy
2.1, a proxy server software that used to be made by a company called
@stake--now owned by Symantec.
I want to be able to intercept a page, then submit a page with an
option that doesn't exist on the page and see if I can get the
application to give me data that I am not authorized to see.
When I test the application normally (without the web proxy),
the application has an https address: https://XXXtest.company_name.com
I am redirected to: https://XXXtest.companyname.com/cleartrust/ct_logon_en.html
where I get an LDAP log in screen. After I put in my user name and
password, I am redirected to the splash screen for the application at:
https://XXXtest.company_name.com/xxx/splash.do
I've been able to install the application, change my LAN settings in
IE to use a proxy connection, and I've changed the proxy settings to
be:
127.0.0.1 with a port of 5111 for http and
127.0.0.1 with a port of 5112 for https
and I can then browse the internet through the web proxy software.
However, after I start the webproxy application and try to connect to
the https://XXXtest.company_name.com site, I get a "page not found"
message.
In terms of setup, I have installed the web proxy certificate
authority cert, as outlined in the readme information (see below).
I think the issue may be due to the fact that my company requires each
authorized user to obtain a digital cert from the company's server
before we can access the https address. That cert is installed on my
machine.
I've done a netstat -a command to see what ports are open on my
machine and it displayed the following entry when I have the https
connection open:
  Proto  Local Address       Foreign Address      State
  TCP    my_last_name1:3895  xx.xx.xx.xx:httpS    Established
When I connect via Internet Explorer to http://xx.xx.xx.xx, I receive
a security prompt that indicates:
"The web site you want to view requests identification. Please choose
a certificate."
Below that I have a cert shown with my name on it. When I click on
View Certificate, I see that the cert was issued to me and that "I
have a private key that corresponds to this certificate".
When I click OK, I am forwarded to a different application that uses
SSL and a password/login screen.
My company has annoying policies about not installing software unless
they bought it, reviewed it, etc, so I can't contact my company's help
desk for support.
Below is the read me file for the web application.
I have tried allowing it to ignore cert errors, but no luck.
What should I try next?
Introduction
@stake WebProxy is a tool for testing web applications from a browser.
It installs as an HTTP/HTTPS proxy, and allows monitoring and
manipulation of requests made by the browser to the web site.
Features
Intercept all browser requests (both HTTP and HTTPS)
On-the-fly editing of requests based on a matching regular expression
Re-submission and editing of previous requests
Regular expression substitution
Logging of requests and replies to files
Quashing of header parameters
Re-loading of previously logged session
Cookie management utilities
Automated fuzzing of request parameters
Spidering with form and error detection
Automated forced browsing to find known vulnerabilities and configuration errors
Windows NTLM authentication supported on all platforms
Edit requests with XML bodies for web services and other complex applications
Note: If you are using the evaluation version of WebProxy some
features of the full version are not available. To enable SSL support
and to edit more than the first 3 form fields you must purchase the
full version. More information is available on the WebProxy web site.
Installation
@stake WebProxy depends on Sun's JRE v1.4.1. If you chose the WebProxy
Installer with JRE, this is already installed. If not, you need to
install the JRE prior to using WebProxy. It is available at
http://java.sun.com/.
WebProxy works as a proxy between your browser and the requested web
site. It must be installed as an HTTP and HTTPS proxy in your browser
before you can use any of its features. By default, WebProxy sets up
an HTTP proxy at 127.0.0.1:5111, and an HTTPS proxy at 127.0.0.1:5112.
Follow your browser's instructions on how to set up a proxy, using
these port numbers. WebProxy has been tested with Netscape 4.79,
Netscape 6.2, Internet Explorer 5.5, and Internet Explorer 6.0.
After setting up your browser and starting WebProxy using the included
script file or batch file, navigate to http://webproxy/ to use
WebProxy's features.
Installing the WebProxy Certificate Authority Cert
In order to intercept HTTPS requests, WebProxy performs HTTPS
man-in-the-middle. The first time an HTTPS request is made to a
particular web site, WebProxy will generate a certificate for that
site. This certificate is used for the SSL socket between WebProxy and
the browser. In order for the browser to "trust" the
WebProxy-generated certificates, the WebProxy Certificate Authority
Cert must be installed as a trusted CA in your browser. To do this,
simply point your browser at http://webproxy/ and navigate to the
"Admin" screen. Under "Functions," there will be a button to "Install
WebProxy Cert." Click this, and follow your browser's instructions to
trust WebProxy as a Certificate Authority.
Saving the Current Configuration
To save the current configuration, including Global Properties,
Plugins loaded, Plugin properties, and Proxies enabled, click "Save
Config" in the "Admin" screen. This will overwrite the .webproxyrc
file with the current configuration.
Full WebProxy Documentation
Major Functions
RequestIntercept
RequestIntercept is used for on-the-fly editing of requests. If
RequestIntercept detects a request from your browser that matches any
of the regular expressions that you have configured, it will place you
into an editor screen, allowing you to modify the request before it is
sent to the server. As an example, you might configure
RequestIntercept to intercept the first two requests containing "POST"
to server www.atstake.com. RequestIntercept's web interface allows
easy administration of intercepts.
RequestFuzzer
RequestFuzzer is used to "Fuzz" a web page. Currently, it allows you
to select request parameters and have WebProxy populate the value with
strings that can cause errors to occur (for example, SQL reserved
characters, long strings, etc.). Similar to RequestIntercept, you
configure a regex-based match for requests. If WebProxy finds a
matching request, it places you into a RequestFuzzer screen. This
allows you to select parameters that you want fuzzed. Upon completion
of the fuzzing, you are placed in a results screen where you can view
the web server response. The fuzzstrings and error strings are
currently text files, so they can be modified at will. The
errorstrings file contains regular expression-based match strings.
Forced Browsing
WebProxy's Forced Browsing functionality performs a check for files
installed as part of common or default installations of web sites that
present a security risk. The Forced Browsing functionality provides
rapid verification of proper configuration of the website without any
potential for disruption of service.
Spider
WebProxy's Spider functionality allows a user to identify and log all
of the pages referenced from within a particular site, or page within
a site. The spider ensures complete testing of all locations within a
website, as well as providing a convenient source for connecting to
important functionality. The spider uses a multi-threaded engine to
recursively search all pages referenced from a single location. The
user can configure the depth of this searching and the number of parallel
searches, as well as restrict which hosts and/or domains are to be
examined.
RegexReplacement
RegexReplacement is used for passively modifying requests (and server
header responses) on the fly. Using RegexReplacement, you can
configure a regular expression that is replaced by a specified string.
You can also limit it to requests to a certain host, with a specific
count limit. In addition, you can require a secondary regular
expression that the request must match.
Quash
Quash strips out request headers. For example, if you want WebProxy to
strip out the "Referer" request header, you can use Quash to do this.
You can use WebProxy's monitoring capabilities to find headers that
you do not want web sites to receive from your browser, and configure
them using Quash.
FileWriter
FileWriter is used to log requests and responses to a file. To enable
log output, the "output-enabled" property must be set to true. It is
recommended that the "auto-filename" property also be set to true.
This causes WebProxy to rotate log files every hour, and organize the
log files into a different subdirectory for each day. (However, if
"auto-filename-host-based" is set to true in addition to
"auto-filename" the logs will be organized in a new directory for each
day, but the logs will be separated by host name.) Setting
"auto-filename" overrides the manual filename configured in
"output-filename." The location of the FileWriter logs is configured
with the "log-dir" property. It is not recommended that
"show-html-body" be set to true unless you want html in your log
files. Further, setting "hide-image-requests" to true will prevent
WebProxy from logging requests for images, significantly cutting down
on log file size.
RequestCache
RequestCache keeps a buffer of a specified ("requests-to-cache")
number of previous requests in memory. Other plugins, such as
RequestEditor, access this cache to allow editing or review of previous
requests. If "requests-to-cache" is set to -1, then WebProxy will
buffer all requests. Because it is eventually possible to run out of
memory in your JVM, it is recommended that you set this to a capped
number, such as 200. Capping this value will cause WebProxy to only
keep the specified number of requests in memory, discarding the oldest
requests as necessary. You can use "Show Cache" to view the requests
currently stored in memory. If you want to load a previous session
stored using FileWriter, you can enter the log location in the textbox
and click "Load FileWriter Output" to cache the previous session in
memory.
RequestEditor
RequestEditor is an after-the-fact version of RequestIntercept. It
allows you to choose a previous request from the RequestCache, edit
it, and re-submit it to the web site.
Utilities
The Utilities plugin has various conversion routines, such as BASE64
and URL Encoding. It can also calculate MD5 and SHA1 hashes. In
addition, it allows you to set and get cookies stored in your browser.
If you set a cookie, and want to do so for a domain, make sure you
specify a domain with a period at the beginning, like ".atstake.com"
and not "atstake.com" so as to properly set the cookie in your
browser.
Frequently Asked Questions
How does WebProxy's SSL man-in-the-middle work?
WebProxy installs as an HTTPS proxy in your browser. When your browser
goes to an HTTPS site, it sends a request similar to the following to
WebProxy:
CONNECT www.atstake.com:443 HTTP/1.0
This is typically interpreted by an HTTPS proxy as a request to tunnel
all subsequent traffic from the browser to www.atstake.com on port
443. This allows the browser to then negotiate SSL directly with the
server, with the proxy simply relaying traffic. This is different than
an HTTP request, where your browser asks the proxy directly for a web
page, and the proxy is responsible for communicating with the server.
So, HTTPS is usually "tunneled" and HTTP is "proxied."
Instead of tunneling the HTTPS traffic, which would result in one SSL
connection from your browser to the server, WebProxy provides
man-in-the-middle functionality. It creates two SSL connections. One
from the proxy to the server (www.atstake.com, in this case), and one
from the proxy to the browser. This allows the plaintext request to be
intercepted by WebProxy.
If the certificate for a web site using HTTPS does not match the
server (if the Canonical Name does not match the server name), most
browsers will pop up a dialog box warning of the certificate mismatch.
This would be the case with WebProxy if it used a single certificate
for negotiating HTTPS between the proxy and the browser. For example,
this certificate might have a CN=WebProxy. This CN would not match
www.atstake.com, giving annoying dialog boxes in your browser.
Obviously, WebProxy cannot get the private key for the real server's
certificate, so it can't truly impersonate the server. Instead, if you
don't want dialog boxes warning of certificate problems, you must
install WebProxy's Certificate Authority Cert. What this does is
install a certificate in your browser that establishes trust. If your
browser then receives a certificate that has been signed by this
Certificate Authority Cert, it will trust the signing authority and
assume the certificate is good (assuming the CN is equal to the host
name and the certificate is not expired). Thus, when you navigate to
an HTTPS site in WebProxy, WebProxy generates a new certificate with a
CN equal to the site name, and signs it with its internal Certificate
Authority Cert. This allows you to browse without annoying dialog
boxes.
Where is the WebProxy configuration stored?
WebProxy configuration is stored in a file called .webproxyrc. This
file must be located in the directory that WebProxy is launched from
in order for WebProxy to use it. The file is ASCII text and may be
edited by hand if you would like.
The .webproxyrc file contains a list of plugins to be loaded, settings
for the plugins, the proxies enabled, and other miscellaneous
configuration information.
I need to use a proxy. How do I configure proxy chaining?
If the Web application you are testing requires you to go through a
proxy, you will need to configure proxy chaining support. Edit the
.webproxyrc file manually (examples are provided for HTTP, HTTPS, and
SSH).
#addproxy httpthruproxy 6111 some.http.proxy 80 local
#addproxy httpsthruproxy 6112 some.https.proxy 80 local
#addproxy sshthruproxy 6113 some.https.proxy 80 ssh-destination.server 443 local
Uncomment the line for the type of proxy you are using and modify the
port and the proxy name. For example, to use an HTTP proxy at
proxy.company.com port 3128 you would create the line:
addproxy httpthruproxy 3128 proxy.company.com 80 local
Do I have to install Java to use WebProxy?
Yes. WebProxy is written in 100% pure Java, and requires JDK (or JRE)
1.4.1 from Sun. It will not work on a previous release of the JRE. You
can find the JRE at http://java.sun.com.
WebProxy was written in Java to provide cross-platform functionality.
It requires JRE 1.4.1 because this is the first release of the runtime
with built-in regular expression support. It also has built-in SSL
support, although this functionality was available as an add-on to
previous JREs.
How do I change the ports that WebProxy uses?
To change the ports that WebProxy uses for its HTTP and HTTPS proxies,
you must edit the .webproxyrc file. In this file you will find two
lines that tell WebProxy to start the proxies. They will look similar
to:
addproxy http 5111 local
addproxy https 5112 local
To change the ports, simply change 5111 and 5112 to the desired new ports.
How do I make WebProxy listen on a routable interface (not 127.0.0.1)?
If you remove "local" from the lines in your .webproxyrc file that
instruct WebProxy to load the proxies, they will listen to 0.0.0.0
(all addresses) instead of 127.0.0.1. This will allow you to use
WebProxy from a different system.
Can multiple users use the same WebProxy instance?
They can, but it is not recommended. WebProxy currently does not (and
may never) separate requests based on originating IP. Thus, all users
would share the same cache, plugins, etc., making using WebProxy
difficult. In addition, there is no security built in to WebProxy. Any
user that can connect to WebProxy can view the cache, change settings,
etc. Remember that WebProxy is a testing tool. Besides, WebProxy is
small and portable (due to the use of Java). It is most often easiest
for each user to use a locally-installed copy.
Is there any reason I shouldn't use WebProxy all of the time?
That depends. If you disable server certificate checking using the
"ignore-cert-errors" global setting, then WebProxy will allow you to
browse to sites that have invalid (expired, CN mismatch, or signed by
untrusted CA) certificates. This is somewhat of a security issue if
you use WebProxy for normal browsing, as you would have no errors if
you browsed to a site that had a bad certificate.
In addition, there are occasionally sites that do not function
properly with WebProxy. While the authors try to make WebProxy as
flexible as possible, this sort of thing happens (though not very
frequently). Also, WebProxy does not currently support keep-alive.
This can slow down web browsing.
Other than that, there isn't much of a reason not to use WebProxy all
of the time if you want to see what is going on "under the hood."
Does WebProxy support multi-part POSTs? What about
non-"x-www-form-urlencoded" POST content types?
Not currently, and not currently.
Are there any undocumented features in WebProxy?
Yes.
What OS/Browsers does WebProxy support?
WebProxy should work with any OS that has Sun's JRE 1.4.1 and a
browser that allows you to set both HTTP and HTTPS proxies. It has
been tested on Windows, Linux, and Solaris, with Netscape 4.79 and 6.2,
and Internet Explorer 5.5 and 6.0.
Troubleshooting
I'm having problems with <URL>. It uses HTTPS.
If you are having problems with a secure site that works in the same
browser without WebProxy running, try setting the global setting
"ignore-cert-errors" to true. This will ignore any problems with the
server's certificate. Also, try setting "server-SSLv3-only" to true.
Sometimes (very rarely) SSL negotiation between WebProxy and the
server will fail if WebProxy offers TLS. If these don't work, feel
free to contact support with the URL you tried. We will do our best to
help out. If nothing else, submit a description of the problem as best
as you can. The trial version of WebProxy does not support SSL.
I'm using Windows. WebProxy has halted and I can't browse anywhere.
WebProxy monitors all requests and prints the request header and
server response header to the terminal window that it was run in.
Under Windows, this terminal window is a "Command Prompt." If you put
the Windows Command Prompt window in "Select" mode, it will suspend the
process executing within it until you leave "Select" mode. ("Select"
mode is used to copy text from the Command Prompt to the clipboard.)
Make sure you are not in Select mode. Otherwise, WebProxy will be
suspended by Windows and you will be unable to browse. The Command
Prompt will say "Select" at the beginning of the title bar if you are
in select mode.
I'm trying to download a file using WebProxy. I click on it, and my
browser just sits there waiting for a response. Without WebProxy, this
returns immediately with a "Save As" dialog.
WebProxy caches the entire entity body before sending it back to your
browser. So, for example, if you are trying to download a 10MB file
through WebProxy, it will first download the entire file, before
sending the response to your browser. This is due to the current
architecture of WebProxy. Note that you will still retrieve the file,
but won't be prompted to save until the entire file is downloaded (so
you won't get a progress bar). Note that if you download a huge file,
it may cause your JVM to have memory errors, as there is a memory
ceiling (though this can be modified with arguments to the java
command line).
I used the "Edit Cookie" feature in the Utilities plugin, but it
didn't set my cookie.
One possibility is that the original cookie was not set for a specific
host, but rather for a network. In other words, there is a difference
between setting a cookie for "atstake.com" and ".atstake.com". The
former only sets the cookie for the host "atstake.com" but would not
set the cookie for "www.atstake.com". The latter, however, would
create a cookie that works on both hosts. In addition, if you set a
cookie for "atstake.com" but there is a cookie already in your browser
for ".atstake.com" with the same name, the cookie for ".atstake.com"
will override the one you just set. Therefore, be careful when you set
cookies. Make sure you are setting them for the right host or network.
I used the "Set Cookie" feature in the Utilities plugin, but it didn't
set my cookie.
If you tried to set multiple cookies this way, such as: "Foo=Bar;
Asdf=Qwerty", it will not work. You can only set one cookie at a time
using "Set Cookie". The "Edit Cookie" feature (available after using
"Get Cookie" for a host) allows you to set multiple cookies at once.
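
An added example, not part of the post or the WebProxy README: under the two-connection design the README describes, the proxy rather than the browser performs the TLS handshake with the server, so a server that requires client certificates is offered none on that connection. The Go program below reproduces both cases with throwaway certificates over an in-memory pipe; all host and certificate names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes a one-hour certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if parent == nil { // root: signs itself and is allowed to sign others
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverVerdict runs one handshake over a pipe and returns how the server's side ended.
func serverVerdict(server, client *tls.Config) error {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	s.SetDeadline(time.Now().Add(5 * time.Second))
	go func() {
		tls.Client(c, client).Read(make([]byte, 1)) // handshake, then keep reading
	}()
	return tls.Server(s, server).Handshake()
}

// Scenario returns the server's verdict for a direct browser and for a proxy's upstream leg.
func Scenario() (direct, viaProxy error) {
	ca := issue("ca.example.test", nil)
	site, user := issue("app.example.test", &ca), issue("tester.example.test", &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server := &tls.Config{Certificates: []tls.Certificate{site}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	// Tunneled CONNECT: the browser speaks TLS to the server and signs with its own key.
	browser := &tls.Config{RootCAs: pool, ServerName: "app.example.test", Certificates: []tls.Certificate{user}}
	// Interception: the upstream session is the proxy's, and it lacks the user's private key.
	proxy := &tls.Config{RootCAs: pool, ServerName: "app.example.test"}
	return serverVerdict(server, browser), serverVerdict(server, proxy)
}

func main() {
	direct, viaProxy := Scenario()
	fmt.Printf("direct: %v\nvia intercepting proxy: %v\n", direct, viaProxy)
}
```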
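
Also added here, not part of the README: a check over a .webproxyrc that lists the active addproxy lines and flags those without the trailing "local", which the README says makes the proxy listen on 0.0.0.0 with no access control of its own. The sample file is constructed from the line formats shown above, and treating the first number after the proxy type as the listening port is an assumption based on the README's http/https lines.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the line format the README shows; not a real configuration.
const sampleRC = `addproxy http 5111 local
addproxy https 5112
#addproxy httpthruproxy 6111 some.http.proxy 80 local
addproxy httpthruproxy 3128 proxy.company.com 80 local
`

// Listener describes one active addproxy line.
type Listener struct {
	Line int    // 1-based line number in the file
	Kind string // http, https, httpthruproxy, ...
	Port string // first field after the kind (assumed to be the listening port)
	Bind string // 127.0.0.1 if the line ends in "local", else 0.0.0.0
}

// ParseListeners returns every addproxy line that is not commented out.
func ParseListeners(rc string) []Listener {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(rc))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0] != "addproxy" { // skips blanks and "#addproxy ..." comments
			continue
		}
		l := Listener{Line: n, Kind: f[1], Port: f[2], Bind: "0.0.0.0"}
		if f[len(f)-1] == "local" {
			l.Bind = "127.0.0.1"
		}
		out = append(out, l)
	}
	return out
}

// Exposed keeps the listeners that accept connections from other hosts.
func Exposed(all []Listener) []Listener {
	var out []Listener
	for _, l := range all {
		if l.Bind != "127.0.0.1" {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	for _, l := range Exposed(ParseListeners(sampleRC)) {
		fmt.Printf("line %d: %s proxy on port %s listens on %s\n", l.Line, l.Kind, l.Port, l.Bind)
	}
}
```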