A lot of web applications use port 80 and 443, but don’t necessarily speak HTTP or live inside a web browser. Many of these web apps utilize rich content and compiled code, such as Flash/ActiveX/Java, that have the ability to open their own TCP sockets to remote servers, by-passing the browser’s network stack and any HTTP proxy the browser is configured to use.

All the JVMs I’ve used do let you specify a proxy for an applet to use, but in my experience, this process is sometimes a little clumsy. On top of that, this only helps if the applet is speaking HTTP, or some other known protocol for which a proxy exists.

Putting browser based applications aside for a moment, fat client applications (including those on mobile devices) will utilize port 80/443 as a sure-fire way through the firewall, even if they aren’t using a standard protocol like HTTP or SOAP/WS-Security.

WireShark, tcpdump, and other network sniffers can be helpful in these situations where you can’t get application data easily routed through a proxy. However, the ability to replay or modify data on the fly between the client/server is still a challenge. Add SSL encryption to the scenario, and typically you are S.O.L.

What we need is a socket based TCP proxy with SSL support. Such a proxy would capture traffic at the network layer, identify common protocols and accumulate requests/responses for MITMing, but also stream proprietary protocols while providing a mechanism for altering/fuzzing data on the fly.

Tools like WebScarab/Paros/Burp are great at what they do. But as soon as an application strays from a common protocol (security through obscurity anyone?) these tools lose some of their value.

I already have a proof-of-concept tool that has been invaluable to us in some recent pen-testing. Now, the plan is to tighten up the loose ends, add some features, and make it available for others to use.

I’d definitely be interested to hear what anyone has to say about such a tool. Do you think it would help you? Is there already something similar out there? Leave your comments below.

-Schmoilito