
BurpSuite & ZAP Bypass Proxy

I wanted to write this tutorial for anyone who gets stuck in a similar situation.

I was security testing a website with Burp Suite and kept running into SSL handshake failures. That made no sense at first: Burp Suite runs on Java, and I had the latest version of Java installed. Burp's alerts reported the handshake failures and recommended installing the JCE Unlimited Strength Jurisdiction Policy files. It turned out the site only accepted VERY strong cipher suites (a very good thing) and offered no medium-strength or outdated ones at all.

Now, those suites are not so much missing from Java as locked out of it: a stock JRE ships with the restricted JCE policy, which caps AES at 128-bit keys, so a server that only offers AES-256 suites leaves a Java client nothing it is allowed to negotiate and the handshake fails. That is what Burp's alert about the Unlimited Strength Jurisdiction Policy files is pointing at.

So I had to find another way to keep using Burp Suite while still completing a proper SSL handshake with those strong ciphers. I turned to a similar product, OWASP ZAP. It is a great tool, and I used it back when I did not have the funds to buy Burp Suite. What I realised was that I could keep working in Burp Suite and let ZAP handle the connection to the server for me. For whatever reason ZAP negotiated the strong ciphers without failing the handshake, so I could route the traffic as:

 Browser -> Burpsuite -> ZAP -> Webserver
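Wiring that chain up, as an added example that is not from the original post: the shell functions below first confirm the diagnosis (a JRE with the restricted JCE policy reports a 128-bit cap for AES, the unlimited policy reports 2147483647), then check what the server will actually accept, then write a Burp config that moves Burp's listener to 8081 and forwards every destination to ZAP on its default port 8080. Host names, ports and the paths to zap.sh and burpsuite.jar are placeholders, and the JSON field names come from a Burp project-options export rather than a documented interface, so compare them with an export from your own Burp version before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: the host/port
# arguments, /path/to/chain.json, and zap.sh / burpsuite.jar being on PATH
# or in the current directory.

# 1. Is the JRE the limit? With the restricted JCE policy this prints 128;
#    with the unlimited policy it prints 2147483647 (Integer.MAX_VALUE).
#    jrunscript ships with JDK 8 (it was removed from later JDKs).
java_aes_limit() {
  jrunscript -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))'
}

# 2. What does the server accept? Enumerate its suites, then try to negotiate
#    an AES-256 suite by hand: "Cipher is ..." means success, "handshake
#    failure" means the server and this offer have nothing in common.
server_ciphers() {            # server_ciphers www.example.com 443
  nmap --script ssl-enum-ciphers -p "$2" "$1"
}
try_aes256() {                # try_aes256 www.example.com 443
  openssl s_client -connect "$1:$2" -cipher AES256 </dev/null 2>&1 \
    | grep -E 'Cipher is|handshake failure'
}

# 3. Browser -> Burp (8081) -> ZAP (8080) -> server. ZAP keeps its default
#    port; Burp's listener moves to 8081 and every destination ("*") is sent
#    upstream to ZAP. use_user_options=false makes this project-level server
#    list the one Burp uses. Field names as seen in a Burp project-options
#    export; verify against your own version's export.
burp_upstream_config() {      # burp_upstream_config /path/to/chain.json
  cat > "$1" <<'EOF'
{
  "project_options": {
    "connections": {
      "upstream_proxy": {
        "servers": [
          {
            "enabled": true,
            "destination_host": "*",
            "proxy_host": "127.0.0.1",
            "proxy_port": 8080,
            "auth_type": "none"
          }
        ],
        "use_user_options": false
      }
    },
    "proxy": {
      "request_listeners": [
        {
          "running": true,
          "listen_mode": "loopback_only",
          "listener_port": 8081,
          "certificate_mode": "per_host"
        }
      ]
    }
  }
}
EOF
}

# Start ZAP headless on 8080, then Burp with the config above.
start_chain() {               # start_chain /path/to/chain.json
  zap.sh -daemon -port 8080 &
  java -jar burpsuite.jar --config-file="$1"
}
```

Point the browser at 127.0.0.1:8081 as usual. Burp does not verify upstream server certificates by default, so the certificate ZAP generates for each host is accepted without complaint; keep ZAP on localhost so that default does not turn into an exposure of its own.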


Why No Padlock?

SSL Scanning Websites

Today I came across Why No Padlock, a website that runs a quick check of your site's HTTPS setup: whether the page and everything it loads are actually served over HTTPS, since a single insecure resource is enough to make the browser drop the padlock.

Anyone running a website should try it. It did find a few minor issues for us and gave some useful information along the way.

Our Results

Here are our results:

[Screenshot: whynopadlock results]

It looks good for us, especially since we force all of our internal links to use HTTPS.
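The core of a Why No Padlock check is whether an HTTPS page still pulls any sub-resource over plain http://, because that mixed content is what costs you the padlock. The shell function below is an added example, not part of the original post or of Why No Padlock itself, that runs the same kind of check offline against a saved copy of a page. It reports src= attributes (scripts, images, frames) and <link> hrefs (stylesheets) that use http://, and deliberately ignores ordinary <a href> links, which are navigation rather than content loaded into the page. The sample HTML used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   curl -sL https://www.example.com/ > page.html
#   mixed_content page.html
# Prints each distinct sub-resource URL fetched over plain http://.
mixed_content() {
  q="[\"']"   # an opening quote, either style
  {
    # scripts, images, iframes, media: any src= pointing at http://
    grep -oiE "src=${q}http://[^\"'>]+" "$1"
    # stylesheets and other <link> elements: only their href= counts
    grep -oiE "<link[^>]*href=${q}http://[^\"'>]+" "$1" \
      | grep -oiE "href=${q}http://[^\"'>]+"
  } | sed -E "s/^[A-Za-z]+=${q}//" | sort -u
}
```

No output means no mixed content in the saved page; the check is static, so resources injected by scripts at run time need a browser's console or the online tool to catch.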

I also wanted to show a bad result for comparison.


SSL Cert Options

SSL Certificates

To start off, I am going to break this post into several parts. This is part 1.

Lately I have been looking at the different SSL certificate options out there for applications and machines.

Let's face it: unless you are running a business, you may not see a certificate as worth much of an investment.

Personally, I think it is good practice that most people should adopt for everything.
I have seen some people complain that adding a layer of SSL hurts server performance.

In my opinion most machines these days are powerful enough to handle SSL, so I do not see that as a valid excuse at all.

The main reasons people avoid SSL are the cost, and not knowing how to set a certificate up properly.

My hope is to find a reliable CA that is also reasonably priced and affordable for the average blogger.

I found an interesting website that did an analysis of this a while back.

