Re: [Flashcoders] OT - packet modification in firefox
I actually figured out what was necessary a few hours back, and thanks for your comments. I felt like I was slapped in the head for not seeing the obvious. In my mind it is a man in the middle, because the proxy is simulating the server in one direction and the client in the other; however, I get what you are saying, considering I control how the client attempts its connection. Dave Watts wrote: OMG... I now know, or think I know, what you are talking about, and I am an idiot for not realizing it sooner. (should have realized it when you said "end point") The client exchanges keys and requests, while the proxy pretends to be the server in question, and the proxy pretends to be the client sending and receiving data to and from the real server; thus, enabling the man in the middle attack. Well, in your case, the client wouldn't have to use keys at all - it could talk to the proxy via HTTP. The proxy could, in turn, talk to the target server via HTTPS. This isn't really a MITM thing, when you do it like this. Only one question remains... what if the server and client will only accept the use of known certificates? Normally, in a true MITM situation, that would be a problem. In this case, it won't be a problem, as the server will present its certificate to the proxy, the proxy will accept it, and that will be that. If you're also using client certificates, that complicates things a bit, but based on your previous emails it's not clear whether that's the case - and with both the proxy and the client certificate installed on the same machine it still shouldn't be a problem, although I haven't tried using client certificates with Paros Proxy specifically. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
> OMG... I now know, or think I know, what you are talking about, and I am an > idiot for not realizing it sooner. (should have realized it when you said > "end point") > > The client exchanges keys and requests, while the proxy pretends to be the > server in question, and the proxy pretends to be the client sending and > receiving data to and from the real server; thus, enabling the man in the > middle attack. Well, in your case, the client wouldn't have to use keys at all - it could talk to the proxy via HTTP. The proxy could, in turn, talk to the target server via HTTPS. This isn't really a MITM thing, when you do it like this. > Only one question remains... what if the server and client will only accept > the use of known certificates? Normally, in a true MITM situation, that would be a problem. In this case, it won't be a problem, as the server will present its certificate to the proxy, the proxy will accept it, and that will be that. If you're also using client certificates, that complicates things a bit, but based on your previous emails it's not clear whether that's the case - and with both the proxy and the client certificate installed on the same machine it still shouldn't be a problem, although I haven't tried using client certificates with Paros Proxy specifically. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
[Flashcoders] Out of Office (was: Flashcoders Digest, Vol 20, Issue 6)
___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
Again, if you read my last message, I was thinking in terms that were overly overly complex. Didn't see the obvious. Thank you very much for pointing it out. Dave Watts wrote: From what you are saying, does FF3 not use its own implementation of ssl, and connects to the proxy first, where the open text is sent to the proxy, and the proxy is responsible for encrypting the data? If this is the case, then it solves most of my problems; however, I can only think of a few possible uses for this: custom network environments to increase available bandwidth; or to use different encryption methods for proprietary encrypted client server communication. Now that I am thinking clearly, is this the case? and if so, thank you very much for the suggestion. You'd have the proxy listen for HTTP requests, and send HTTPS requests. It's pretty simple, actually. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
OMG... I now know, or think I know, what you are talking about, and I am an idiot for not realizing it sooner. (should have realized it when you said "end point") The client exchanges keys and requests, while the proxy pretends to be the server in question, and the proxy pretends to be the client sending and receiving data to and from the real server; thus, enabling the man in the middle attack. Only one question remains... what if the server and client will only accept the use of known certificates? Anthony Pace wrote: Trying to think a little clearly here. From what you are saying, does FF3 not use its own implementation of ssl, and connects to the proxy first, where the open text is sent to the proxy, and the proxy is responsible for encrypting the data? If this is the case, then it solves most of my problems; however, I can only think of a few possible uses for this: custom network environments to increase available bandwidth; or to use different encryption methods for proprietary encrypted client server communication. Now that I am thinking clearly, is this the case? and if so, thank you very much for the suggestion. Anthony Pace wrote: I need to know; so if you have a doc that shows I am wrong about how FF3 encrypts the data, then, with all due respect and a hallelujah, it would be appreciated. Anthony Pace wrote: This is for a man in the middle attack where the attacker I theoretically wouldn't know the keys that the client and the server are exchanging. A proxy would only be able to monitor the stream, but it would not be able to decypher the data unless the handshake was faulty or the keys were small enough to break; however, if you know different, and I really mean it, if my logic is screwed and I need to know, please tell me. Thanks, Anthony Dave Watts wrote: I know I could create a proxy and run a filter on each request; yet, this would not allow me to modify the request before FF3 encrypts it. Yes it will. The proxy would serve as the SSL endpoint. Paros proxy does this quite easily, and there's plenty of documentation out there on how to use it, last I looked. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
Trying to think a little clearly here. From what you are saying, does FF3 not use its own implementation of ssl, and connects to the proxy first, where the open text is sent to the proxy, and the proxy is responsible for encrypting the data? If this is the case, then it solves most of my problems; however, I can only think of a few possible uses for this: custom network environments to increase available bandwidth; or to use different encryption methods for proprietary encrypted client server communication. Now that I am thinking clearly, is this the case? and if so, thank you very much for the suggestion. Anthony Pace wrote: I need to know; so if you have a doc that shows I am wrong about how FF3 encrypts the data, then, with all due respect and a hallelujah, it would be appreciated. Anthony Pace wrote: This is for a man in the middle attack where the attacker I theoretically wouldn't know the keys that the client and the server are exchanging. A proxy would only be able to monitor the stream, but it would not be able to decypher the data unless the handshake was faulty or the keys were small enough to break; however, if you know different, and I really mean it, if my logic is screwed and I need to know, please tell me. Thanks, Anthony Dave Watts wrote: I know I could create a proxy and run a filter on each request; yet, this would not allow me to modify the request before FF3 encrypts it. Yes it will. The proxy would serve as the SSL endpoint. Paros proxy does this quite easily, and there's plenty of documentation out there on how to use it, last I looked. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
> From what you are saying, does FF3 not use its own implementation of ssl, > and connects to the proxy first, where the open text is sent to the proxy, > and the proxy is responsible for encrypting the data? If this is the case, > then it solves most of my problems; however, I can only think of a few > possible uses for this: custom network environments to increase available > bandwidth; or to use different encryption methods for proprietary encrypted > client server communication. > > Now that I am thinking clearly, is this the case? and if so, thank you very > much for the suggestion. You'd have the proxy listen for HTTP requests, and send HTTPS requests. It's pretty simple, actually. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
I need to know; so if you have a doc that shows I am wrong about how FF3 encrypts the data, then, with all due respect and a hallelujah, it would be appreciated. Anthony Pace wrote: This is for a man in the middle attack where the attacker I theoretically wouldn't know the keys that the client and the server are exchanging. A proxy would only be able to monitor the stream, but it would not be able to decypher the data unless the handshake was faulty or the keys were small enough to break; however, if you know different, and I really mean it, if my logic is screwed and I need to know, please tell me. Thanks, Anthony Dave Watts wrote: I know I could create a proxy and run a filter on each request; yet, this would not allow me to modify the request before FF3 encrypts it. Yes it will. The proxy would serve as the SSL endpoint. Paros proxy does this quite easily, and there's plenty of documentation out there on how to use it, last I looked. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
This is for a man in the middle attack where the attacker I theoretically wouldn't know the keys that the client and the server are exchanging. A proxy would only be able to monitor the stream, but it would not be able to decypher the data unless the handshake was faulty or the keys were small enough to break; however, if you know different, and I really mean it, if my logic is screwed and I need to know, please tell me. Thanks, Anthony Dave Watts wrote: I know I could create a proxy and run a filter on each request; yet, this would not allow me to modify the request before FF3 encrypts it. Yes it will. The proxy would serve as the SSL endpoint. Paros proxy does this quite easily, and there's plenty of documentation out there on how to use it, last I looked. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] OT - packet modification in firefox
> I know I could create a proxy and run a filter on each request; yet, this > would not allow me to modify the request before FF3 encrypts it. Yes it will. The proxy would serve as the SSL endpoint. Paros proxy does this quite easily, and there's plenty of documentation out there on how to use it, last I looked. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
[Flashcoders] OT - packet modification in firefox
I am looking to intercept get/post requests in firefox, and I remember there was an add-on for FF2 that could do both; yet, I can only find one that allows editing of POST data, but not GET. I know I could create a proxy and run a filter on each request; yet, this would not allow me to modify the request before FF3 encrypts it. I am really hoping I don't have to go about writing my own add-on, or be forced to go back to FF2. Any help? this is very useful for auditing web applications. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] Recommendation for AS3 decompiler?
Thanks Anthony, very useful to know. BTW, I just noticed that the Mac version of SoThink's SWF Decompiler is at version 4.5, whereas the Windows version is now at 5.0. I need v5 to decompile AS3 code for FlashPlayer 10, so I'll run the Windows version under VMWare Fusion for now. On 2009-05-05 , at 23:40 , Anthony Pace wrote: When I have deleted the fla, I only have my swf, and I need to reuse a bit of code, sothink has come to the rescue quite a few times; however, I am on windows. If it has to be a mac, even though it crashes, I think sothink is your best bet. Gerry Beauregard wrote: Does anyone have a recommendation for a good tool for decompiling SWFs (and if possible SWCs) written in ActionScript 3? Must run on MacOS 10.5. I was considering buying the SoThink SWF Decompiler for Mac, but unfortunately it often crashes when I select an SWF I just built with Flex Builder 3, and even when it doesn't crash, the trial version doesn't display ActionScript code. Incidentally, I have no intention of ripping off anyone else's ActionScript code. Quite the contrary, I'm developing new code, and want to see what people using a decompiler would be able to figure out if I don't use obfuscation. If I conclude that obfuscation is necessary at all, I'll need a decompiler to evaluate obfuscation options... -Gerry ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] Recommendation for AS3 decompiler?
Hi, If you can run windows software, check out Burak's ASV - it's definitely worth the money and paying users can get access to the latest beta's of the AS3 decompiler... I find ASV really good for getting the AS code out and SoThink was good for "rescuing" movieclips from SWF's without FLA's... Glen Gerry Beauregard wrote: Thanks Anthony, very useful to know. BTW, I just noticed that the Mac version of SoThink's SWF Decompiler is at version 4.5, whereas the Windows version is now at 5.0. I need v5 to decompile AS3 code for FlashPlayer 10, so I'll run the Windows version under VMWare Fusion for now. On 2009-05-05 , at 23:40 , Anthony Pace wrote: When I have deleted the fla, I only have my swf, and I need to reuse a bit of code, sothink has come to the rescue quite a few times; however, I am on windows. If it has to be a mac, even though it crashes, I think sothink is your best bet. Gerry Beauregard wrote: Does anyone have a recommendation for a good tool for decompiling SWFs (and if possible SWCs) written in ActionScript 3? Must run on MacOS 10.5. I was considering buying the SoThink SWF Decompiler for Mac, but unfortunately it often crashes when I select an SWF I just built with Flex Builder 3, and even when it doesn't crash, the trial version doesn't display ActionScript code. Incidentally, I have no intention of ripping off anyone else's ActionScript code. Quite the contrary, I'm developing new code, and want to see what people using a decompiler would be able to figure out if I don't use obfuscation. If I conclude that obfuscation is necessary at all, I'll need a decompiler to evaluate obfuscation options... -Gerry ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] AS3: Inserting text into textInput field via code... can't do it?
You should be able to set the text of a TextFieldType.INPUT type TextField using "text" property as you are doing. Kenneth Kawamoto http://www.materiaprima.co.uk/ Carl Welch wrote: Hi, I need to place some text into a input text field - the user needs to be able to edit some text (from a database) and submit it back to a database. So far, though, I've been unable to pass any vars to the input textfield like this: datatext.text = database_vars; do I need to handle input textfields differently than a dynamic textfield? thanks. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders