Browsed by
Month: July 2016

Tools for testing HTTPoxy Vulnerability

I’ve developed a script that you can run on your server to test for the CGI HTTPoxy vulnerability. It’s available on my GitHub in a repository named HTTPoxy-Test-Tools. I’ve currently developed the script for Apache web servers, but I’ll be adding support for other web servers gradually.

Edit: Added IIS HTTPoxy Testing Tool: https://github.com/silverfoxy/HTTPoxy-Test-Tools/tree/master/iis_httpoxy

HTTPoxy Test Tools

This tool finds your web server’s CGI directory and adds a temporary file that returns the HTTP_PROXY environment variable. It then sends a GET request to this…

HTTPoxy vulnerability affecting CGI Applications

There’s this new vulnerability with a website [HTTPoxy.org] and a logo. Apart from the complete description that’s available at their official website, I’m going to walk you through it and give you some practical examples of abuse cases. I’ve also developed a tool that you can run on your servers which tells you whether you’re vulnerable or not.

What is HTTPoxy and how does it work?

HTTPoxy is the name of a vulnerability affecting CGI-based applications. This can affect…

Client Certificate Authentication, Configuring IIS To Authenticate Users Via Hardware Tokens

Preface

What is PKI? Wikipedia says: A Public Key Infrastructure (PKI) is a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

Is PKI all about public key cryptography? Not exactly, the emphasis is more on policies and procedures rather than the technology and math.

OK, what does this PKI thing look like? This system consists of different parties, namely the Certificate Authority (CA), the Registration Authority (RA)…
