I have an app that downloads a file from the internet over SSL, and our web server tracks downloads by logging the user agent string. With each update of the native app we modify the user agent string to include the version number, which lets us track how many people are using old versions of the binary. I want to verify that string before each release: the agent string contains an expected version number from the downloading app, so I should be able to check that it has the version number we expect before we deploy.

The app downloads the file over SSL on port 8000. The downloader does, however, have a test hook that lets us tell it to download from a URL we supply. One “could” automate this, but a few problems crop up, because obviously the downloader uses SSL so it cannot be hijacked; it checks a certificate chain. So a very lightweight and, in future, easy-to-automate test is called for, and that is why I’m going to share my solution later, which I’m pretty sure will be to use Burp.

I also need to learn more about security testing tools, and my security expert has asked me to use Burp and become more familiar with the huge bag of other things the tool can do. I have once used Charles, but found some sources of frustration, and probably need to use either BurpSuite (which is an OTT tool for many simple things like this) or Charles, I guess.

I’m tempted to write a small web server that just logs the string to stdout; good idea. I could spin up a “fully decent” web server, but that would suddenly not be a one-liner anymore. Yeah, because of various shortcuts forced by security concerns, the ability to run a true “integration environment” is infernally hard to set up, so I am dummying the “backend” that would normally log the user agent strings for us, and am running a simple Java or Python web server on the local machine instead.

I managed to get a good answer, and this took putting two things in place, so first I’m going to be very clear about my goal again, even if I did state it well in the beginning. Now for the tricky part, where I write a simple tutorial on how to test using Burp/Portswigger. And then, because I want to give you a full “lego-box”, I’m going to give you some easy-to-run code that will do the same thing. I’m going to let you all know what I did in the end, but am glad to know I was not struggling alone.
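As an added example (not the post’s own code), here is a Python stand-in for that dummy backend: a local HTTP server that logs each download’s User-Agent to stdout, plus a check that the header carries the version we are about to ship. It assumes a constructed header layout of `MyDownloader/<version>`, listens on a free loopback port rather than 8000, and speaks plain HTTP, so the app’s test-hook URL would have to point at it.

```python
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent layout, assumed for this example only: the app
# announces itself as "MyDownloader/<version>" somewhere in the header.
UA_VERSION_RE = re.compile(r"MyDownloader/(\d+(?:\.\d+)*)")


def extract_version(user_agent):
    """Return the version number carried in the User-Agent, or None."""
    m = UA_VERSION_RE.search(user_agent or "")
    return m.group(1) if m else None


def check_user_agent(user_agent, expected_version):
    """True only when the header announces exactly the version being shipped."""
    return extract_version(user_agent) == expected_version


class LoggingHandler(BaseHTTPRequestHandler):
    """Serves a dummy payload and records every User-Agent it sees."""
    seen = []  # shared across requests; fine for a single test run

    def do_GET(self):
        ua = self.headers.get("User-Agent")
        LoggingHandler.seen.append(ua)
        print(f"download from {self.client_address[0]} user-agent={ua!r}")
        body = b"dummy payload\n"
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run_check(expected_version, user_agent):
    """Start the dummy backend, fetch once with the given User-Agent (standing
    in for the app's test-hook download) and verify the header that arrived."""
    server = HTTPServer(("127.0.0.1", 0), LoggingHandler)  # port 0: any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", port, timeout=5)  # no proxy lookup
        conn.request("GET", "/file.bin", headers={"User-Agent": user_agent})
        conn.getresponse().read()
        conn.close()
        return check_user_agent(LoggingHandler.seen[-1], expected_version)
    finally:
        server.shutdown()
        server.server_close()
```

A release gate would call `run_check("<expected version>", ...)` with the real app pointed at the server instead of the simulated client used here.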