
Showing posts from April, 2013

Proxy Chaining

The issue: During one assessment our ZAP proxy kept returning '401 Unauthorized' while we were trying to fuzz an application. The application used NTLM authentication, in which the client must send the domain name, the username, and a response computed from the user's password hash over a server-supplied challenge before the server will entertain the request. NTLM is the Windows challenge/response authentication protocol; for more on how it works see http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx . So we were not able to fuzz the parameters: every request came back '401 Unauthorized', for reasons we could not determine, even though we had supplied the Windows credentials to ZAP [Fig-1].

Fig-1

So we had no option other than trying other web proxies. We tried WebScarab and provided the Windows authentication via Tools -> Credentials [Fig-2]