Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve got a login page that uses HTTPS, however when I submit the credentials and intercept the request with the webscarab proxy sever, I can see the credentials in plain text, similar to the the second example in this OWASP article
Am I misunderstanding how HTTPS/Webscarab works? If I am intercepting a request being sent via HTTPS, shouldn’t the login credentials be encrypted in the request by the time the proxy server intercepts them?
As I understand, WebScarab is intended to be used as an explicit proxy, ie the browser must be purposefully configured to connect to it. At this point, the SSL handshake happens between the browser and WebScarab, so obviously WebScarab can read the data in clear text (you can think of it as the browser is instructed to thread WebScarab as the target host for each and every HTTP request)
Things work differently when you don’t set up a proxy by yourself. In this case, the SSL handshake is performed between you and the target host, so it doesn’t matter how many intermediate agents your HTTP request passes through, it can only be deciphered by the right one