问题描述
目前,我正在为Peach Fuzzing框架开发自定义HTTP发布器.
Currently I am working on a custom HTTP publisher for the Peach Fuzzing framework.
为了确定服务器是否以异常方式响应,我需要使用Wireshark(或Peach Framework中包含的PcapMonitor)检查解密的传入/传出程序包-为此,我需要以下SSL密钥:由C#HttpWebRequest生成(类似于 SSLKEYLOGFILE ),因为我试图对受SSL保护的RESTful网络服务进行模糊测试.
In order to determine if the server responed in an unusual way I need to examine the decrypted incoming / outgoing packages with Wireshark (or the PcapMonitor that is included in the Peach Framework) - to do that I need the SSL keys that are being generated by the C# HttpWebRequest (similar to the content of the SSLKEYLOGFILE) since I am trying to fuzz an SSL protected RESTful webservice.
如果无法获取密钥或非常困难-是否有其他方法可以查看原始HTTP请求/响应?
If it is not possible to get the keys or if it is very difficult - is there any other way to see the raw HTTP request / response?
谢谢!
推荐答案
只是找到了一种获取解密包的方法:
Just found a way to get the decrypted packages:
-
创建一个可通过Wireshark监视的环回接口
Create a loopback interface that can be monitored with Wireshark
创建一个反向代理(我使用了nginx)并将所有流量从"localhost"重定向到目标URL(https://)
Create a reverse proxy (I used nginx) and redirect all traffic from "localhost" to the target URL (https://)
告诉您的应用程序不要将请求发送到目标(https://),而是发送到localhost( http://localhost/)
Tell your application not to send the requests to target (https://) but to localhost (http://localhost/)
开始在回送界面上侦听并启动您的应用程序
Start listening on the loopback interface and start your application
希望这对处于类似情况的人很有帮助
Hope this is helpful for somebody in a similar situation
这篇关于如何获取https://C#HttpWebRequest的SSL密钥?(类似于浏览器环境变量SSLKEYLOGFILE)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!