Running WeBaCoo over HTTPS through proxy

Recently I got a bunch of emails asking how to run WeBaCoo against HTTPS websites. The current 0.2 version does not support the SSL/TLS protocols, but you can instead use the built-in proxy support combined with tools that offer proxy features (ZAP, Burp etc.). WeBaCoo can use a web proxy with HTTPS support to establish the secure connection with the web server, and then send its requests and receive the relevant responses through it. The rest of the article provides a case study using ZAP's proxy support.

 

Initially, ZAP is started and configured to run a localhost HTTP proxy on port 8080.

 

With the local proxy listening, WeBaCoo’s proxy support can be used to establish the secure connection with the remote web server.

root@testbed:~# ./webacoo.pl -t -u https://example.com/https_test.php -p 127.0.0.1:8080

 

And here are the requests & responses that ZAP captured:

 

 

 
A. Bechtsoudis