
Mallory - Mobile web application proxy ....and more

Security Tool Mobile Proxy


#1 eyecre8


Posted 10 December 2012 - 10:07 AM


Mallory is a transparent TCP and UDP proxy developed by the Intrepidus Group. It is an exceptional tool that should be a valuable part of any software security assessor's toolkit.
Some of you may have used web proxy tools such as Paros, Burp, or WebScarab to gain insight into the traffic flowing between your browser and a web server with great success.
You know how integral using a proxy is to a successful assessment, but what about on a mobile phone? The usual techniques don't apply when obtaining a proxy and placing it on a mobile platform. Until the recent development of Mallory, it's proven to be a difficult task at best.

You might be asking who would want to use a mobile proxy for intercepting traffic. Primarily IT Security professionals & Mobile App Developers.
The most common use of Mallory is towards Mobile App Assessments, Web Application Assessments, XSS testing, and Network focused attacks.
Supported platforms include: QUALCOMM/BREW, RIM, WinMo, iPhone, Android

Mallory can be used to get at those hard-to-intercept network streams & assess those tricky mobile web applications.
In more technical terms, Mallory is an extensible TCP/UDP man-in-the-middle proxy that is designed to be run as a gateway.

Mallory offers functionality above and beyond traditional tools for packet inspection.
The functions Mallory offers include the ability to pause, tamper with, and play data.
Mallory solves a problem faced by many application security folks, namely the ability to manipulate traffic to and from an application.
Several of the aforementioned proxy tools exist for solving this issue when dealing with web applications; however, these applications all rely on the use of a browser as a client.
The browser is typically configured to point to the proxy app as the HTTP gateway so it can intercept, inspect, and alter traffic between the browser and the web application server.
Without a browser, replicating this functionality is extremely challenging.


Mallory's GUI will be familiar to anyone who has used a proxy tampering tool like WebScarab or TamperData. Packet captures appear in the left-hand pane of the GUI and the right-hand pane shows the contents in a text box. The packet flow is paused while the content is displayed, allowing the user to alter the packet contents before clicking a button to forward the packet along its merry way.
There is an auto-forward button that continues to capture packets but automatically forwards them without manipulation.
This allows operators to observe a stream, then decide when to implement the capture and tamper function. The GUI also includes handy filtering functionality to zero in on traffic of interest.


Mallory also includes features that allow it to generate self-signed certificates on the fly. This allows Mallory to man-in-the-middle (MITM) SSL connections. The end user gets a warning about an invalid certificate, but if they accept it then Mallory automatically maintains two encrypted connections, one with the client and the other with the application server the client is attempting to connect to. The traffic between the two connections is unencrypted, however, allowing Mallory to observe the data and tamper with it. Although a feature to let Mallory attempt to degrade SSL connections does not currently exist, that may be in the works. This would allow Mallory to intercept SSL connection attempts and try to renegotiate them to previous versions of SSL, which are weaker and in some cases contain flaws.

  • Krazr and satman80 like this
My name is Eyecre8 and I approve this message!
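
An added example (not part of the original post and not Mallory's code) of the client-side defense against the on-the-fly certificate interception described above: the app pins the SHA-256 fingerprint of the server's certificate and drops the connection on a mismatch, instead of relying on the user to reject a warning. The byte strings and pin set are constructed for illustration, and pinning the whole leaf certificate rather than its public key is an assumption made to keep the example short.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server's certificate is not one of the pinned ones."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set) -> bool:
    """True only if the certificate's fingerprint is in the pinned set."""
    seen = fingerprint(der_cert)
    # Compare against every pin using a constant-time comparison.
    return any([hmac.compare_digest(seen, p.lower()) for p in pinned])


def connect_pinned(host: str, port: int, pinned: set, timeout: float = 10.0):
    """Open a TLS connection, then refuse it unless the leaf cert is pinned.

    Normal chain and hostname validation runs first, so a self-signed
    certificate already fails the handshake; the pin check additionally
    catches a proxy whose CA was installed as trusted on the device.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise PinMismatch(f"unexpected certificate presented for {host}")
    return tls


# Constructed stand-ins for DER certificates (not real certificates): what the
# genuine server presents, and what an intercepting proxy mints on the fly.
GENUINE_DER = b"constructed-der:CN=app.example.test;issuer=Example CA"
PROXY_DER = b"constructed-der:CN=app.example.test;issuer=self-signed"
PINS = {fingerprint(GENUINE_DER)}
```
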