
I've got a login page that uses HTTPS, however when I submit the credentials and intercept the request with the WebScarab proxy server, I can see the credentials in plain text, similar to the second example in this OWASP article.

Am I misunderstanding how HTTPS/Webscarab works? If I am intercepting a request being sent via HTTPS, shouldn't the login credentials be encrypted in the request by the time the proxy server intercepts them?

1 Answer

As far as I understand, WebScarab is designed to be used as an explicit proxy, i.e. the browser must be deliberately configured to connect to it. In that case the SSL handshake takes place between the browser and WebScarab, so obviously WebScarab can read the data in plain text (you can think of it as instructing the browser to treat WebScarab as the target host for every HTTP request).

Things are different when you do not set up the proxy yourself. In that case the SSL handshake takes place between you and the target host, so no matter how many intermediate proxies your HTTP request passes through, it can only be decrypted by the correct party.

answered 2012-08-16T15:34:52.930
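To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or the WebScarab project) of the second case: a minimal HTTP CONNECT tunnel proxy that does not take part in the TLS handshake. The browser sends `CONNECT host:443`, the proxy opens a TCP connection to the upstream and relays bytes verbatim, so the only things it can log are the request line and byte counts; the tunnelled bytes (which would be the TLS handshake and records) stay opaque to it. An intercepting proxy such as WebScarab differs in exactly one step: instead of relaying the bytes after the CONNECT, it performs its own TLS handshake with the browser, presenting a certificate the browser has been configured to trust, which is why it sees the plaintext. The hostname, payload and "server hello" bytes below are constructed stand-ins; the relay is deliberately one request/one response rather than a full bidirectional pump.

```python
import socket
import threading

# Constructed stand-in for what the browser would send inside the tunnel
# (in reality the TLS ClientHello and encrypted records). The marker text
# lets the demo show that the tunnel proxy never sees or logs the content.
SAMPLE_PAYLOAD = b"\x16\x03\x01" + b"secret-credential-bytes-inside-tls"
UPSTREAM_REPLY = b"\x16\x03\x03" + b"server-hello-stand-in"


def run_tunnel_proxy(listen_sock, upstream_addr, log):
    """Accept one client, parse its CONNECT request and relay opaque bytes.

    Only the request line and byte counts are logged: a non-terminating
    proxy has nothing else it can observe.
    """
    conn, _ = listen_sock.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                return
            request += chunk
        request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
        log.append(request_line)
        if not request_line.startswith("CONNECT "):
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        with socket.create_connection(upstream_addr) as up:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            # Simplified relay: one chunk client -> upstream, one chunk back.
            data = conn.recv(65536)
            up.sendall(data)
            log.append(f"relayed {len(data)} opaque bytes to upstream")
            reply = up.recv(65536)
            conn.sendall(reply)
            log.append(f"relayed {len(reply)} opaque bytes to client")


def demo(payload=SAMPLE_PAYLOAD):
    """Run upstream, proxy and client on localhost; return what each side saw."""
    upstream = socket.socket()
    upstream.bind(("127.0.0.1", 0))
    upstream.listen(1)
    proxy = socket.socket()
    proxy.bind(("127.0.0.1", 0))
    proxy.listen(1)
    log, upstream_seen = [], []

    def upstream_handler():
        # The "real" server: the only party that receives the tunnelled bytes.
        conn, _ = upstream.accept()
        with conn:
            upstream_seen.append(conn.recv(65536))
            conn.sendall(UPSTREAM_REPLY)

    t_up = threading.Thread(target=upstream_handler)
    t_px = threading.Thread(
        target=run_tunnel_proxy, args=(proxy, upstream.getsockname(), log))
    t_up.start()
    t_px.start()

    # The client plays the browser configured to use the proxy (constructed host).
    with socket.create_connection(proxy.getsockname()) as c:
        c.sendall(b"CONNECT login.example.test:443 HTTP/1.1\r\n"
                  b"Host: login.example.test:443\r\n\r\n")
        status = b""
        while b"\r\n\r\n" not in status:
            status += c.recv(4096)
        c.sendall(payload)
        reply = c.recv(65536)

    t_up.join()
    t_px.join()
    upstream.close()
    proxy.close()
    return log, upstream_seen[0], reply


if __name__ == "__main__":
    proxy_log, seen_by_upstream, seen_by_client = demo()
    print("proxy could log:", proxy_log)
    print("upstream received payload intact:", seen_by_upstream == SAMPLE_PAYLOAD)
    print("client received reply intact:", seen_by_client == UPSTREAM_REPLY)
```

Running `demo()` shows the proxy log holding only the CONNECT line and byte counts, while the upstream receives the payload unchanged; the marker string never appears in anything the proxy recorded. When checking whether an HTTPS session is being terminated by a proxy, the practical test is the same one this contrast implies: look at which certificate the client actually negotiated with, since a terminating proxy must present its own.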