So after about a minute of looking at HTTPS traffic with Wireshark, I knew it was time to either hook some browser calls with Immunity Debugger or, even better, take a look at oSpy. From the website: "oSpy is a tool which aids in reverse-engineering software running on the Windows platform".
It turns out oSpy already has built-in hooking for the send/recv calls in the right places, so HTTPS requests from a local browser show up in clear text.
So it became fairly easy to see exactly how this particular OFX service expected its XML data to be formatted.
OFX services are like WSDL-less web services. The OFX server registers with Intuit or Microsoft and publishes a request format; the client uses that to request the specific data format that all further requests must follow.
It's kind of an anonymous bind that returns a schema with instructions on how to perform an authenticated request. I guess this is due to the age of the specification, which allows a relatively closed architecture built around specific schemas for data transmission.
This is what I ended up using, along with Burp Intruder, to fuzz the unfriendly service.
import httplib
import re

# Optional HTTP proxy (Burp) to send the request through; set PROXYHOST to "" to go direct.
PROXYHOST = "proxy.webmonyz.net"
PROXYPORT = 8080
URL = "https://www.ofxserver.com:443/web/default.ofx"
HOST = URL.split('/')[2]

# Crude extraction of <TAG>value pairs from the SGML-style OFX reply.
regex = re.compile(r'<\w+>\w+')
headers = {"Content-type": "application/x-ofx", "Accept": "*/*", "Host": "ofx.ofxserver.com"}

# Anonymous profile request (PROFRQ): OFX 1.02 header block followed by the SGML body.
data = """\
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1389
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE
<OFX>
<SIGNONMSG>
<SONRQ>
<CLIENT>20080414141414.123[-4:EDT]
<USERID>anonymous
<PASS>anonymous
<GENKEY>N
<LANGUAGE>ENG
<FI>
<ORG>WEBMONYZ
<FID>4141
</FI>
<APPID>OLS
<APPVER>2600
</SONRQ>
</SIGNONMSG>
<PROFMSG>
<PROFTRNRQ>
<TRNUID>41E2E2B0-4E61-1320-C2C8-CE72D5B69086
<PROFRQ>
<CLIENTROUTING>MSGSET
<DTPROFUP>41414101
</PROFRQ>
</PROFTRNRQ>
</PROFMSG>
</OFX>
"""

if len(PROXYHOST) > 3:
    # Plain HTTP to the proxy; it sees the absolute https URL and opens the TLS leg itself.
    conn = httplib.HTTPConnection(PROXYHOST, PROXYPORT)
else:
    # Going direct, the URL is https, so the connection itself must be TLS.
    conn = httplib.HTTPSConnection(HOST)
conn.request("POST", URL, data, headers)
response = conn.getresponse()
print response.status, response.reason

data = response.read()
for c in regex.findall(data):
    print c
conn.close()
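The regex above only pulls <TAG>value pairs out of the reply. As an added example (not code from the original post), here is a small Python 3 parser for the OFX 1.x SGML format the post describes: a KEY:VALUE header block, then a body where a leaf element's value follows its tag on the same line and the closing tag is optional. It is run over a constructed PROFRS reply (server name, URL and IDs are made up) to list the message sets and security settings that the anonymous profile request reveals.

```python
import re

TAG = re.compile(r"<(/?)([A-Za-z0-9.]+)>([^<]*)")   # <NAME>value or </NAME>

def parse_ofx(text):
    """Parse an OFX 1.x (SGML) document into (header_dict, body_dict).
    Leaf values follow their tag; </LEAF> is optional, aggregates are closed."""
    head, sep, body = text.partition("<OFX>")
    header = dict(l.split(":", 1) for l in head.splitlines() if ":" in l)
    stack = [("ROOT", {})]                    # (element name, dict being filled)
    for closing, name, raw in TAG.findall(sep + body):
        cur = stack[-1][1]
        if closing:
            if name in cur:                   # optional </LEAF> after a value
                continue
            while stack[-1][0] != name:       # a tag with no value was pushed as an aggregate; unwind it
                if len(stack) == 1:
                    raise ValueError("unexpected </%s>" % name)
                stack.pop()
            stack.pop()
        elif raw.strip():                     # leaf element: value, no close tag needed
            cur[name] = raw.strip()
        else:                                 # aggregate: nest a new dict
            cur[name] = child = {}
            stack.append((name, child))
    if len(stack) != 1:
        raise ValueError("unclosed <%s>" % stack[-1][0])
    return header, stack[0][1]["OFX"]

def message_sets(body):
    """List (name, URL, OFXSEC, TRANSPSEC) per advertised message set; assumes one version block each."""
    msl = body["PROFMSGSRSV1"]["PROFTRNRS"]["PROFRS"]["MSGSETLIST"]
    out = []
    for name, versions in msl.items():
        core = next(iter(versions.values()))["MSGSETCORE"]
        out.append((name, core["URL"], core["OFXSEC"], core.get("TRANSPSEC")))
    return out

# Constructed sample PROFRS reply (made-up server, URLs and IDs), written in the
# compact form many OFX 1.x servers send: header block, blank line, SGML body.
SAMPLE = ("OFXHEADER:100\nDATA:OFXSGML\nVERSION:102\nSECURITY:NONE\nENCODING:USASCII\n\n"
          "<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>0</CODE><SEVERITY>INFO</STATUS>"
          "<DTSERVER>20080414141414</SONRS></SIGNONMSGSRSV1><PROFMSGSRSV1><PROFTRNRS>"
          "<TRNUID>1001<STATUS><CODE>0<SEVERITY>INFO</STATUS><PROFRS><MSGSETLIST>"
          "<SIGNONMSGSET><SIGNONMSGSETV1><MSGSETCORE><URL>https://ofx.example.invalid/signon"
          "<OFXSEC>NONE<TRANSPSEC>Y</MSGSETCORE></SIGNONMSGSETV1></SIGNONMSGSET>"
          "<BANKMSGSET><BANKMSGSETV1><MSGSETCORE><URL>https://ofx.example.invalid/bank"
          "<OFXSEC>TYPE1<TRANSPSEC>Y</MSGSETCORE></BANKMSGSETV1></BANKMSGSET></MSGSETLIST>"
          "</PROFRS></PROFTRNRS></PROFMSGSRSV1></OFX>")
```

Calling `message_sets(parse_ofx(SAMPLE)[1])` gives one tuple per message set, which is the structured form of what the post's regex prints line by line.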