[Openvas-devel] New Change Request #51: Add HTTP/HTTPS proxy support to openvas-libraries
Christian Kuersteiner
ckuerste at gmx.ch
Mon Nov 15 04:55:58 CET 2010
On Thu, 2010-11-11 at 15:39 +0100, Michael Wiegand wrote:
> I have just added a new change request regarding HTTP/HTTPS proxy support in
> openvas-libraries (http://www.openvas.org/openvas-cr-51.html).
>
> I'd like to thank Christian Kuersteiner for the idea behind this change
> request and for providing a working prototype as well. I've attached the
> patch to this mail; please note that the control infrastructure contained in
> the patch is not yet final and the patch currently only supports proxies on
> localhost. This will of course change in the final version.

Although I am one of the initiators of the change request I would like to
give another thought for discussion.

The CR handles proxying of HTTP/S requests. How about the support of
proxies in general (i.e. SOCKS)? There was a recent discussion on the
metasploit mailing list (http://seclists.org/metasploit/2010/q4/113)
where there was the need to scan through an already compromised machine. I
guess there might be other situations where scanning through a proxy
might be useful. Of course, scanning through a proxy has some (quite
severe) caveats but might be accurate and needed in certain situations.

Another problem we face with the CR-51 patch is that it works only if
the NVT uses the HTTP related functions from NASL (e.g.
http_open_socket). If the programmer opens a socket for himself we
cannot assure that it will be routed over the proxy. Again, if we support
proxies in general we would have a better way to route all traffic over
the proxy.

Any thoughts?

Christian