[Openvas-devel] New Change Request #51: Add HTTP/HTTPS proxy support to openvas-libraries

Christian Kuersteiner ckuerste at gmx.ch
Mon Nov 15 04:55:58 CET 2010


On Thu, 2010-11-11 at 15:39 +0100, Michael Wiegand wrote:
> I have just added a new change request regarding HTTP/HTTPS proxy support in 
> openvas-libraries (http://www.openvas.org/openvas-cr-51.html).
> 
> I'd like to thank Christian Kuersteiner for the idea behind this change 
> request and for providing a working prototype as well. I've attached the 
> patch to this mail; please note that the control infrastructure contained in 
> the patch is not yet final and the patch currently only supports proxies on 
> localhost. This will of course change in the final version.

Although I am one of the initiators of the change request, I would like to
give another thought for discussion.

The CR handles proxying of HTTP/S requests. How about the support of
proxies in general (i.e. SOCKS)? There was a recent discussion on the
Metasploit mailing list (http://seclists.org/metasploit/2010/q4/113)
where there was the need to scan through an already compromised machine. I
guess there might be other situations where scanning through a proxy
might be useful. Of course, scanning through a proxy has some (quite
severe) caveats but might be accurate and needed in certain situations.

Another problem we face with the CR-51 patch is that it works only if
the NVT uses the HTTP-related functions from NASL (e.g.
http_open_socket). If the programmer opens a socket for himself, we
cannot ensure that it will be routed over the proxy. Again, if we support
proxies in general, we would have a better way to route all traffic over
the proxy.

Any thoughts?

Christian


