is there any secure websocket (wss protocol) client browser plugin available? - plugins

we would like to test our secure websocket (i.e wss) end point. I am looking for easy tool to test the endpoint. is there browser plugin available for wss protocol?

I used "Simple WebSocket Client" chrome plugin to test wss endpoint. If your websocket is using self signed certificate, you to need add that certificate as a trusted certificated in your browser.
I followed below steps to add the self signed in my chrome browser.
suppose your websocket url is "wss://host1:port1/testSocket" . Then type urls as https:// host1:port1/testSocket
and trust the certificate.

AutobahnTestsuite is an automated WebSocket protocol test suite that supports WSS. It is used by most WebSocket implementors to test their implementations for compliance and interoperability.
Disclosure: I am original author of the testsuite.

I've run into this issue often enough that I finally created my own barebones GUI for testing websockets. It's called Socket Wrench, it supports
multiple concurrent connections to servers (with all responses and connections displayed in the same view),
comprehensive message history to enable easy re-use of messages, and
custom headers for the initial connection request.
It's available for Mac OS X, Windows and Linux and you can get it from here.

Related

How To Establishing a Certificate-Based Connection to APNs

I do not know is it correct way or not but I am trying to get certificate from macos keychain and use it on flutter httpclient to establish a Certificate based connection. I just wonder is it possible or not.
For now i can get the certificate with native code with and i am returning the data:
var certificate: SecCertificate?
SecIdentityCopyCertificate(identityNotNil, &certificate)
let data = SecCertificateCopyData(certificate!)
then i try to use it like inside flutter:
SecurityContext context = SecurityContext.defaultContext
..useCertificateChain(certificateByteArray, password: 'password');
var _client = HttpClient(context: context);
but i am getting error about bad certificate. Maybe there is a way to reach keychain directly from flutter.
Thank you.
To be more specific, i am trying to use a certificate like :
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns
I assume that your question relates to flutter web - not a standalone Mac OS application? Then I can think of the following scenarios:
Use client certificates to establish an SSL based secure transport layer with certificate based authentication.
Use client certificates to exchange encrypted messages with encryption done by the application (both client and server) or use client certificates on the application layer for Authentication only.
Scenario 1: SSL with client certificates
In flutter web, HTTP Connections are only supported via XMLHttpRequest - the underlying JavaScript Object - under the hood flutter web code is transformed into JavaScript code. XMLHTTPRequest does NOT support any Client Certificates.
But you can configure the Browser to use client certificates when connecting to a WebServer via SSL - this would be fully transparent to the flutter web app. All modern browsers support client certificates and do access the MacOS keychain.
Of course, the server need to support SSL with client certificates. E.g. if you want to use client certificates in order to authenticate to a Spring Application based on SSL client certificates, this is described here:
Spring Security - Pre-Authentication Scenarios
Scenario 2: Application layer encryption/authentication
This is a very unusual scenario, as web applications usually rely on SSL for many good reasons: No coding is required and its pretty secure. But of course, it is technically feasible to implement encryption of all messages exchanged with the server on your own.
Letting aside the pure coding work (encryption libraries also exist for flutter), the key problem is to get the certificate and the private key into the application. Loading the certificate from the server without prior authentication (like the web app itself or all assets) would be a major security flaw, because then an attacker could also easily download the certificate/private key.
The only secure way I can think of, is to obtain the certificate and private key form the client computer. Unfortunately, a flutter web app - like every JavaScript app - is running in a Sandbox within a Browser, which puts major constraints on the application - for good Browser security reasons. Due to this sandbox, the flutter web app CANNOT access the Mac OS keychain directly.
But you can let the user pick a file with the certificate and private key. This is described here:
How to Pick files and Images for upload with flutter web

Trace HTTPS Web API calls from iPhone App

I am working with an iPhone application which interacts with a Web API. Since the endpoints are HTTPS, the data which communicates in-between the device and the Web API are suppose to be encrypted.
I am in need of finding every End-Points and the Data which communicates (Headers, Body Content) for each business scenario & for negative testing-flows.
Since the data which transmits are encrypted, I was unable to trace from the Fiddler which I tried while referring so several on-line tutorials.
(The reason why I am in need is because of I have got assigned to make a API Automation tool to simulate all the testing scenarios (happy-path, negative test-cases, etc))
Is there any better approach I can take to trace these API calls?
OR, is there a tool which I can try to trace these Web API calls which sends and receives from the iPhone?
TIA
Managed to get the Certificates for the HTTPS endpoints and added to the Certificate Manager (in a windows pc). Afterwards configured the proxy ports with fiddler echo service from the mobile device and was able to trace the HTTPs calls.
With the help of installing the certificates the HTTPS, intercepting the HTTPS is possible.

Is there any proxy software (like proxifier) which can use Kerberos authentication?

My company uses PAC file to restrict any outgoing traffic through proxy server. The problem is, a lot of software does not provide the option to 'use IE setting', so that they cannot be connected to the internet.
I checked this PAC file up and found the right proxy server. But after I tried to use the proxy setting for these IE-unfriendly software, they still cannot get online. I used chrome to capture some packages and found the http header containing some Negotiation data. So I assume this proxy server uses some auto login mechanism like NTLM or kerberos.
But after I downloaded the famous Proxifier and tried to reroute the net traffic for some software, NTLM method did not work. I get the 502 error. Bummer...
Any hero comes to help! Am I thinking in the wrong way? Merci beacoup!
This is not a programming question but, did you try
cntlm (http://cntlm.sourceforge.net/) or
ntlmaps (http://ntlmaps.sourceforge.net/)?
Hope this helps

Create a UCMA 3.0 endpoint to a SIP PSTN gateway WITHOUT using Lync

I want to use UCMA 3.0 (standalone, without Lync) to create an IVR application as modeled in the SDK docs:
http://msdn.microsoft.com/en-us/library/gg448007.aspx
I'd like a code snippet that demonstrates how to create the endpoint to a SIP PSTN Gateway so people can dial in from a regular phone and the app will pick up. I have the user name, password, and domain from the SIP provider. I could not find in any of the samples an actual code example of the model described in the link above.
Actually, the Visual Studio template included with UCMA already handles this (albeit in an ultra confusing way). If you create a new project and hit F5 it will start a standalone application listening on port 5060.
What it doesn't handle is SIP registration. For that you'll need to put a proxy server between your app and your provider. Check out http://www.brekeke.com/sip/, they offer a low-cost SIP server that can register against your SIP provider.

Node.js and wss://

I'm looking to start using javascript on the server, most likely with node.js, as well as use websockets to communicate with clients. However, there doesn't seem to be a lot of information about encrypted websocket communication using TLS and the wss:// handler. In fact the only server that I've seen explicitly support wss:// is Kaazing.
This TODO is the only reference I've been able to find in the various node implementations. Am I missing something or are the websocket js servers not ready for encrypted communication yet?
Another option could be using something like lighttpd or apache to proxy to a node listener, has anyone had success there?
TLS/SSL support works for this websocket implementation in Node.js, I just tested it: https://github.com/Worlize/WebSocket-Node/issues/29
Well you have stream.setSecure() and server.setSecure().
I'm guessing you should be able to use one of those (specially the last one) to use TLS in websockets since in the end a websocket is just a normal http connection "upgraded" to websocket.
Using TLS in the normal http server object should theorically also secure the websocket, only by testing this can be confirmed.