Santy and SSL

["Ofer Shezaf" <Ofer.Shezaf () breach com>]

Since my company sells a product that decrypts SSL traffic in order to
enable intrusion detection systems to inspect it, I was looking for
examples of real world attacks hidden in SSL traffic.

As part of this research I examined Santy and found out that:
a. there are many phpBB sites protected by SSL:
I Just Googled something like: "inurl:https inurl:viewtopic
inurl:highlight", which is similar to the Santy search but also
requiring the page to be SSL protected and found 2000. Not enough to
spread a worm, but certainly enough to find some vulnerable sites to
deface.

b. Santy itself did not address SSL:
It parsed found URL using the pattern s#^http://##i (thus ignoring https
sites) and naturally also did not assume port 443 for https protocol.

Since modifying the code to handle SSL requires changing two lines, I
wondered if somebody has seen a variant or similar attack over SSL?

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com
www.breach.com