codewatchorg / jnlpdownloader

jnlpdownloader is a Python script that takes a URL to a JNLP and downloads all the associated JARs and native libraries. Another Java based tool exists that provides this functionality, but this Python version extends the capabilities to include the ability to authenticate with BASIC, DIGEST, NTLM, or cookie authentication.
BSD 2-Clause "Simplified" License

SSL connection #3

Open Hax0rG1rl opened 8 years ago

Hax0rG1rl commented 8 years ago

Hi,

Got the following issue with testing an SSL site.

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:789: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
  InsecureRequestWarning)
Traceback (most recent call last):
  File "jnlpdownloader.py", line 146, in
    jnlpfile = jars.get('href').rsplit('/')[1]
IndexError: list index out of range

Apparently SSL support has to be added with the original code(?)

https://urllib3.readthedocs.org/en/latest/security.html

Didn't have time to do it myself due to my personal workload.

Do you have a workaround for this?

Cheers,

-J

codewatchorg commented 8 years ago

The first message is just a warning where the script is not specifically validating the certificate. It should still run regardless.

The real error is the index out of range issue. Can you give me the full command line you used? It looks like there is something different with the JNLP file which my script does not handle correctly so it would help if I had a copy to test with.

Hax0rG1rl commented 8 years ago

Right. So, in the end I actually got the jar file(s) manually.

Because it is a pentest and there is an NDR agreement, I'm not sure I will be able to provide what you have requested. I will think about a workaround, though, which will give you the possibility to access that jnlp file.

Cheers,

-j

codewatchorg commented 8 years ago

Understood. Is there a way for you to download and modify the jnlp file such that any customer information is redacted (links, names, etc)?

Hax0rG1rl commented 8 years ago

Yeah, that option would be the one which I have to check out.

Hax0rG1rl commented 8 years ago

Hi buddy,

I just can't provide that file. I can't strip off everything, so you can close the issue now. I will use the tool with the next assessment and will come back eventually.

Cheers,

-J

codewatchorg commented 8 years ago

Ok, thanks for letting me know. I will leave this open until I can track down the difference in formatting that is causing this problem.

Unfortunately, I have only needed this on a handful of assessments and thus haven't had this issue and am unsure how to recreate it without an offending .jnlp file.

Thanks for at least noting the issue.
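
Added example (not part of the thread and not the project's code): the expression in the traceback, `jars.get('href').rsplit('/')[1]`, raises `IndexError` whenever the `href` contains no `/`, which is one input shape that reproduces the exception; whether the reporter's file had that shape is not known. The sample JNLP documents, the helper names and the `unnamed.jnlp` default are constructed for illustration, and the code targets Python 3.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample JNLP documents (not from the issue); only the href differs.
# For JNLP fetched from an untrusted server, a hardened XML parser such as
# defusedxml is preferable to the standard-library one used here.
CODEBASE = 'codebase="https://example.test/app"'
SAMPLES = {
    "absolute": '<jnlp %s href="https://example.test/app/launch.jnlp"/>' % CODEBASE,
    "relative": '<jnlp %s href="web/launch.jnlp"/>' % CODEBASE,
    "bare": '<jnlp %s href="launch.jnlp"/>' % CODEBASE,
    "missing": '<jnlp %s/>' % CODEBASE,
}


def original_lookup(href):
    """The expression from the traceback, applied to one href value."""
    return href.rsplit('/')[1]


def jnlp_filename(jnlp_xml, default="unnamed.jnlp"):
    """Return the file name the href points at, for every shape above."""
    href = ET.fromstring(jnlp_xml).get("href")
    if not href:
        return default  # attribute absent or empty
    # Take the last path component, ignoring scheme, host and query string.
    name = posixpath.basename(urlsplit(href).path)
    return name or default


def compare():
    """Map each sample to (outcome of the original expression, safe name)."""
    results = {}
    for label, doc in SAMPLES.items():
        href = ET.fromstring(doc).get("href")
        try:
            old = original_lookup(href)
        except (IndexError, AttributeError) as exc:
            old = type(exc).__name__  # record which exception was raised
        results[label] = (old, jnlp_filename(doc))
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

Only the `relative` sample yields the intended name with the original expression; the absolute URL silently yields an empty string, and the other two raise.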