Echo Mirage is a generic network proxy. It uses DLL injection and function hooking to redirect network-related function calls, so that data transmitted and received by local applications can be observed and modified, something Wireshark cannot do.
To see inside encrypted channels, we can use tools like Echo Mirage. It allows you to view and edit the data being sent and received within an SSL session. It also works just as well on unencrypted traffic, which could also be inspected with Wireshark.
A thick client is vulnerable to the following issues:
- Improper error handling
- SQL injection
- Parameter tampering
- Broken access control
- Session management
Echo Mirage offers two options:
- Launch the application from Echo Mirage (Ctrl+E)
- Inject into a running process (Ctrl+I)
Select the process whose traffic you want to monitor. The screenshot below shows the intercepted traffic of the application.
In this application, SQL queries were intercepted, and we can modify them to test for SQL injection. In the image below, we are trying to find the version of the database used by the application.
The query to get the database version was executed and its result is shown in the image below; we were also able to update the whole database. This is just a basic overview of the tool; a lot more can be done with it during a security review of a thick client.
The Security Research Team