diff options
author | Vincent Ambo <tazjin@google.com> | 2020-02-09T21·24+0000 |
---|---|---|
committer | Vincent Ambo <tazjin@google.com> | 2020-02-09T21·24+0000 |
commit | 0bc2f8995eb6ebcd13a33282520f724451630a36 (patch) | |
tree | 45ce8228d4ad3f81b41931ac7290797c6a0217dc /web/blog/posts/reversing-watchguard-vpn.md | |
parent | 30e8f59d0262e28c0fb06eac739ca141ebad2847 (diff) |
style(web/blog): Minor formatting fixes in Watchguard post r/520
Diffstat (limited to 'web/blog/posts/reversing-watchguard-vpn.md')
-rw-r--r-- | web/blog/posts/reversing-watchguard-vpn.md | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/web/blog/posts/reversing-watchguard-vpn.md b/web/blog/posts/reversing-watchguard-vpn.md index 49e9ffa908d7..f1b779d8d993 100644 --- a/web/blog/posts/reversing-watchguard-vpn.md +++ b/web/blog/posts/reversing-watchguard-vpn.md @@ -1,4 +1,4 @@ -**Update**: WatchGuard has +TIP: WatchGuard has [responded](https://www.reddit.com/r/netsec/comments/5tg0f9/reverseengineering_watchguard_mobile_vpn/dds6knx/) to this post on Reddit. If you haven\'t read the post yet I\'d recommend doing that first before reading the response to have the proper context. @@ -50,9 +50,9 @@ important: I started with the first one -`%@?action=sslvpn_download&filename=%@&fw_password=%@&fw_username=%@` + %@?action=sslvpn_download&filename=%@&fw_password=%@&fw_username=%@ -and just =curl=ed it on the VPN host, replacing the username and +and just curled it on the VPN host, replacing the username and password fields with bogus data and the filename field with `client.wgssl` - another string in the executable that looked like a filename. @@ -64,7 +64,7 @@ after logging in to the web UI - oh well. The next endpoint I tried ended up being a bit more interesting still: -`/?action=sslvpn_logon&fw_username=%@&fw_password=%@&style=fw_logon_progress.xsl&fw_logon_type=logon&fw_domain=Firebox-DB` + /?action=sslvpn_logon&fw_username=%@&fw_password=%@&style=fw_logon_progress.xsl&fw_logon_type=logon&fw_domain=Firebox-DB Inserting the correct username and password into the query parameters actually triggered the process that sent a token to my phone. The |