Advanced MITM Techniques for Security Testers

Presented at OWASP FROC 2010 by

HTTP proxies such as WebScarab, Paros, and Burp make it easy to inspect and intercept normal web application traffic. But what can you do when your web application isn't "normal"? Maybe the client is not a standard web browser with configurable proxy settings. Maybe an ActiveX object is used to send non-HTTP traffic. Perhaps the application can't even be installed on a personal computer, but instead resides on a mobile or embedded device. In these situations, having the right proxy tools and a computer running Linux can be the difference between zero vulnerability findings and uncovering critical design flaws in a short period of time. This presentation will cover advanced "man in the middle" techniques that can be used to intercept any TCP stream (including those protected with SSL/TLS) using a new transparent TCP proxy developed by Intrepidus Group. These techniques can be used to uncover server-side and client-side bugs that might otherwise go unnoticed without a lengthy reverse engineering project. In addition to tools and techniques, this presentation will also discuss real-world programming flaws and vulnerabilities they've been used to uncover.