I want to block some sites with my proxy by responding with 403. I succeeded with responding in such a way in an HTTP proxy, but when I get the CONNECT method, I respond with:
HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Proxy-agent: smth
Connection: close
But users still get the ERR_TUNNEL_CONNECTION_FAILED. What can I do to provide users with a nice 403 error?
RFC 2817 does not disallow 4xx codes, and the Draft has the section "4. Extensibility" that states that
"The tunneling handshake is freely extensible using the HTTP/1.x headers;"
But it looks like all browsers decided to just ignore almost every non-2xx codes for security reasons.
Here are some bugs reports:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565641(v=vs.85)
Internet Explorer 8 has a feature that ensures that the secure connection is made all the way to the target server. If it isn't, then no page is displayed.
https://bugzilla.mozilla.org/show_bug.cgi?id=479880
I realize that I'm way late to the party here, but [...] this fix is terrible for proxy admins (myself included). Our proxy returns a 403 forbidden for filtered SSL content and an error page about why the content is blocked, and Firefox just drops all of it on the floor
https://bugs.chromium.org/p/chromium/issues/detail?id=7338
So that's the way it is.
Related
I want connection to a websocket server wss://fm.missevan.com:3016/ws。i use online websocket tool http://www.websocket-test.com to do it, but in edge browser, it's response is ok and in chrome ,the response is 403 forbidden.
Actually, i use GO language to connection wss://fm.missevan.com:3016/ws,I tried many websocket library but all failed.
I checked the request header of connected browser, there are no special fields. so who can analyze the reason of this, thanks
I am working on a RESTful web application using Go + gorilla/mux v1.4 framework. Some basic security testing after a release revealed an Open URL Redirection vulnerability in the app that allows user to submit a specially crafted request with an external URL that causes server to response with a 301 redirect.
I tested this using Burp Suite and found that any request that redirects to an external URL in the app seems to be responding with a 301 Moved Permanently. I've been looking at all possible ways to intercept these requests before the 301 is sent but this behavior seems to be baked into the net/http server implementation.
Here is the raw request sent to the server (myapp.mycompany.com:8000):
GET http://evilwebsite.com HTTP/1.1
Accept: */*
Cache-Control: no-cache
Host: myapp.mycompany.com:8000
Content-Length: 0
And the response any time is:
HTTP/1.1 301 Moved Permanently
Location: http://evilwebsite.com/
Date: Fri, 13 Mar 2020 08:55:24 GMT
Content-Length: 0
Despite putting in checks for the request.URL to prevent this type of redirect in the http.handler, I haven't had any luck getting the request to reach the handler. It appears that the base http webserver is performing the redirect without allowing it to reach my custom handler code as defined in the PathPrefix("/").Handler code.
My goal is to ensure the application returns a 404-Not Found or 400-Bad Request for such requests. Has anybody else faced this scenario with gorilla/mux. I tried the same with a Jetty web app and found it returned a perfectly valid 404. I've been at this for a couple of days now and could really use some ideas.
This is not the claimed Open URL redirect security issue. This request is invalid in that the path contains an absolute URL with a different domain than the Host header. No sane client (i.e. browser) can be lured into issuing such an invalid request in the first place and thus there is no actual attack vector.
Sure, a custom client could be created to submit such a request. But a custom client could also be made to interpret the servers response in a non-standard way or visit a malicious URL directly without even contacting your server. This means in this case the client itself would be the problem and not the servers response.
I've written a proxy that provides tunnelling for secured connections. However, the proxy tends to redirect (non-secured, HTTP GET) connections to a redirected page if the site being accessed is invalid. It does it by returning a "HTTP/1.0 302 Moved Temporarily" message. Will returning a HTTP/1.0 302 Moved Temporarily to a HTTP CONNECT also result in the same browser behaviour?
I've tried and it doesn't work as expected.
Therefore I was wondering if anyone could suggest the correct way of asking a HTTP CONNECT request to redirect to a different page?
If the site being accessed is invalid, you probably want to do something other than a 302 redirect. Where would you redirect to? A 302 redirect should probably only be passed back to the client from the destination site itself, but in that case it would still be a valid site.
If the site the client is requesting is not accepting connections, you should probably return a 502 Bad Gateway error to the client. See:
https://www.rfc-editor.org/rfc/rfc2616#section-10.5.3
If you can actually connect to the destination site, you should return a 200 OK to the client and then whatever the destination site returns over the proxied connection.
I have a local site running ASP.Net MVC 3 over HTTP and HTTPS through IIS Express.
The HTTP url is http://localhost:4000 and the HTTPS is https://localhost:44301.
I'm trying to hook up the Stripe payments API but it really does not like the port, protocol and domain mismatch. I've tried using CORS to tell it to trust stripe.com but it seems that it is due to the port mismatch and I cannot figure out how to tell it to ignore that.
Adding the following header does not product any difference.
Access-Control-Allow-Origin:*
When accessing my payment page via HTTP, I get the following:
Blocked a frame with origin "https://checkout.stripe.com" from
accessing a frame with origin "http://localhost:4000". The frame
requesting access has a protocol of "https", the frame being accessed
has a protocol of "http". Protocols must match.
It gets worse when using SSL as my local SSL port is not 443.
How do I tell CORS to ignore the port mismatch whilst in development?
You can disable same origin policy while in development. Load chrome with the following argument:
--disable-web-security
https://stackoverflow.com/a/6083677/287760
Didn't the error message tell you the problem? Use HTTPs.
I still get this message my live site:
Uncaught SecurityError: Blocked a frame with origin "https://checkout.stripe.com" from accessing a frame with origin "https://getaddress.io". Protocols, domains, and ports must match.
..everything still works so I wouldn't worry about it. There's not much you can do about the domains being different.
I'm wondering if an invalid or expired SSL certificate could cause some ajax posts via Firefox to fail (not all ajax posts, some are successful)? I'm trying to determine the cause of my ajax request via firefox to be aborted (and is not seen in other browsers). If I'm using Fiddler, the post does work too.
Yes, attempting to connect to an HTTPS site that has an invalid certificate (for whatever reason) with a XHR request will make this request fail. Unlike direct requests, it won't be able to display the usual certificate warning message to ask you whether you want to proceed.