Man in the Middle (MITM) proxy with HTTPS support [duplicate] - ruby

This question already has answers here: How to create Man in the Middle instrumentation (3 answers). Closed 8 years ago.
We seem to be going round in circles a bit at the moment. We are looking for a simple, lightweight, preferably Ruby-based proxy that enables us to do the following:
Proxy HTTPS requests between a browser and a Web app. e.g. GMail
Intercept and modify the request/responses - Man in the Middle modification
Generate on-the-fly SSL certs (or maybe use pre-configured) for use between the proxy and the browser
Using Ruby, we've experimented with em-proxy and Goliath but I don't think these are quite the right fit.
Any suggestions would be very much appreciated.
Best Regards,
Carlskii.

There is also mitmproxy written in Python.

Fiddler can do this, although it's not Ruby-based.

There is also the nice-looking, multiplatform http://www.charlesproxy.com/ with SSL support. It's in Java/native code. It's a closed-source paid app with a free trial.

You can try https://github.com/odcinek/mallory. It is more recent, though not as fully mature as the previously mentioned other-language proxies; this one, however, IS written in Ruby.

Another alternative.
Burp Proxy, freemium, closed source written in java.
Burp Proxy is an interactive HTTP/S proxy server for attacking and
testing web applications. It operates as a man-in-the-middle between
the end browser and the target web server, and allows the user to
intercept, inspect and modify the raw traffic passing in both
directions.
Burp Proxy allows you to find and exploit application vulnerabilities
by monitoring and manipulating critical parameters and other data
transmitted by the application. By modifying browser requests in
various malicious ways, Burp Proxy can be used to perform attacks such
as SQL injection, cookie subversion, privilege escalation, session
hijacking, directory traversal and buffer overflows.

https://github.com/lightbody/browsermob-proxy open-source, well-known solution written in java, can be configured on-the-fly using REST API or Java API

Related

Bypassing HTTP basic auth locally

I have two applications which I cannot change:
A: provides a URL protected by HTTP basic auth.
B: needs to access this URL but does not support basic auth.
Credentials are available.
How can I make my two applications work together?
I thought a local proxy might be great which injects the authentication. E.g. using socat:
socat TCP4-LISTEN:81,reuseaddr,fork TCP:UrlToA:80,<inject-basic-auth>=user:pass
However, socat does not provide an option like <inject-basic-auth>. Does anybody know of any tool that might help? Any other way out?
You must set up an HTTP reverse proxy server that does the authentication for you. No need to hack any software.
Your reverse proxy listens on some socket (e.g. proxy:8080) and forwards requests to your actual application A, inserting the headers.
client_B ----> http://proxy:8080 -----> http://server_A:80
Nginx is lightweight, high performance and easy to set up. And it's easy to find docs online for what you want.
See for example http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
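The header rewrite such a reverse proxy performs, sketched in Ruby as an added example (not code from the answer or from Nginx): any Authorization header sent by B is replaced with the injected credentials, and the listener binds to loopback because whoever can reach the port inherits A's access. The function names and the `serve` helper are hypothetical, and `server_A` and `user`/`pass` are constructed values.

```ruby
require "socket"

# Authorization value for HTTP Basic auth: base64("user:pass"), no line breaks.
def basic_auth_value(user, pass)
  raise ArgumentError, "user must not contain ':'" if user.include?(":")
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end

# Rewrite a raw HTTP/1.x request head (request line plus headers, ending in a
# blank line). Client-sent Authorization, Host and Connection headers are
# dropped so the client cannot override what the proxy injects.
def inject_basic_auth(head, upstream_host, user, pass)
  request_line, *headers = head.split("\r\n")
  unless request_line =~ %r{\A\S+ \S+ HTTP/1\.[01]\z}
    raise ArgumentError, "not an HTTP/1.x request head"
  end
  kept = headers.reject { |h| h =~ /\A(authorization|host|connection)\s*:/i }
  injected = ["Host: #{upstream_host}",
              "Authorization: #{basic_auth_value(user, pass)}",
              "Connection: close"] # one request per connection, each rewritten
  ([request_line] + injected + kept).join("\r\n") + "\r\n\r\n"
end

# Minimal forwarder (hypothetical helper). It listens on loopback only, since
# anyone who can reach this port gets A's access without the password.
def serve(listen_port, upstream_host, upstream_port, user, pass)
  server = TCPServer.new("127.0.0.1", listen_port)
  loop do
    Thread.new(server.accept) do |client|
      begin
        head = client.gets("\r\n\r\n") or next
        upstream = TCPSocket.new(upstream_host, upstream_port)
        upstream.write(inject_basic_auth(head, upstream_host, user, pass))
        body = Thread.new { IO.copy_stream(client, upstream) rescue nil }
        IO.copy_stream(upstream, client) # relay the response until A closes
        body.kill
      ensure
        upstream&.close
        client.close
      end
    end
  end
end
```

Calling `serve(8080, "server_A", 80, "user", "pass")` starts the listener; keep the credentials out of the script itself (for example in an environment variable) if the file is shared.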
This problem seems to be very specific. So you probably won't find a ready-to-use tool.
If you want to do it yourself, your best approach is probably to extend socat:
http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
Good luck!

How to implement secure network message passing using Cocoa

I'm interested in having clients, on iOS/OS X platforms using Cocoa, have secure transactions with a dedicated server. I'm looking for the easiest and most 'proper' use of the fancy highly abstracted APIs that Apple has developed. An example of what I'm talking about with those "fancy" APIs is that https is implemented "for free" and could suit my purposes - except that I don't know how to implement the corresponding server portion of that?
The network messages basically need to be a secure session where a client can create an account, or log in with that account, can send a request to the server, and receive a response from the server. The traffic is low volume, latency is OK, most important thing is to implement confidentiality and to make my software effort as short as possible.
The server will be on FreeBSD and will either run Cocoa via Cocotron or can use some other technology you mention that would make development faster. The computation being done on the server is minimal, requires db intfc, etc.
On the client side, NSURLRequest and NSURLConnection both support HTTPS mode. You could also try third-party libraries such as ASIHTTPRequest.
On the server side, I'm not sure what you mean by "The server will be on FreeBSD and will either run Cocoa via Cocotron". Are you saying that your server will be written in Objective-C and using Cocoa API? I'm not really sure why you want to do something like that. If the code on server is minimal, why not use the Apache server combined with mod_ssl and perhaps PHP to get it done? PHP is excellent for quick and dirty server. You can also use django / rails and other established frameworks (all of which support HTTPS) if those suit your need better.

How to add proxy support to c# socket connection?

I have a socket app that needs to have support for SOCKS 4 and 5 proxy connections, since my users may be behind firewalls. I am using WPF and C# 3.5 SP1. I see no options in the default Socket class for proxies; do I have to roll my own?
I'd prefer not to use 3rd party libs if possible - how difficult is it to enable proxy support with a standard C# Socket?
It is not terribly hard but you have to read through a couple of RFCs. You need to read the RFC spec on Socks v4, Socks v4a and Socks v5. I wrote a library that will do all the work for you but if you would rather write your own that is cool too. My library was mentioned in the previous post (Starksoft). You can implement the Socks protocol using a standard TcpClient object or a Socket connection. The TcpClient is easier. You simply need to send the commands immediately after connection to your proxy server. Those commands will instruct the proxy server what final end point you are interested in connecting to. There are also specs for a UDP Socks connection but it sounds like you won't be needing that.
You can find all the RFCs and generation information on wikipedia. I can't post more because this crazy stackoverflow site limits the number of hyperlinks I am allowed to 1 since I am not a regular user. Very annoying.
http://en.wikipedia.org/wiki/SOCKS
Finally, you can rip off my code if you like since it is under the MIT license and I let you do that kind of thing. :) Take a look at my class Socks4ProxyClient.cs that implements the Socks v4 protocol. The method of most interest to you is named SendCommand() located on line 282. You can find my code at Google Code. Search for Starksoft. Or you can go to my web site directly and I have a link to the source code in Google.
Socks5 implementation is a little trickier with more options to specify and a little more chatter to the server but basically very similar to Socks4.
Good luck and you should implement a solution yourself if you want to learn Socks. So, kudos to you!
Benton
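The command exchange described above, as an added Ruby example rather than code from the Starksoft library: it builds the SOCKS4 CONNECT request (and the SOCKS4a form for host names) and decodes the proxy's 8-byte reply. Function names and the sample address 192.0.2.10 are illustrative; the same bytes can be written to a C# TcpClient stream.

```ruby
require "ipaddr"

# Reply codes (CD field) defined by the SOCKS4 protocol.
SOCKS4_REPLIES = { 90 => :granted, 91 => :rejected_or_failed,
                   92 => :identd_unreachable, 93 => :identd_mismatch }.freeze

# Request sent right after the TCP connection to the proxy is established.
# An IPv4 literal produces plain SOCKS4; a host name produces the SOCKS4a
# form (DSTIP 0.0.0.1, name appended after USERID) so the proxy resolves it.
def socks4_connect_request(host, port, user_id = "")
  raise ArgumentError, "port out of range" unless (1..65_535).cover?(port)
  raise ArgumentError, "NUL byte in field" if (host + user_id).include?("\0")
  ip = begin
    IPAddr.new(host)
  rescue IPAddr::Error
    nil # not an address literal, treat as a host name
  end
  raise ArgumentError, "SOCKS4 cannot carry IPv6" if ip&.ipv6?
  head = [4, 1, port].pack("CCn") # VN=4, CD=1 (CONNECT), DSTPORT big-endian
  if ip
    head + ip.hton + user_id.b + "\0".b
  else
    head + [0, 0, 0, 1].pack("C4") + user_id.b + "\0".b + host.b + "\0".b
  end
end

# The proxy answers with exactly 8 bytes: VN=0, CD, DSTPORT, DSTIP.
def socks4_parse_reply(bytes)
  raise ArgumentError, "reply must be 8 bytes" unless bytes.bytesize == 8
  vn, cd, port, *octets = bytes.unpack("CCnC4")
  raise ArgumentError, "unexpected reply version #{vn}" unless vn.zero?
  { granted: cd == 90, status: SOCKS4_REPLIES.fetch(cd, :unknown),
    port: port, addr: octets.join(".") }
end
```

Only after a reply with code 90 should the client start sending application data on the socket; any other code means the proxy did not open the connection.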
You could ask Google for some info. One of the first links will lead you to Mentalis.org and their free proxy implementation. They were once well known for their free network and security stuff but the projects seem not to have been maintained for a while.
But it might be worth a look anyway.
I know you said that you did not want to use 3rd party libraries if possible, but I would like to recommend this http://www.starksoft.com/prod_proxy.html.

Best whitelist capable http proxy for Windows?

I would like to set up an HTTP proxy on my work machine (no admin rights, WinXP) to only allow access to a whitelist of URLs. What would be the easiest solution? I prefer open-source software if possible.
Squid seems to be the de facto proxy. This link describes how to set it up on a windows box: http://www.ausgamers.com/features/read/2638752
Why not use the Content Advisor in IE? You can provide a list of approved sites, anything else is blocked. Or do you want pass-through functionality like a true proxy?
Content advisor will ask for authorization every time a javascript function is called. At least that's my experience right now, and that's how I landed here, after hours of googling.
You are right, however, if the sites in the whitelist don't use JavaScript intensively and I would suggest that that option be tried first because (and I'm an IT person), it's FAAAAAAAAR easier to set up Content Advisor than a proxy server. Google "noaccess.rat" and you'll come across articles that tell you how to set up IE using a white-list approach.
Having said this, however, you must be fully aware that Content Advisor can be easily disabled, even without knowing the password. One of my users did it in no time. You can find this in google as well.
Alex

Firefox plugin - sockets

I've always wanted a way to make a socket connection to a server and allow the server to manipulate the page DOM. For example, this could be used in a stock quotes page, so the server can push new quotes as they become available.
I know this is a classic limitation (feature?) of HTTP's request/response protocol, but I think this could be implemented as a Firefox plugin (cross-browser compatibility is not important for my application). Java/Flash solutions are not acceptable, because (as far as i know) they live in a box and can't interact with the DOM.
Can anyone confirm whether this is within the ability of a Firefox plugin? Has someone already created this or something similar?
You may want to look at Comet which is a fancy name for a long running HTTP connection where the server can push updates to the page.
It should be possible. I have developed a xulrunner application that connects to a TCP server using sockets. Extension development would likely have the same capabilities. I used a library from mozdev - JSLib. Specifically check out the networking code. The fact that there is a JSLib add-on for Firefox makes me more confident.
Essentially, as I understand it, sockets are not part of JavaScript, but through XPCOM, you can get raw socket access like you would in any C/C++ application.
Warning: JSLib doesn't seem to receive a lot of attention and the mailing list is pretty sparse.
Java/Flash solutions are not acceptable, because (as far as i know)
they live in a box and can't interact with the DOM.
That's not actually true of Java. You can interact with Java via JavaScript and make DOM changes.
http://stephengware.com/proj/javasocketbridge/
In this example there are two JavaScript methods for interaction
Send:
socket_send("This was sent via the socket\n\n");
Receive:
function on_socket_get(message){ more_code(message); }
You may want to look at Comet
a.k.a. server push. This does not let the server "update" the client page directly, but all the new data is sent to the page through a single connection.
Of course, a Firefox extension (as well as plugins, which are binary libraries that can do whatever any other application can do) can work with sockets too. See 1, 2.
