What is HTTPReverseProxy


HTTPReverseProxy is a simple and straightforward HTTP reverse proxy server written in C#. When started, it listens on the regular HTTP port, waits for incoming requests and forwards them to the server named in the Host header of the HTTP request. Instead of just forwarding requests, it can also modify the request itself or the responses sent back by the real web server. This is quite handy if you want to sniff data (like user names or passwords) that is protected by HTTPS.
 

What is it useful for?

You can use a reverse proxy in multiple ways. You can put it inside a perimeter network, where it handles the incoming requests as a load balancer, or you can use it as an additional security layer. The reverse proxy sits between the requesting client and the real server.
 

Possible security impacts

HTTPReverseProxy accepts HTTP requests and forwards these to the real web server. Because it sits between the client and the real web server, HTTPReverseProxy is in a powerful position to modify the requests and the responses. It can modify them in such a way that the client uses insecure HTTP instead of HTTPS during the authentication process, while the reverse proxy forwards the login requests to the real server via HTTPS.
 

Why HTTPS isn’t always the solution

HTTPS is the protocol we trust when sensitive data has to be protected from prying eyes. If the user doesn’t use HTTPS from the very beginning and unencrypted requests cross the network, it is easy for an attacker to manipulate the data for his own benefit.

 

 

How can you modify the data stream

HTMLMAP: Modify HTML content sent back by the real web server.
    HTMLMAP||https://login.skype.com/intl/||http://www.skype.com/LoginSkypeCom
REQMAP: Modify the requested URL before it is sent to the real web server.
    REQMAP||http://www.skype.com/SSCA||https://login.skype.com/account/login-form?intcmp=sign-in
LOCMAP: Modify the HTTP Location header that was generated by the real web server.
    LOCMAP||https://secure.skype.com/account/?intcmp=sign-in||http://www.skype.com/SSCA
REDMAP: Send back an HTTP 302 message with a new location to which the client will subsequently connect.
    REDMAP||http://www.skype.com/||http://www.microsoft.com
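
The HTMLMAP and LOCMAP rewrites above leave visible traces in the response a client receives: a Location header or a login form action that points at http://. The following check for those two traces is an added example, not part of HTTPReverseProxy; the function names and the example.test hosts are assumptions, and only absolute URLs are examined.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LoginFormScanner(HTMLParser):
    """Collects the action URL of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._action = None      # action of the form currently open, if any
        self.login_actions = []  # actions of forms holding a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is not None:
                self.login_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def find_downgrades(raw_response):
    """Return findings for a raw HTTP response (headers, blank line, body)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and urlsplit(value.strip()).scheme == "http":
            findings.append("redirect to cleartext: " + value.strip())
    scanner = _LoginFormScanner()
    scanner.feed(body)
    for action in scanner.login_actions:
        if urlsplit(action).scheme == "http":
            findings.append("password form posts to cleartext: " + action)
    return findings


# Constructed sample responses (hostnames are placeholders, not captured traffic).
STRIPPED = ("HTTP/1.1 302 Found\r\nLocation: http://www.example.test/SSCA\r\n\r\n"
            '<form action="http://www.example.test/LoginForm" method="post">'
            '<input type="text" name="user"><input type="password" name="pw"></form>')
CLEAN = ("HTTP/1.1 302 Found\r\nLocation: https://login.example.test/account\r\n\r\n"
         '<form action="https://login.example.test/login" method="post">'
         '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for label, resp in (("stripped", STRIPPED), ("clean", CLEAN)):
        print(label, find_downgrades(resp))
```

A relative form action on a page that was itself delivered over HTTP is also sent in cleartext; catching that case requires knowing the URL the page was loaded from.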

 

 

Security impacts on …

While writing the reverse proxy server I did some tests with popular sites where users have to log in and type in their user name and password. These sites have an Alexa rank < 250.

www.badoo.com Vulnerable. They don’t use HTTPS.
www.dropbox.com Vulnerable. HTTPS can be circumvented.
www.facebook.com Vulnerable. HTTPS can be circumvented.
www.google.com Not vulnerable. Too complex.
www.linkedin.com Vulnerable. HTTPS can be circumvented.
www.paypal.com Internet Explorer is vulnerable.
www.skype.com Vulnerable. HTTPS can be circumvented.
www.statcounter.com Vulnerable. They don’t use HTTPS.
www.twitter.com Vulnerable. HTTPS can be circumvented.
www.wordpress.com Vulnerable. HTTPS can be circumvented.
www.xing.com Vulnerable. HTTPS can be circumvented.
www.yahoo.com Not vulnerable. Too complex.

How can I protect myself

  • Whenever possible, use HTTPS instead of HTTP, no matter whether you’re using the Internet at home or somewhere else.
  • Because people forget rule one too often, install the HTTPS Everywhere plugin for Google Chrome and Firefox.
  • If you don’t use Google Chrome or Firefox and you want to avoid trouble, get one of these browsers and install HTTPS Everywhere.
  • If you are connected to the Internet via a public network and you can’t establish connections via HTTPS, be aware that reading your username and password is no big deal for an attacker. Think before you click.

Feedback

If you encounter any problems with the tool, find a bug, have suggestions to improve it, or have tested it with a Windows version I’ve not yet tested, please drop me an email.

 

 

Where can I download it

Version 0.1 – Binary
Version 0.2 – Binary
Version 0.3 – Binary
Version 0.4 – Binary
Version 0.5 – Binary

 

carrumba says:

javascript :/
the HTTPReverseProxy replaces the form tag and its url. if that is done with javascript this method doesn’t work.
but HTTPSReverseProxy can help here. but of course the browser will show a warning that something is wrong with the certificate.
if you are patient … hopefully sometime in autumn/winter the EXE injector should be ready. that way you can inject your own exe files into the system. you can insert your own certificates and the browser won’t show an error message anymore.

macbroadcast says:

What makes yahoo different from all the other big sites which seem vulnerable?

Chris says:

Interesting… online security is a bit illusory it seems, thanks for the heads up!