What is HTTPSReverseProxy
HTTPSReverseProxy is a HTTPS reverse proxy server written in C#. When it is started it listens on the regular HTTPS port (443), waits for incoming requests and forwards these to the server that is defined in the HTTP request headers Host directive. But instead of just forwarding requests it is also possible to modify the request itself or the responses sent back by the real web server.
What is it useful for?
You can use a reverse proxy in multiple ways. You put it inside a perimeter network where it handles the incoming requests as load balancer or you use it as an additional security layer. The reverse proxy sits between the requesting client and the real server.
Possible security impacts
HTTPSReverseProxy accepts HTTPS requests and forwards these to the real web server. Because it sits between the client and the real web server HTTPSReverseProxy is in the powerful position to modify the requests and the responses. Even if the client encrypts all the data before sending it to the server at the entry point of the reverse proxy the data is decrypted and we can read it. This way it is possible to read sensitive data like session cookies (Session Sidejacking) or usernames and passwords.
How can you modify the data stream
| HTMLMAP | Modify HTML content sent back by the real web server. |
| HTMLMAP||https://login.skype.com/intl/||http://www.skype.com/LoginSkypeCom | |
| REQMAP | Modify the requested URL before it is sent to the real web server. |
| REQMAP||http://www.skype.com/SSCA||https://login.skype.com/account/login-form?intcmp=sign-in | |
| LOCMAP | Modify the HTTP Location header that was generated by the real web server. |
| LOCMAP||https://secure.skype.com/account/?intcmp=sign-in||http://www.skype.com/SSCA | |
| REDMAP | Send back a HTTP 302 message with a new location where the client subsequently will connect to. |
| REDMAP||http://www.skype.com/||http://www.microsoft.com | |
Security impacts on …
While writing the reverse proxy server I did some tests with popular sites where users have to log in and type in their user name and password. These sites have an Alexa rank < 250.
| www.badoo.com | Vlunerable. They don’t use HTTPS. |
| www.dropbox.com | Vulnerable. HTTPS can be circumvented |
| www.facebook.com | Vulnerable. HTTPS can be circumvented. |
| www.google.com | Not vulnerable. Too complex. |
| www.linkedin.com | Vulnerable. HTTPS can be circumvented |
| www.paypal.com | Internet Explorer is vulnerable |
| www.skype.com | Vulnerable. HTTPS can be circumvented |
| www.statcounter.com | Vlunerable. They don’t use HTTPS. |
| www.twitter.com | Vulnerable. HTTPS can be circumvented |
| www.wordpress.com | Vulnerable. HTTPS can be circumvented. |
| www.xing.com | Vulnerable. HTTPS can be circumvented. |
| www.yahoo.com | Not vulnerable. Too complex. |
How can I protect myself
- Whenever possible use HTTPS instead of HTTP. No matter if you’re using the Internet at home or somewhere else.
- Because people forget rule one too often install the HTTPS Everywhere plugin for Google Chrome and Firefox.
- If you dont use Google Chrome or Firefox and you want to avoid troubles then get one of these browsers and install HTTPS Everywhere.
- If you are connected to the Internet via a public network and you can’t establish connections via HTTPS be aware that for an attacker reading your username and password is no big deal. Think before you click.
- If the browser shows an warning that the web page you want to open is using a certificate that can’t be trustet and it is a well known page you want to open then don’t open it.
Feedback
In case you encounter any problems with the tool, you find a bug, you have suggestions to improve it, or you tested it with a Windows version i’ve not yet tested please drop me an email.
Where can I download it
 Version 0.1 – Binary |