#23 CONNECT command creates always SSL connection

open
Rogan Dawes
5
2008-01-25
2008-01-25
jpstotz
No

Hi,

I just stumbled across a problem concerning Proxy clients that are using the CONNECT command for establishing a direct tunneled connection through WebScarab.
The current implementation assumes that such connections are always TLS connections - which sometimes is not the case.

The problem is that the host specified by the CONNECT command does not contain a protocol scheme, therefore we have to guess (or maybe try out?) if the destination port expects a TLS or plain TCP connection. The only available indicator for guessing the protocol scheme is the port number.

Therefore I see three possible options:
1. By default all tunnel connections are assumed to be HTTPS connections, only for common HTTP ports like 80 we use a plain HTTP connection.
2. By default all tunnel connections are assumed to be HTTP connections, only for common HTTPS ports like 443 we use an SSL/TLS encrypted HTTP connection.
3. By default all tunnel connections are assumed to be HTTPS connections. We try to establish the connection and if that fails we fall back to HTTP.

Options 1 and 2 are easy to implement (my modified WebScarab uses option 2). Option 3 needs a bit more work and I don't know if it implies further problems.

Affected class: org.owasp.webscarab.model.Request
methods:
public void parse(StringBuffer buff);
public void read(InputStream is, HttpUrl base);

Jan
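
Added example (not WebScarab code and not part of the report): option 2's port-based guess for a CONNECT target, refined by a technique that is not among the three options above, namely peeking at the client's first tunnel bytes for a TLS record header once the proxy has answered the CONNECT. The class and method names, the port set and the sample bytes are assumptions made for illustration; Java 9 or later is required.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class ConnectSchemeGuess {
    enum Scheme { HTTP, HTTPS }

    // Assumed list: the report only names 443 as an example of an HTTPS port.
    static final Set<Integer> TLS_PORTS = Set.of(443);

    /** Option 2: plain HTTP by default, TLS only for known HTTPS ports. */
    static Scheme guessByPort(String requestLine) {
        String[] parts = requestLine.trim().split("\\s+");
        if (parts.length != 3 || !parts[0].equals("CONNECT"))
            throw new IllegalArgumentException("not a CONNECT request line");
        int colon = parts[1].lastIndexOf(':');   // also works for [v6]:port
        if (colon < 0)
            throw new IllegalArgumentException("CONNECT target has no port");
        int port = Integer.parseInt(parts[1].substring(colon + 1));
        return TLS_PORTS.contains(port) ? Scheme.HTTPS : Scheme.HTTP;
    }

    /**
     * Peek at the first two bytes the client sends into the tunnel and push
     * them back. A TLS record starts with content type 0x16 (handshake) and
     * major version 0x03. On a live socket set a read timeout first: a
     * server-speaks-first protocol would otherwise block here forever.
     */
    static Scheme sniff(PushbackInputStream in, Scheme fallback) throws IOException {
        byte[] head = new byte[2];
        int n = in.readNBytes(head, 0, 2);
        if (n > 0) in.unread(head, 0, n);
        if (n < 2) return fallback;              // too little data: keep the port guess
        return (head[0] == 0x16 && head[1] == 0x03) ? Scheme.HTTPS : Scheme.HTTP;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input, not captured traffic.
        String line = "CONNECT example.test:8080 HTTP/1.1";
        byte[] clientHello = {0x16, 0x03, 0x01, 0x00, 0x2e};
        byte[] plain = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        Scheme byPort = guessByPort(line);
        for (byte[] first : new byte[][] {clientHello, plain}) {
            PushbackInputStream in = new PushbackInputStream(new ByteArrayInputStream(first), 2);
            System.out.println(byPort + " by port, " + sniff(in, byPort) + " after sniffing");
        }
    }
}
```

The pushback stream must have a buffer of at least two bytes, and the peeked bytes have to be replayed to whichever handler (TLS or plain) takes over the tunnel.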

Discussion

  • jpstotz
    2008-01-25

    Modified version of class org.owasp.webscarab.model.Request

     
  • Rogan Dawes
    2008-01-25

    Logged In: YES
    user_id=438260
    Originator: NO

    Can I suggest we take these discussions/reports to the mailing list? It is rather tedious to have to go via SourceForge all the time.

    owasp-webscarab@lists.owasp.org

     
  • jpstotz
    2008-01-25

    Logged In: YES
    user_id=1008319
    Originator: YES

    OK