#23 CONNECT command creates always SSL connection



I just stumbled across a problem concerning Proxy clients that are using the CONNECT command for establishing a direct tunneled connection through WebScarab.
The current implementation assumes that such connections are always TLS connections - which sometimes is not the case.

The problem is that the host specified by the CONNECT command does not contain a protocol scheme, therefore we have to guess (or maybe try out?) if the destination port expects a TLS or plain TCP connection. The only available indicator for guessing the protocol scheme is the port number.

Therefore I see three possible options:
1. By default all tunnel connections are assumed to be HTTPS connections, only for common HTTP ports like 80 we use a plain HTTP connection.
2. By default all tunnel connections are assumed to be HTTP connections, only for common HTTPS ports like 443 we use an SSL/TLS encrypted HTTP connection.
3. By default all tunnel connections are assumed to be HTTPS connections. We try to establish the connection and if that fails we fall back to HTTP.

Options 1 and 2 are easy to implement (my modified WebScarab uses option 2). Option 3 needs a bit more work and I don't know if it implies further problems.

Affected class: org.owasp.webscarab.model.Request
public void parse(StringBuffer buff);
public void read(InputStream is, HttpUrl base);
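
Options 1 and 2 from the report above, sketched as an added example; this is neither WebScarab's code nor the reporter's modified class, and the class name, method name and port sets are assumptions. It shows where the two policies disagree: a CONNECT target on a port such as 8080 that is in neither list.

```java
import java.util.Set;

// Added illustration, not WebScarab code: all names here are hypothetical.
public class ConnectSchemeGuess {
    enum Policy { HTTPS_UNLESS_KNOWN_HTTP, HTTP_UNLESS_KNOWN_HTTPS }   // options 1 and 2

    // Assumed port lists; the ticket only names 80 and 443 as examples.
    static final Set<Integer> KNOWN_HTTP = Set.of(80);
    static final Set<Integer> KNOWN_HTTPS = Set.of(443);

    /** Turns a CONNECT request line into the base URL the tunnel is assumed to carry. */
    static String baseUrl(String requestLine, Policy policy) {
        String[] parts = requestLine.trim().split(" +");
        if (parts.length != 3 || !parts[0].equals("CONNECT"))
            throw new IllegalArgumentException("not a CONNECT request line");
        String authority = parts[1];
        // The target is authority-form (host:port) with no scheme; IPv6 literals are bracketed.
        int colon = authority.lastIndexOf(':');
        if (colon <= 0 || colon < authority.lastIndexOf(']'))
            throw new IllegalArgumentException("CONNECT target needs an explicit port");
        String host = authority.substring(0, colon);
        int port;
        try {
            port = Integer.parseInt(authority.substring(colon + 1));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("bad port in CONNECT target", e);
        }
        if (port < 1 || port > 65535)
            throw new IllegalArgumentException("port out of range");
        // Option 1: TLS unless the port is a known plain-HTTP port.
        // Option 2: plain HTTP unless the port is a known HTTPS port.
        boolean tls = (policy == Policy.HTTPS_UNLESS_KNOWN_HTTP)
                ? !KNOWN_HTTP.contains(port)
                : KNOWN_HTTPS.contains(port);
        return (tls ? "https" : "http") + "://" + host + ":" + port + "/";
    }

    public static void main(String[] args) {
        // Constructed sample request lines.
        String[] lines = { "CONNECT example.test:443 HTTP/1.1", "CONNECT example.test:80 HTTP/1.1",
                           "CONNECT example.test:8080 HTTP/1.1", "CONNECT [::1]:8443 HTTP/1.1" };
        for (String line : lines)
            for (Policy p : Policy.values())
                System.out.println(p + "  " + line + "  ->  " + baseUrl(line, p));
    }
}
```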



  • jpstotz

    jpstotz - 2008-01-25

    Modified version class of org.owasp.webscarab.model.Request

  • Rogan Dawes

    Rogan Dawes - 2008-01-25

    Logged In: YES
    Originator: NO

    Can I suggest we take these discussions/reports to the mailing list? It is rather tedious to have to go via SourceForge all the time.


  • jpstotz

    jpstotz - 2008-01-25

    Logged In: YES
    Originator: YES


