#3 Arbitrary MITM Configuration (Question)

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2006-04-21
Created: 2006-04-15
Creator: Strace
Private: No

I am preparing a presentation for BlackHat and would
like your feedback on an issue. It has to deal with a
non-typical Paros configuration that greatly
increases the offensive power of Paros.

If you would kindly comment, I will include it in my
presentation, and mention any bugfix (if any) that is
planned. If this is a feature (that's just not widely
talked about) feel free to comment that no bugfix is
planned or needed. Or, is this a misuse of Paros that
can not be prevented.

Issue:

Paros has a local Proxy. I assume that this proxy is
not meant to proxy arbitrary users, but users who have
configured their browsers to use Paros. If I
configure a URL rewriting proxy to point at Paros as
its outbound proxy server (on localhost:8080), then I
can Man-In-the-Middle any user on the internet's Web
Sessions provided that I can redirect or 'phish' them into
pointing at my external URL Rewriting proxy server.

Impact:

With an upstream URL Rewriting proxy server running
on the same host as Paros, I can indiscriminately
MITM any session with zero user configuration (from
the victim's perspective).

They visit my proxy (which proxies through Paros) and
their entire session is logged and can be
manipulated.

Questions:

Is Paros' 'Local Proxy' configuration intended for
this?

Is this just a feature of Paros (which I have been
told), and is it nothing new or original, because
Paros is a MITM proxy?

Is this abuse of a Paros functionality, a bug, or
just a misuse that can not be prevented?

Note: I realize the difficulty of preventing this
configuration, but I wanted to notify you in the
event that you had an opinion one way or another, or
wanted to take action, one way or another.

Configuration Details

URL Rewriting Proxy (URP) on host X
-configure outbound proxy for localhost:8080

Paros on host X
-no special configuration needed

Results: Anyone who visits URP is MITM'd silently,
without any evidence of it happening.

Thanks.

-strace

Discussion

  • Strace

    Strace - 2006-04-17

    Logged In: YES
    user_id=1485211

    I verified this with paros 3.2.9, but I haven't tried with
    other versions.

    strace

  • Nobody/Anonymous

    Logged In: NO

    I've already answered in the mail to you. Incorrect
    certificate warning will be displayed in the browser.

    parosproxy.org

  • Mike

    Mike - 2006-04-21
    • status: open --> closed
