
#4 Data Stream Manipulation

open
nobody
8
2008-07-15
2008-07-15
Mike Zusman
No

Proxy users need to be able to manipulate bytes as they are examined by the proxy. The problem is that different applications use different buffer lengths when writing data to the socket.

For example, a proxy user might want to search for and replace a specific string in the data stream. For example, the user might want to replace NOTEPAD.EXE with MALICIOUS.EXE.

Because the client or server that will be sending the data might use an arbitrary buffer length, the proxy might only have part of the string in its active buffer at any given time.

Example:

Server write: LAUNCH_EXE:NOTEPA
PROXY RECV: LAUNCH_EXE:NOTEPA
PROXY SAR: NOTEPAD.EXE NOT FOUND
PROXY WRITE: LAUNCH_EXE:NOTEPA
Server write: D.EXE&filename=test.txt
PROXY RECV: D.EXE&filename=test.txt
PROXY SAR: NOTEPAD.EXE NOT FOUND
PROXY WRITE: D.EXE&filename=test.txt

From an architectural point of view, the proxy needs to be able to accumulate data before analyzing and sending it on. The question is, how much data to accumulate?

HTTP proxies don't have this problem because the HTTP protocol is clearly defined and delimited. Proprietary protocols don't always afford this luxury.
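For a fixed search string, one answer to the accumulation question is to hold back only the tail of the buffer that could still be the start of a match, which is never more than len(needle) - 1 bytes. The sketch below is an added example, not code from this project; the names StreamReplacer and rewrite are hypothetical, and it assumes the proxy calls flush() when the connection closes or goes idle.

```python
class StreamReplacer:
    """Search-and-replace on a byte stream that arrives in arbitrary chunks."""

    def __init__(self, needle: bytes, replacement: bytes):
        if not needle:
            raise ValueError("needle must not be empty")
        self.needle = needle
        self.replacement = replacement
        self.held = b""  # unsent tail that may be the start of a match

    def _partial_len(self, tail: bytes) -> int:
        # Longest suffix of tail that is a proper prefix of the needle.
        for k in range(min(len(self.needle) - 1, len(tail)), 0, -1):
            if tail.endswith(self.needle[:k]):
                return k
        return 0

    def feed(self, chunk: bytes) -> bytes:
        """Return the bytes that are safe to forward after this read."""
        data = self.held + chunk
        out = bytearray()
        pos = 0
        while (hit := data.find(self.needle, pos)) >= 0:
            out += data[pos:hit] + self.replacement
            pos = hit + len(self.needle)
        tail = data[pos:]
        cut = len(tail) - self._partial_len(tail)
        out += tail[:cut]
        self.held = tail[cut:]  # never more than len(needle) - 1 bytes
        return bytes(out)

    def flush(self) -> bytes:
        """Release held bytes on connection close or an idle timeout."""
        held, self.held = self.held, b""
        return held


def rewrite(chunks, needle, replacement):
    """Run every chunk through one StreamReplacer; return the proxy writes."""
    sr = StreamReplacer(needle, replacement)
    writes = [sr.feed(c) for c in chunks]
    writes.append(sr.flush())
    return writes


if __name__ == "__main__":
    # The two server writes from the example above.
    reads = [b"LAUNCH_EXE:NOTEPA", b"D.EXE&filename=test.txt"]
    for w in rewrite(reads, b"NOTEPAD.EXE", b"MALICIOUS.EXE"):
        print("PROXY WRITE:", w)
```

Held bytes are delayed, not dropped, so a peer that waits for them before sending more will stall unless flush() also runs on a read timeout.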
