HTTP traffic eavesdropping

Almost all data exchanged between a client and a server on the web travels over HTTP. But is an HTTP connection secure? Definitely not.

This article introduces the security problems of HTTP data transmission and how to defend against them.

The HTTP transmission process

  • Client

The apps, websites and mini-programs used by end users.

  • Link

The path a request takes from the client to the back-end service; it may pass through network nodes such as load balancers (ELBs), leased lines and network rules (VPCs).

  • Server side

Responds to the client's request and stores the request data.

Generally speaking, HTTP is transmitted in plaintext. When the front end sends an HTTP request to the back end, it passes through various gateways, nodes and leased lines before reaching the target server. Any node on that path can read the HTTP traffic, so the data can be eavesdropped on and tampered with at will. This is the weakness of HTTP plaintext transport.

If the transport layer is not secured, the XSS and CSRF defenses inside the application are meaningless: an attacker on the path can inject script into any page or read the session data directly.

Hazards of HTTP transmission eavesdropping

Hacking

  • Eavesdropping on sensitive user information

Any sensitive user information that is transmitted over the network can be read: for example, the login account and password of a bank, or the contents of an email.

Tampering with the website

  • Change site content and insert advertisements
  • Redirect users to a malicious website
  • Advertising hijacking by the network operator
  • Harvesting passwords on public Wi-Fi

Analysis of Attack Ideas

  • A project that is reachable online over HTTP
  • A proxy service

Users normally access a system A deployed in the cloud through the client, and the request reaches the target server through a number of nodes and network gateways. Although there are many links in the transport layer, most of them are either products of a cloud vendor or deployed by the developers themselves, so they are relatively controlled and secure. What if an uncontrolled, insecure proxy server is added to the transmission path? A few examples:

1. Public Wi-Fi
2.
4. The attacker advertises a "fast and secure" proxy server…

In all of these cases the target server is reached through the proxy server, so whoever controls the proxy can process the traffic there, eavesdropping on and tampering with user data. HTTP traffic eavesdropping happens on the proxy server.

Practice

This section uses the Node.js proxy library AnyProxy as the worked example.

AnyProxy is Alibaba's open source proxy server, used for packet capture and testing on mobile clients. Official address: github.com/alibaba/any…

AnyProxy overview

AnyProxy is an open source proxy server developed by Alibaba on Node.js. A proxy server sits between the client and the server and can collect every bit of communication between the two sides. A complete proxied request goes like this: the client first opens a connection to the proxy server; then, depending on the proxy protocol in use, it asks the proxy to open a connection to the target server or to fetch a specified resource from it. Some proxy protocols allow the proxy server to change the client's original request and the target server's original response. AnyProxy can be configured flexibly. It can proxy HTTPS in plaintext (after its own root CA has been installed and trusted on the client), provides a web interface for observing requests, and supports secondary development: you can control the whole proxy process with JavaScript and build a personalised front-end debugging environment.

Features

  • HTTPS plaintext proxy (the proxy's root CA must be trusted by the client)
  • Low network speed simulation
  • Secondary development: control the entire proxy process with JavaScript and build a personalised front-end debugging environment
  • A web page for viewing requests

Install, start and configure the proxy

1. Global installation

```shell
npm install -g anyproxy
```

2. Start with defaults

```shell
anyproxy              # listens on port 8001 by default
# or
anyproxy --port 8001
```



3. Web interface

On the PC, open http://127.0.0.1:8002/ to reach the web interface.

After this step AnyProxy is running; next, point the browser at it.

4. Configure the Chrome proxy

A. Chrome – Settings – Advanced – Open your computer's proxy settings

B. Proxy – Use a proxy server – Address: 127.0.0.1, Port: 8001

Usage

After visiting the target URL you can see the transmitted data in AnyProxy's web interface.

When the target server is reached through the proxy server, all transmitted data is readable and modifiable by the proxy.

Rule modules

The rule module is the characteristic feature of AnyProxy: a piece of middleware in which you write your own code to eavesdrop on and tamper with requests and responses at each stage of the proxy. The simplified official example request_header.js:

```javascript
/*
  sample: modify the user-agent in requests toward httpbin.org
  test: curl http://httpbin.org/user-agent --proxy http://127.0.0.1:8001
*/
module.exports = {
  *beforeSendRequest(requestDetail) {
    // Only requests to httpbin.org are touched; everything else passes through unchanged
    if (requestDetail.url.indexOf('http://httpbin.org') === 0) {
      const newRequestOptions = requestDetail.requestOptions;
      newRequestOptions.headers['User-Agent'] = 'AnyProxy/0.0.0';
      return {
        requestOptions: newRequestOptions
      };
    }
  }
};
```

response_header.js

```javascript
/*
  sample: modify the response header of http://httpbin.org/user-agent
  test: curl -I 'http://httpbin.org/user-agent' --proxy http://127.0.0.1:8001
  expected response header: x-proxy-by: AnyProxy
*/
module.exports = {
  *beforeSendResponse(requestDetail, responseDetail) {
    if (requestDetail.url.indexOf('http://httpbin.org/user-agent') === 0) {
      const newResponse = responseDetail.response;
      // Add a header the client never asked for; any header could be changed the same way
      newResponse.header['X-Proxy-By'] = 'AnyProxy';
      return {
        response: newResponse
      };
    }
  }
};
```

Then load the rule module when starting the proxy server, which completes the proxy setup:

```javascript
var proxy = require("anyproxy");

// Create the root certificate when you want to use the HTTPS features.
// Please manually trust this root CA the first time you run it!
// (generate it only if it does not exist yet)
!proxy.isRootCAFileExists() && proxy.generateRootCA();

var options = {
    type          : "http",
    port          : 8001,
    hostname      : "localhost",
    rule          : require("path/to/my/ruleModule.js"), // proxy rule module
    dbFile        : null,   // optional, save request data to a specified file; in-memory db if not specified
    webPort       : 8002,   // optional, port for the web interface
    socketPort    : 8003,   // optional, internal port for the web socket; change it if it conflicts with your own service
    throttle      : 10,     // optional, speed limit in kb/s
    disableWebInterface : false, // optional, set it when you don't want the web interface
    setAsGlobalProxy : false,    // set anyproxy as your system proxy
    silent        : false        // optional, print nothing to the terminal; leave false while debugging
};
new proxy.proxyServer(options);
```

As the analysis shows, the rule code can eavesdrop on, save and tamper with every request and response that a user sends to the target server through the proxy. Put that together with public Wi-Fi or a "free proxy" abroad: once an attacker runs the proxy, the user's data has no security at all.

HTTP transmission eavesdropping defense

Sensitive data encryption

Encrypting sensitive fields at the application layer (for example the password inside a login request) is a useful extra layer, but it is not a substitute for a secure transport, and "the more complicated the scheme, the safer it is" does not hold. MD5 is a hash, not encryption: sending md5(password) hides the password text, but the digest is the same every time, so an eavesdropper can simply replay it. Home-grown combinations of MD5, AES and "special symbols" add confusion, not security. If a field is to be encrypted, use a standard authenticated cipher such as AES-GCM with a key that is never sent over the same channel, and still put the whole request under HTTPS.

HTTPS

HTTP + TLS (SSL) => HTTPS. On top of HTTP, TLS (formerly SSL) encrypts the data, verifies the identity of the peer and protects data integrity.

HTTPS features

  • Content encryption – hybrid encryption is used, so nodes in the middle cannot read the plaintext directly.
  • Authentication – a CA-issued certificate proves that the server the client reached is the authenticated one.
  • Data integrity – data cannot be tampered with in transit without detection.

Client – middle tier – target server: a middle tier that could decrypt the browser's data, re-encrypt it and forward it to the server would bring back exactly the HTTP eavesdropping and tampering risk. This is where the authentication step comes in: the encryption must be set up with a party whose identity has been verified, which is the job of the CA certificate mechanism. The browser ships with a built-in list of trusted root CAs and uses it to decide whether the target web server is trustworthy. The server operator applies for a certificate from a CA; when a site with a certificate is visited, the browser checks that the certificate chains to a trusted root and that its domain name matches the server being accessed, and only then completes the connection. This is also why AnyProxy can read HTTPS only after its own root CA has been manually installed in the client's trust store: without that step the browser rejects the certificate the proxy presents.

What the certificate mechanism provides

  • Confidentiality – only the intended recipient can read the message.
  • Authentication – the identity of the sender of the message is verified.
  • Integrity – the message cannot be altered in transit without detection.
  • Non-repudiation – the sender cannot deny having sent a message.
  • Together these secure the data exchange between the requester and the server.

What CA certificate security relies on

  • Certificates cannot be forged
  • The certificate's private key is not leaked
  • Control of the domain name is not lost
  • CAs follow the principle of validating domain ownership before issuing

Resources

  • npm – anyproxy
  • Baidu Encyclopedia – HTTPS
  • Baidu Encyclopedia – CA certificate