Bug in MiTM proxy Cookie parser #428

Closed
viyatb opened this Issue May 1, 2015 · 4 comments

Member

viyatb commented May 1, 2015

@7a: I tried to use the OWTF proxy and got the following:
[!] unknown Cookie attribute: 'Expires=Fri'

On the browser I got:

Secure Connection Failed

An error occurred during a connection to control-center.1und1.de. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

This suggests that we are NOT MiTMing things properly when the target supports SSL and (maybe) sends weird cookies.

viyatb added the Bug label May 1, 2015

viyatb May 1, 2015

Member

This is mostly due to weird cookies which couldn't be parsed correctly in a dict object. I am looking into this :)

marioskourtesis May 5, 2015

Contributor

I noticed this bug as well.

7a Jun 28, 2015

Member

From a new test, it looks like this is still happening (develop branch):
NOTE: The below suggests that tornado parsing of cookies in incoming requests might be breaking the request before it reaches the target, hence making many cookie tampering attempts invalid, potentially. If true, that's really bad, we need to preserve the tests of the tools that we proxy.

[!] unknown Cookie attribute: 'window.top._9d99676ef7d75c84f968a4dd0599e79f_taint_tracer.log_execution_flow_sink()'
[!] unknown Cookie attribute: '"//"'
[!] unknown Cookie attribute: 'waitfor delay '0:0:8'-- "'
[!] unknown Cookie attribute: 'Thread.sleep(4000)'
[!] unknown Cookie attribute: '#"'
[!] unknown Cookie attribute: 'window.top._9d99676ef7d75c84f968a4dd0599e79f_taint_tracer.log_execution_flow_sink()"//"'
[!] unknown Cookie attribute: '/bin/cat /etc/security/passwd '
[!] unknown Cookie attribute: '""'
[!] unknown Cookie attribute: '/bin/cat /etc/master.passwd '
[!] unknown Cookie attribute: '""'
Traceback (most recent call last):
  File "/root/owtf_develop/owtf.py", line 300, in
    main(sys.argv)
  File "/root/owtf_develop/owtf.py", line 277, in main
    run_owtf(core, args)
  File "/root/owtf_develop/owtf.py", line 240, in run_owtf
    if core.start(args):
  File "/root/owtf_develop/framework/core.py", line 241, in start
    if self.initialise_framework(options):
  File "/root/owtf_develop/framework/core.py", line 263, in initialise_framework
    self.start_proxy(options) # Proxy mode is started in that function.
  File "/root/owtf_develop/framework/core.py", line 191, in start_proxy
    self.TransactionLogger.start()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 130, in start
    self._popen = Popen(self)
  File "/usr/lib/python2.7/multiprocessing/forking.py", line 125, in init
    code = process_obj._bootstrap()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 273, in _bootstrap
    import traceback
MemoryError
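
An illustration of the requirement stated in the comment above, added here as an example and not taken from OWTF or from any participant in this thread: the proxy forwards the Cookie request header exactly as received and uses a lenient parse only for its transaction log, so fragments a strict parser would reject still reach the target. The function names and the sample header are hypothetical.

```python
"""Added example: keep a proxied Cookie header intact while still logging it."""
import re

# RFC 6265 cookie-name is an RFC 7230 token.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_lenient(raw):
    """Split a Cookie header for logging only; never raises, never drops.

    Returns (pairs, leftovers): name=value pairs whose name is a valid
    token, and every other non-empty fragment exactly as it appeared.
    """
    pairs, leftovers = [], []
    for fragment in raw.split(";"):
        name, sep, value = fragment.partition("=")
        if sep and TOKEN.fullmatch(name.strip()):
            pairs.append((name.strip(), value.strip()))
        elif fragment.strip():
            leftovers.append(fragment)
    return pairs, leftovers


def rebuild_from_pairs(raw):
    """What a parse-then-reserialise proxy would send upstream (lossy)."""
    pairs, _ = parse_lenient(raw)
    return "; ".join("%s=%s" % pair for pair in pairs)


def forward_cookie_header(raw):
    """Return the header unchanged for forwarding, plus a log record."""
    pairs, leftovers = parse_lenient(raw)
    log_entry = {"cookies": dict(pairs), "unparsed": leftovers}
    return raw, log_entry


# Constructed request header (hypothetical); the two odd fragments are
# strings that appear in the log output quoted in this thread.
SAMPLE = "sid=abc123; lang=\"en\"; Thread.sleep(4000); waitfor delay '0:0:8'-- \""

if __name__ == "__main__":
    forwarded, entry = forward_cookie_header(SAMPLE)
    print("forwarded unchanged:", forwarded == SAMPLE)
    print("lossy rebuild      :", rebuild_from_pairs(SAMPLE))
    print("logged as unparsed :", entry["unparsed"])
```

Comparing the forwarded header with the received one for each logged transaction is a cheap regression check for this class of bug.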

viyatb Dec 9, 2015

Member

This is not tornado but the cookie parser library. I am referencing this as a duplicate of a more recent issue #514

viyatb added a commit that referenced this issue Dec 9, 2015

viyatb added the ready label Dec 10, 2015

viyatb added a commit that referenced this issue Dec 10, 2015

viyatb closed this Dec 10, 2015
