Vigil@nce - HTTP: Man-in-the-Middle via Proxy CONNECT
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle when an HTTP proxy is
configured, in order to obtain passwords of users of this proxy.
– Impacted products: HTTP protocol, SSL protocol.
– Severity: 1/4.
– Creation date: 18/08/2016.
DESCRIPTION OF THE VULNERABILITY
When an HTTP proxy is configured, the web browser uses the HTTP
CONNECT method to ask the proxy to setup a secured TLS session.
However, the HTTP CONNECT query and its reply are sent in a clear
HTTP session. An attacker can act as a Man-in-the-Middle, and
spoof a 407 Proxy Authentication reply to the client. The victim
then sees an authentication windows, and may enter his password,
which is sent to the attacker’s server.
It can be noted that this vulnerability impacts all session types
requested to the proxy, but as the victim requests an https/TLS
url, he expects his session to be encrypted. It is thus a
perception problem, instead of a real new vulnerability.
An attacker can therefore act as a Man-in-the-Middle when an HTTP
proxy is configured, in order to obtain passwords of users of this
proxy.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/HTTP-Man-in-the-Middle-via-Proxy-CONNECT-20428