https://vigilance.fr/
Vigil@nce - HTTP: Man-in-the-Middle via Proxy CONNECT September 2016 by Vigil@nce This bulletin was written by Vigil@nce : https://vigilance.fr/offer SYNTHESIS OF THE VULNERABILITY An attacker can act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy. Impacted products: HTTP protocol, SSL protocol. Severity: 1/4. Creation date: 18/08/2016. DESCRIPTION OF THE VULNERABILITY When an HTTP proxy is configured, the web browser uses the HTTP CONNECT method to ask the proxy to setup a secured TLS session. However, the HTTP CONNECT query and its reply are sent in a clear HTTP session. An attacker can act as a Man-in-the-Middle, and spoof a 407 Proxy Authentication reply to the client. The victim then sees an authentication windows, and may enter his password, which is sent to the attacker’s server. It can be noted that this vulnerability impacts all session types requested to the proxy, but as the victim requests an https/TLS url, he expects his session to be encrypted. It is thus a perception problem, instead of a real new vulnerability. An attacker can therefore act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy. ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN