SSL URL bypass observation
Oct. 09, 2010, 03:17 PM (This post was last modified: Oct. 10, 2010 12:46 AM by whenever.)
This is related to topic http://prxbx.com/forums/showthread.php?tid=1674. I had thought to suggest adding the entry below to the bypass list if he doesn't want to use Half-SSL mode, but then I noticed it doesn't work as I expected.

Code:
[^/]++.akamai.net:443/*.css

Test URL: https://a248.e.akamai.net/f/248/1856/90m...m/home.css

The above entry produced the log below:

Quote:
+++GET 18+++
CONNECT / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: a248.e.akamai.net
Referer: http://slashdot.org/search/referrer-karm...q=Big+Bang
BlockList 18: in Bypass-SSL, line 49

+++SSL:GET 18+++
SSL cipher TLSv1 RC4-MD5 (128 bits)
GET /f/248/1856/90m/www.wellsfargo.com/home.css HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; IE7Pro; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)
Host: a248.e.akamai.net
Accept-Encoding: gzip, deflate
Connection: keep-alive

+++SSL:RESP 18+++
SSL cipher TLSv1 AES256-SHA (256 bits)
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Content-Length: 9275
Content-Type: text/css
Last-Modified: Thu, 23 Sep 2010 20:28:03 GMT
Accept-Ranges: bytes
Date: Sat, 09 Oct 2010 14:11:44 GMT
Connection: keep-alive
+++CLOSE 18+++

In this case, Proxomitron didn't modify the data but decrypted the incoming data, then re-encrypted it using the self-signed certificate before sending it on, so it doesn't solve the issue in the above-mentioned topic.

Without the bypass entry the log would be:

Quote:
+++GET 21+++
CONNECT / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: a248.e.akamai.net
Referer: http://slashdot.org/search/referrer-karm...q=Big+Bang
BlockList 21: in User-Agents, line 40
GET 21 : Time: 22:14:20::286

+++SSL:GET 21+++
SSL cipher TLSv1 RC4-MD5 (128 bits)
GET /f/248/1856/90m/www.wellsfargo.com/home.css HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
Host: a248.e.akamai.net
Connection: keep-alive
RESP 21 : Time: 22:14:20::661

+++SSL:RESP 21+++
SSL cipher TLSv1 AES256-SHA (256 bits)
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Content-Length: 9275
Content-Type: text/css
Last-Modified: Thu, 23 Sep 2010 20:28:03 GMT
Accept-Ranges: bytes
Date: Sat, 09 Oct 2010 14:14:19 GMT
Connection: keep-alive
Cache-Control: public, max-age=86400
|.*.URL-ID: (21) https://a248.e.akamai.net:443/f/248/1856...m/home.css
Match 21: Top All Mark: Start 04.07.11 (multi) [sd] (d.r)
Match 21: Top All Mark: End 06.12.25 [sd] (d.r)

+++CLOSE 21+++

In this case, Proxomitron decrypted the SSL data, applied the matched filters, then re-encrypted the data using the self-signed certificate before sending it on.

The entry below would switch Proxomitron to pass-thru mode.

Code:
[^/]++.akamai.net:

The log:

Quote:
+++SSL 28:+++
SSL Pass-Thru: CONNECT https://a248.e.akamai.net:443/

In this case, SSL data is simply passed to the server/browser without any alteration.

Conclusion:
There is no way to really bypass (pass-thru mode) a specific SSL URL that contains a path or file parameter. You can only bypass the whole domain/host, which might not be what you want.

This is because Proxomitron has to decrypt the SSL data to see the full request line. Before that, it can only see the server and port it is connecting to.
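
Added example, not part of the original post and not Proxomitron's code: a simplified Python model of the two decision points the conclusion describes, one at CONNECT time (host and port only) and one after decryption (full request line). The glob rule format `hostglob:port/pathglob`, the function names and the authority-form CONNECT line are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Proxomitron's matcher or list syntax.
from fnmatch import fnmatchcase

def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line; it carries no path."""
    method, authority, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    return host.lower(), int(port)

def split_rule(rule):
    """Split a hypothetical 'hostglob:port/pathglob' rule into (host, port, path)."""
    hostport, slash, path = rule.partition("/")
    host, _, port = hostport.partition(":")
    return host.lower(), (int(port) if port else None), (slash + path if slash else None)

def host_matches(rule_parts, host, port):
    rhost, rport, _ = rule_parts
    return fnmatchcase(host, rhost) and rport in (None, port)

def connect_decision(connect_line, rules):
    """Decision available before the TLS handshake: host and port only."""
    host, port = parse_connect(connect_line)
    for parts in map(split_rule, rules):
        if host_matches(parts, host, port) and parts[2] is None:
            return "pass-thru"   # host-only rule: tunnel is relayed untouched
    return "intercept"           # path rules cannot be evaluated yet

def request_decision(host, port, path, rules):
    """Decision after decryption: the tunnel is already intercepted."""
    for parts in map(split_rule, rules):
        if host_matches(parts, host.lower(), port) and parts[2] is not None \
                and fnmatchcase(path, parts[2]):
            return "relay-unfiltered"   # decrypted and re-encrypted, no filters
    return "filter"

# Constructed sample input (authority-form CONNECT, path taken from the log above).
CONNECT_LINE = "CONNECT a248.e.akamai.net:443 HTTP/1.0"
CSS_PATH = "/f/248/1856/90m/www.wellsfargo.com/home.css"

if __name__ == "__main__":
    for rules in (["*.akamai.net:443/*.css"], ["*.akamai.net:"]):
        print(rules, "->", connect_decision(CONNECT_LINE, rules))
    print(request_decision("a248.e.akamai.net", 443, CSS_PATH, ["*.akamai.net:443/*.css"]))
```

In this model a rule with a path can only ever select "relay-unfiltered", which still means the browser sees the proxy's certificate; only a host-only rule reaches "pass-thru".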