browsermob-proxy
Fixing credentials leak
When chaining an upstream proxy to BMP through an HTTPS connection, the upstream proxy credentials should be sent only with the CONNECT request. Otherwise, if the upstream proxy does not provide man-in-the-middle, it will be unable to dismiss the Proxy-Authorization header, so the header will eventually leak to the endpoint site, which is a serious security flaw.

A site that reports the Proxy-Authorization header: https://www.piliapp.com/what-is-my/http-request-headers/

Other sites might not report it; I already opened an issue with httpbin.org.
To fix this, I have added two more conditions for adding the credentials header:
1. The request should be CONNECT.
2. Otherwise, the URI should not start with '/', which means we are in plain HTTP mode.
In HTTP mode we should always pass credentials with each request.
I hope this helps.
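The following is an added illustration of the rule described above, written in Python for readability rather than in the proxy's own Java; it is not code from this PR or from BrowserMob Proxy. The function and variable names, the sample credentials and the three constructed requests are all made up for the example. It encodes the two conditions (CONNECT, or an absolute-form request target that does not start with '/'), builds each outbound request accordingly, and then checks what the receiving side would actually see.

```python
"""
Added example (not BrowserMob Proxy code): attach upstream-proxy credentials
only to CONNECT requests and to absolute-form (plain HTTP) requests, never to
origin-form requests that are written into an established HTTPS tunnel.
"""
import base64

# Constructed credentials for the example; hypothetical values.
UPSTREAM_USER = "proxyuser"
UPSTREAM_PASS = "s3cret"


def proxy_auth_value(user: str, password: str) -> str:
    """Basic credentials as carried in a Proxy-Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def should_add_proxy_auth(method: str, request_target: str) -> bool:
    """The two conditions from the PR description.

    1. CONNECT: the request is addressed to the upstream proxy, which
       consumes the credentials and opens the tunnel.
    2. Otherwise the target must be absolute-form (http://host/path):
       plain HTTP mode, where the upstream proxy sees every request.

    A target starting with '/' (origin-form) means the request travels
    inside a tunnel the upstream proxy cannot inspect, so the header
    would reach the origin server instead of the proxy.
    """
    if method.upper() == "CONNECT":
        return True
    return not request_target.startswith("/")


def build_request(method: str, target: str, headers: dict) -> str:
    """Serialize one request, adding Proxy-Authorization only when allowed.

    Any Proxy-Authorization already present in `headers` is dropped when
    the rule says not to send it, so a stale header cannot slip through.
    """
    out = dict(headers)
    if should_add_proxy_auth(method, target):
        out["Proxy-Authorization"] = proxy_auth_value(UPSTREAM_USER, UPSTREAM_PASS)
    else:
        out.pop("Proxy-Authorization", None)
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in out.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def carries_proxy_credentials(raw_request: str) -> bool:
    """What the receiving side sees: does the request include
    Proxy-Authorization? For a request that reaches the origin server,
    True means the upstream proxy credentials have leaked."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return any(line.lower().startswith("proxy-authorization:")
               for line in head.split("\r\n")[1:])


if __name__ == "__main__":
    # CONNECT sent to the upstream proxy: credentials are required here.
    connect = build_request("CONNECT", "example.com:443",
                            {"Host": "example.com:443"})
    # GET written inside the TLS tunnel to the origin: must not carry them.
    tunneled = build_request("GET", "/",
                             {"Host": "example.com",
                              "Proxy-Authorization": "Basic stale"})
    # Plain HTTP through the upstream proxy: absolute-form, credentials sent.
    plain = build_request("GET", "http://example.com/",
                          {"Host": "example.com"})
    for name, req in (("CONNECT", connect), ("tunneled GET", tunneled),
                      ("plain HTTP GET", plain)):
        print(f"{name}: Proxy-Authorization present = "
              f"{carries_proxy_credentials(req)}")
```

The `tunneled` case is the one the PR is about: even if a Proxy-Authorization header was already on the request, `build_request` strips it because an origin-form target means the bytes go straight to the site behind the tunnel. A quick manual check with a real setup is to point the chain at a site that echoes request headers, as the PR description suggests, and confirm the header is absent.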
Hi @jekh, do you plan to accept this any time soon? Do you have any objections or questions that I can help with? I have no problem running my own fork of BMP, but the fix is critical IMHO. Or maybe it's only me here who cares about my proxy username and password not being given away to each site I visit? We're all busy, totally understood.
@aliowka, We have an actively maintained fork of the BrowserMob Proxy, renamed to the BrowserUp Proxy with Java 11 support and modern dependencies. Feel free to open a PR there. We may eventually move this in anyway as it seems useful. Cheers! Eric
Thanks @ericbeland will do.
We merged this fix into the BrowserUp Proxy today. Cheers!