About Pretty-Bad-Proxy (PBP)

Source: Internet
Author: User

Surging clouds
Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments

This paper appears to have been written by several Chinese researchers at Microsoft Research.

We know that HTTPS is considered secure as long as there is no man-in-the-middle attack with a forged certificate (SSLv3 protects against man-in-the-middle attacks).

However, even though a malicious proxy cannot directly read HTTPS-encrypted plaintext, an attacker can still combine the proxy with some client-side attack techniques to reach the same goal. This is PBP.

The PBP paper describes four attack techniques, all of which are very interesting.

I did a small test of the first one.



Environment: an evil proxy simulated with Paros
Browser: IE8

Step 1: Browser access: https://mybank.icbc.com.cn/icbc/perbank/index.jsp

Step 2: Paros tampers with the returned response so that a 502 error is returned instead (other error codes should also work). The error page inserts an iframe that makes the browser request the real address, together with a script:

<iframe src="https://mybank.icbc.com.cn/icbc/newperbank/logonIdsearch125.jsp" id="ifr"></iframe>
<script>
// Wait for the frame to load, then read its DOM. The read is allowed because the
// proxy's 502 page and the framed bank page share the same https origin.
setTimeout(function () {
    alert(document.getElementById("ifr").contentDocument.body.innerHTML);
}, 5000);
</script>


Step 3: The following request shows that the iframe content was read successfully.



Explanation:
Note that the attack process above involves no HTTPS man-in-the-middle attack (apart from Paros acting as the simulated proxy), so in a real environment the browser will not show any certificate warning.

The attack succeeds because the malicious script satisfies the browser's same-origin policy (same domain, same port, same scheme: https).

Therefore it can read the content of the iframe in the same domain.

It can not only read the content of the iframe but also submit data to that domain.
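As an added example (not code from the original post or from the PBP paper), the following script models the browser-side origin check that lets this step succeed, and the mitigation the explanation points at: treating a proxy-supplied error page as having no origin at all. The `fromProxyError` field and the `proxyErrorIsolation` option are assumptions made for illustration, not real browser settings.

```javascript
// Origin of a URL as (scheme, host, port), RFC 6454 style, with default ports filled in.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'https:': '443', 'http:': '80' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// A document as the browser sees it: the URL it was requested for, and whether the
// bytes came from the origin server or from a proxy error response (a 502 answered
// to the CONNECT request before any TLS handshake took place). The fromProxyError
// field is an assumption for this model.
function documentOrigin(doc, opts = { proxyErrorIsolation: false }) {
  if (doc.fromProxyError && opts.proxyErrorIsolation) {
    return null; // opaque origin: matches nothing, so the page cannot touch the real site
  }
  return originOf(doc.url); // legacy behaviour: the error page inherits the requested origin
}

// Same-origin policy check for reading a frame's DOM from its parent document.
function canReadFrame(parentDoc, frameDoc, opts) {
  const a = documentOrigin(parentDoc, opts);
  const b = documentOrigin(frameDoc, opts);
  return a !== null && b !== null && a === b;
}

// Constructed scenario mirroring the post: the proxy answers the bank URL with its
// own 502 page, which frames the real login page.
const proxyPage = { url: 'https://mybank.icbc.com.cn/icbc/perbank/index.jsp', fromProxyError: true };
const realFrame = { url: 'https://mybank.icbc.com.cn/icbc/newperbank/logonIdsearch125.jsp', fromProxyError: false };
const httpPage = { url: 'http://mybank.icbc.com.cn/', fromProxyError: false };

function demo() {
  return {
    // Legacy browser: the 502 page is same-origin with the frame, so the read succeeds.
    legacy: canReadFrame(proxyPage, realFrame),
    // Mitigated browser: the proxy error page gets an opaque origin and the read fails.
    isolated: canReadFrame(proxyPage, realFrame, { proxyErrorIsolation: true }),
    // Plain http page: different scheme and port, never same-origin with the https frame.
    crossScheme: canReadFrame(httpPage, realFrame),
  };
}
```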


Risks:
The above is only a PoC, but in a real attack environment one could read the CSRF token, attempt XSS in this domain, or try to intercept the username and password. Some HTTPS cookies lack the Secure attribute, so scripts served over HTTP can read them.

These are very real risks.

The four attack methods described in the paper are very typical and interesting, including some that bypass the browser's security prompt dialog and icon.

Proxies are very common today: mobile browsers, for example, schools, some intranets, and web proxies used to bypass the GFW.


Defense:
Browser improvements may curb this problem to some extent.


Finally, given the current fashion for hyped-up concepts, I still do not recommend formally defining a "PBP attack method"; I will simply keep calling it PBP.
