HTTP PUT Malware

Q:

Hello -

I’m assessing the vulnerability of a web service application, and have been trying to find out whether this sort of scenario is possible, and if so, what to do about it.

Is there any sort of malware that could be installed on a user’s PC, such that it would intercept non-browser based HTTP requests (consisting of data to be PUT), send this data to a site run by the malware authors, and then issue the PUT to the intended web site? The effect being that the data is sent to the correct web site, but a copy is also sent to another location, unbeknownst to the user.

If this is possible, would HTTPS circumvent this?

I’ve searched and searched but cannot find anything addressing this.

A:

Hi,

What you are describing sounds like a Proxy server. In essence, proxies receive requests made by the user, send them to their original destination, receive the response from the destination and redirect that response to the user.

The use of PUT requests to implement this is the first time I have heard of it; however, it is not something that would be impossible to do.

For Proxy servers – HTTPS might trigger a warning on the part of the proxy as the certificate of the web site being accessed would be different from that of the proxy server from which you are receiving the HTTPS traffic back.

For Malware – As no traffic is being sent to the real destination, HTTPS or HTTP would make no difference. In both cases your traffic is being modified and possibly manipulated. Mozilla/IE might detect this manipulation, or might not; I cannot be certain.
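The question is whether HTTPS protects a non-browser client from having its PUT traffic interposed on. The answer above notes that an interposing proxy must present its own certificate, so the protection only holds if the client actually verifies that certificate; a browser warns, but a scripted client may have verification switched off and never notice. The following Go program is an added example (not code from the original thread) that demonstrates the check: it starts an in-process HTTPS endpoint with a self-signed certificate (the position an interposing proxy is in), then issues a PUT with three client configurations. The endpoint, payload and function names are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newEndpoint starts an in-process HTTPS server. httptest issues it a
// self-signed certificate that no default trust store recognises, which is
// exactly what a client sees when something other than the real site
// terminates its TLS connection. (Constructed stand-in for the scenario.)
func newEndpoint() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "%s received, %d bytes", r.Method, len(body))
	}))
}

// tryPut sends a PUT with the given client and reports whether the request
// was delivered (true) or refused by the client before any data left it.
// The second value carries the client's error text, if any.
func tryPut(client *http.Client, url string) (bool, string) {
	req, err := http.NewRequest(http.MethodPut, url, strings.NewReader("constructed PUT payload"))
	if err != nil {
		return false, err.Error()
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err.Error()
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, ""
}

// VerifyingClientRejectsUntrustedCert uses Go's default client, which
// verifies the server certificate against the system trust store. The
// PUT never leaves the client: the TLS handshake fails with an x509 error.
func VerifyingClientRejectsUntrustedCert() (bool, string) {
	srv := newEndpoint()
	defer srv.Close()
	return tryPut(&http.Client{}, srv.URL)
}

// NonVerifyingClientAcceptsAnyCert shows the misconfiguration that removes
// the protection: with InsecureSkipVerify the client sends the payload to
// whoever answers, and the interposition described in the question works.
func NonVerifyingClientAcceptsAnyCert() (bool, string) {
	srv := newEndpoint()
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // do not do this in production
	}}
	return tryPut(client, srv.URL)
}

// PinnedClientAcceptsExpectedCert trusts exactly the certificate the real
// service is expected to present (srv.Client() is pre-configured with it),
// so the legitimate endpoint is accepted while any other certificate would
// still be refused.
func PinnedClientAcceptsExpectedCert() (bool, string) {
	srv := newEndpoint()
	defer srv.Close()
	return tryPut(srv.Client(), srv.URL)
}

func main() {
	for name, fn := range map[string]func() (bool, string){
		"verifying client":     VerifyingClientRejectsUntrustedCert,
		"non-verifying client": NonVerifyingClientAcceptsAnyCert,
		"pinned client":        PinnedClientAcceptsExpectedCert,
	} {
		ok, errText := fn()
		fmt.Printf("%-20s delivered=%v %s\n", name, ok, errText)
	}
}
```

The practical check for a web service owner is therefore not "does the client use HTTPS" but "does the client refuse a certificate it does not expect"; the first function models a client that does, the second one that does not, and the third the stricter pinned configuration.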

WhiteAcid (http://www.whiteacid.org):

    1. Read all incoming HTTP packets.
    2. Check their UA (unreliable I know, but probably sufficient).
    3. Throw away anything with a UA equal to a known browser, which leaves you with (hopefully) non-browser based HTTP traffic.
    4. See if it fits the criteria and if so send the packet to an arbitrary remote server.

    Not easy to do, but not impossible.

    I do think that SSL would mess things up. I just ran Ethereal and sent off credentials to an HTTPS site. The packets didn’t make any sense at all. Maybe this is my fault, not Ethereal’s; I’m not sure.