
Man-in-the-Middle Proxy

So yeah, that's the original title of the talk here: embedding web apps in a man-in-the-middle proxy. That's actually not the talk you're going to get delivered today, but I'll go into that in a minute.

So why did I start trying to embed web apps into a man-in-the-middle proxy, or mitmproxy as I call it? It's easier to say, so that's what I'm going to say for the rest of this talk. I was curious about this mobile game called Ruzzle that my girlfriend told me to play. It's just a word game, kind of like Scrabble or Words with Friends, and I was looking at the HTTP traffic and it was all encrypted, and I was like, oh what the hell, can't really figure it out. As you can see here in the lower left, it's just gobbledygook, but the content type is JSON. Interesting. So I wanted to look at that and be able to examine it from mitmproxy.

So I started off by embedding WSGI apps written in Python into mitmproxy scripts, and as I was doing this I created this crazy UI here. You can see this is running in the web browser, and you can click and view requests and responses, and you actually see the JSON here, so I'm decrypting that encrypted traffic and you can view it. Then it has a checkbox to enable the cheat. It kind of worked, but there were some drawbacks to that, particularly in terms of concurrency and stuff, because everything was single threaded, so basically web requests would block mitmproxy itself.

So this really wound up being unnecessary. Since February, when I started working on this, the mitmproxy developers have added a new web front end to mitmproxy that's really nice, and it turns out I was just using the wrong mechanisms to do this work. While you can embed WSGI apps into mitmproxy, it's an undocumented feature; the developers don't mention it anywhere, I had to find it by looking through their source code. You can't thread-safely interact with the mitmproxy flows; it turns out that it's very non-trivial to introduce thread safety into the netlib library that mitmproxy uses. So the use cases for the embedded WSGI apps are more for things like hosting static assets that you want to deliver to people who are running through your proxy, or running a web server accessible to machines going through the proxy. For my case, where I wanted to just expose some additional functionality based on the application that I was working with, it wound up being easier to hook into the master mitmproxy state directly.

So you're no longer going to see this talk. Instead, the talk that you're going to see is "What My Little Pony: Friendship is Magic Can Teach Us About Threat Intelligence", sponsored by ThreatButt. Just kidding. I'm actually going to talk about plugin support in mitmproxy web, which is what I've added, or: why nobody wants to play mobile games with me anymore.

So what is mitmproxy, for those who don't know? mitmproxy is a Python-based library for HTTP and HTTPS interception. It can automatically create an SSL cert and do SSL interception. I mean, you have to install the cert and bypass pinning in your client app and stuff, but handwave handwave. The developers have a few front ends for it now. There's the web UI, which is what my work primarily focuses on; however, it can be brought into the ncurses GUI, and I plan on doing that. Then there's the mitmproxy front end itself, which is all ncurses-based console stuff, which is where I originally started my work. And then there's mitmdump, which runs completely headless, and you can basically create the HTTP equivalent of a pcap for mitmproxy.

So it's had this scripting interface for a while, which you can invoke through any of the front ends by passing a -s argument on the command line and then the name of the Python script that you're using. This was not actually supported on the mitmproxy web UI when I started doing this work, so I brought the support in and got it all working. Scripts wouldn't even run in the background, much less have fancy buttons in a web UI for you to click.

So I've introduced a couple of new concepts into mitmproxy. The three concepts are view plugins, action plugins and plugin options, and I'm going to go into those more in depth.

A view plugin changes the visual presentation of traffic going across the wire without actually changing what's being sent to the server or client. So this is useful if you just want to transform it in the interface to view a different representation of it. For example, right here I'm showing off a hex view: you'll see at the bottom it says Auto, and there's a new Hex tab. mitmproxy's web UI didn't have hex support when I started this work, so I created a little hexdump plugin, and now you can view hex in the browser, super easy.

I also added plugin options. These are persistent options you can configure; there are different types that you can create, and those just configure the plugin behavior, and they persist across every flow that the plugin runs across. So for example here we have a color switcher plugin, and we have a configurable color in the interface.

I added plugin output. Plugin output is just static text that you can have your script print to the plugin options page to display debug or stateful information about what the plugin is doing. So for example, right here this is for my Ruzzle cheat plugin, and this is just showing the games that it's detected that are in progress and a little bit of information about them.

Then I also added plugin actions, and these are available on either a one-off basis or to run persistently against every flow. So right here this is my color switcher and Pig Latin and pug plugin. The color switcher, like we saw before: you can configure a color you want to switch to, so previously Vice wasn't so pink. And then also the Pig Latin and pug plugin: it changed its text to Pig Latin and changes every image to pugs, and makes Vice a hell of a lot more bearable. Then on the plugin options page you can also configure any plugin actions you create to run across every flow, so you don't have to manually click on the flow and click "run action" again; you can say run on every flow and it'll go.

But back to cheating at mobile games. So it turns out that reversing many Android apps isn't really hard, especially crappy games. You can usually get pretty good Java code out of it after you open up that APK, dex2jar it and poke around. So finding the AES shared secret was super easy, and then the crypto IV wound up being in the request headers themselves. I wrote a basic little routine to decrypt it, tested it against some traffic, it worked, cool.

There were some other things that I thought were interesting that I just want to bring up while I was reversing the game, because they were just bad ideas. For example, the game had rudimentary anti-cheat functionality built into it. It turns out that this game's really popular, there are over 10 million installs according to the Google Play Store, and people have made cheats for it that you can download on the Google Play Store. So the game itself will check to see if any of those processes are running and then report your score as zero. However, this is all enabled on the client, and it won't help against a network attack like what I'm going to show here. And then they also had partial request signing, so the headers had a signature in them, but it only extended to parameters that were actually within the headers; it didn't take into account any of the request body, so for my work at cheating at the game I didn't even have to re-sign anything. And then also the client reports your game score and everything, and the server will just accept it; it doesn't even bother verifying that the score makes sense. You could say "I didn't even play any words but I got a million points" and it's totally fine with it.

So after I wrote my little routine I was able to decrypt the traffic, you can see on the left there, and then I used my new view plugin support to create a view plugin, so now we actually get JSON on the front end. Sweet.

As far as cheating goes, when I first started at this I was like, oh man, we have to look at the board and figure out every possible combination of moves you can make, then compare it against a dictionary and find words and stuff. That wound up not being necessary at all, because it turns out they give you every possible word that you can play in the game requests themselves. So yeah, I just kind of concatenated all these and it worked. So they have a move string format in there; it's a little bit more Java reversing, and it was easy to write a Python implementation of it, and then suddenly I was really good at the game. You can see my score jumped an order of magnitude.

There was some data sent along that could possibly indicate cheating to the service provider, so I was like, it'd be fun to kind of fake that, fudge that around and try and evade any possible detections. So some of those things that they sent along that could indicate cheating if you don't take them into account: they record the swipe distance, which is the distance that your finger actually travels on the screen, and they also record the time that you play each word. So I just kind of fuzzed those. I played a couple of legitimate games and took averages and then added a little fudge factor into it, and it seems to be okay. So yeah, like I said, I wrote some routines to fake all that and wrote a plugin action for it. So basically it'll take that encrypted blob, decrypt it with the AES key and IV from the request, change the state to basically say that you got a bunch of points and you played a bunch of words and you're really good, re-encrypt it and send it along to the server, and you get a bunch of points.

And then I brought in the plugin. So what I did with the plugin: I created a few different things here for this game. I did two plugin actions, one to identify the games, because you can either be player one or player two, and the only way to determine if you're player one or player two is from the read-game request, and then one to actually perform the cheating, which is against the play-round requests, which say which words you played. I added a plugin output option just to show the in-progress games that the script had detected and then would be cheating against. And then of course I implemented that view plugin that would show the decrypted traffic on the front end without actually affecting it on the wire.

Of course all this work goes beyond games; kind of use your imagination here, there are a lot of possibilities. In any circumstance where you want to do any sort of dynamic content replacement or data extraction or exfiltration, or have use-case-specific data views, it could come in handy. So here's some example plugins I kind of thought about: like do a password thief and steal passwords from form posts, or something to embarrass people posting on forums and replace all their posts with something crazy, or a Last Measure plugin that injects JavaScript to open Last Measure on every site that they load and open up Goatse and Lemon Party and stuff. I also thought you could do useful things with it too, like maybe a web app fuzzer, kind of like some of the features that Burp has, where you could look at request parameters that are taken in and then, you know, do some fuzzing with them and then replay all the requests against the server and see how the server responses change and record that. You could also do a malware injector. Then I had an idea earlier: if you saw someone uploading images to Imgur, you could do some stego stuff and hide data in there to exfiltrate. There are a lot of possibilities here.

So the actual process of writing plugins, I'm going to talk about that a bit now, so that you guys can start writing your own. There are two concepts in mitmproxy that are affected by this: contexts and flows. A flow is basically an abstraction of an HTTP request/response. A flow has a few different attributes: the request, which contains contents and headers, etc.; the response, which isn't necessarily there unless the flow has actually gone out to the target server and returned, which also has of course contents and headers, etc.; error, which is about HTTP errors that may have occurred; and then you can also get a reference to the TCP connection to either the server or client itself. Then the context contains a handful of useful utility methods that come in handy when writing scripts. It's known as a script context, and the script context has a log method which you can use to log out to the terminal; you can kill a flow as it's happening so that it won't reach the server or won't reach the client; you can duplicate it; you can replay them. So basically you can take these flows, duplicate them, manipulate them, resend them, kill them, do all kinds of stuff with the script context.

So I'm going to go through a couple of sample plugins here and show how they're implemented, show how simple it is to start doing this and how easy it is to get these things to appear on the UI now. Common to all mitmproxy scripts, they have a start method available; this takes in a context and some arguments, which are taken from the command line. So basically right here we start off by defining our transformation method for this view plugin, which is our hex view. Every transformation for a view plugin will get a keyword argument called target, which specifies whether it's currently running on a request or a response, so we do a little bit of checking here to see what the target is, then grab the appropriate attribute of the flow, then grab the content. Then the next responsibility of the transformation method is to perform the transformation and return it as a string, so the last line of hexdump is just returning the hex string that we've created. And then at the bottom we call context.plugins.register_view. The first thing we pass is an ID for the plugin, then you can pass a title for it, and then you specify what your transformation function is. That's it, and then you have that Hex thing you can click on, you can view a hex view, and it's really easy.

For an action plugin, which is one that'll actually change the contents of what's going across the wire, once again we use that start method to register it, but this time we're going to call register_action as opposed to register_view. You can register multiple actions at one time for a plugin; right here we only register one. It's important to note that the ID attribute in here is actually the transformation function, so we specify ID as pugify_image, which is our method at the top level of the module or the script. And then you can also specify possible hooks, so you can say that this transformation can only run on requests, or this transformation can run on requests and responses, or only responses. So for right here, our pugify plugin, it really only makes sense to run it across responses, so we specify that. Then you can also specify a beginning state for the action; in this case we're specifying every_flow as True, which means that it'll come preconfigured to run against any flow that passes through it as soon as you start mitmproxy. And then our actual transformation function is pretty straightforward: basically we just check the content type, see if it looks imagey, and then also, because web developers are terrible and they don't always use content types, we also just check for a JPEG magic string. I mean, you could make it way more robust; I just do this as a proof of concept. Then, you know, grab our pug image and replace the contents with it, call it a day.

So for a more complex example that uses options, I have one here, our color switcher. This one will replace instances of hex color codes in either CSS or HTML files with a color that you can configure in the UI, so we set it to a nice pink here and we turn Vice pink. The action step again should be familiar, but we create another action here called disable_cache. This one will just add some cache control headers and stuff to the request to turn off client-side caching; that way we can ensure that we get a fresh CSS file that we can change colors on. We also specify our options keyword argument here, and in that, you know, we specify that we have one text option called color, and we specify a default value for it. You can specify different types; they can, you know, be drop-downs or text or checkboxes, etc., and you can also take a default value. So our two transformation functions are right here, disable_cache and colorify. disable_cache runs only on the request, of course, adds that no-cache and changes the If-Modified-Since header if it's present. Our color function right here basically just looks at the content type, sees if it's CSS or HTML, and if it is, just runs a cheesy little regular expression on it to replace the color. Now the important part here to note is how to actually get that option value. So we call context.plugins.get_option_value; we specify the name of our plugin, then the name of the option whose value we want to retrieve. In this case it's the color switcher plugin and the color option.

So now what? I've been working closely with the mitmproxy developers, and a pull request is in, with like 8,000 changes here. There are a few improvements I'd like to make to this, but it works for the most part; you can go and grab my branch and play around with it if you want. The developers are also really, really cool people and really open to pull requests, and really helpful; if you hop in their Slack they'll tell you anything about the code base you want to know. So I want to make some improvements to it, like I said: basically code style, make it match the rest of the code base that they have there; also finish out the unit tests I started writing for it; add more option types for the UI; maybe add some kind of composition or ordering for plugin action execution, though I think that's really not even necessary; and then just UI enhancements, the CSS is a little wonky still.

So how can everyone here start using web plugins now? Well, it's not integrated into the master branch yet, so here's a discussion I had with Max, one of the developers, yesterday. He said he's looking at it today, so maybe it'll be up today, I don't know, but for now you can grab my branch on GitHub.

So here's some resources for everyone. I have all my example scripts here that you can grab on GitHub, you can also grab my mitmproxy branch with the web plugin support, and the main mitmproxy site is here; they have tons of documentation and examples and stuff. It's really great; they put a lot of effort into it. So I would like to say thank you to the mitmproxy developers for all their hard work in making this awesome tool, and for all their work in answering all my noob questions about their codebase, like "how's this supposed to work?" So thanks, guys. And then if anyone has any questions, you can just kind of grab me, or hit me up by email or Twitter or whatever. That's all I have for you.
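The view/action/option plugin model described in the talk, as an added example that is not the speaker's branch or mitmproxy's own code. The Flow/Message stand-ins, the shape of the context.plugins registry (register_view, register_action, get_option_value), the transformation signatures and the plugin name "colorswitcher" are assumptions made so the hexdump view, the disable_cache action and the colorify action can be exercised offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional
# Constructed stand-ins for what the talk's branch hands a script (a flow and the
# context.plugins registry); the real signatures are not on the page, so assumed.
@dataclass
class Message:
    headers: dict = field(default_factory=dict)
    content: bytes = b""
@dataclass
class Flow:
    request: Message
    response: Optional[Message] = None

class Plugins:
    def __init__(self) -> None:
        self.views, self.actions, self.options = {}, {}, {}
    def register_view(self, id: str, title: str, transformation: Callable) -> None:
        self.views[id] = (title, transformation)
    def register_action(self, id: Callable, title: str, possible_hooks: tuple,
                        every_flow: bool = False, options: tuple = (),
                        plugin: str = "default") -> None:
        self.actions[id.__name__] = (plugin, title, tuple(possible_hooks), every_flow)
        for name, _kind, default in options:      # (name, type, default) per the talk
            self.options.setdefault((plugin, name), default)
    def get_option_value(self, plugin: str, option: str):
        return self.options[(plugin, option)]

# View plugin: renders bytes as hex for the UI and never touches the wire.
def hexdump(flow: Flow, target: str = "request") -> str:
    msg = flow.request if target == "request" else flow.response
    data = msg.content if msg else b""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<47}  {text}")
    return "\n".join(rows)

# Action plugins: these DO change the request or response on the wire.
def disable_cache(ctx: Plugins, flow: Flow, target: str = "request") -> None:
    flow.request.headers["Cache-Control"] = "no-cache"
    flow.request.headers.pop("If-Modified-Since", None)  # assumed: drop it for a fresh body

HEX_COLOR = re.compile(rb"#(?:[0-9a-fA-F]{3}){1,2}\b")

def colorify(ctx: Plugins, flow: Flow, target: str = "response") -> None:
    resp = flow.response
    ctype = resp.headers.get("Content-Type", "") if resp else ""
    if resp and ("text/css" in ctype or "text/html" in ctype):
        color = ctx.get_option_value("colorswitcher", "color").encode()
        resp.content = HEX_COLOR.sub(color, resp.content)

def start(context: Plugins, argv=()) -> None:  # the hook every mitmproxy script exposes
    context.register_view("hexdump", "Hex", hexdump)
    context.register_action(disable_cache, "Disable cache", ("request",),
                            every_flow=True, plugin="colorswitcher")
    context.register_action(colorify, "Color switcher", ("response",), every_flow=True,
                            options=(("color", "text", "#ff69b4"),), plugin="colorswitcher")
```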
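The two server-side weaknesses the talk calls out, partial request signing and a client-reported score the server never checks, as an added example that is not Ruzzle's code or the speaker's scripts: a constructed HMAC scheme that covers only header parameters beside one that also binds the body, plus a server-side score check. The header names, secret and scoring rule are made up for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret. The talk notes the game's AES secret was recoverable from
# the APK, so in practice only a server-held key should be used to sign or verify.
SECRET = b"constructed-demo-secret"

def _canon(headers: dict) -> str:
    # Deterministic string over the signed header parameters.
    return "&".join(f"{k}={headers[k]}" for k in sorted(headers))

def sign_headers_only(headers: dict, body: bytes) -> str:
    """The weak scheme the talk describes: the MAC covers header parameters only,
    so any request body verifies against the same signature."""
    return hmac.new(SECRET, _canon(headers).encode(), hashlib.sha256).hexdigest()

def sign_with_body(headers: dict, body: bytes) -> str:
    """Hardened form: bind a hash of the body into the signed string, so changing
    the body invalidates the signature."""
    msg = _canon(headers) + "&body_sha256=" + hashlib.sha256(body).hexdigest()
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def verify(headers: dict, body: bytes, signature: str, scheme) -> bool:
    # The server recomputes under the same scheme; constant-time comparison.
    return hmac.compare_digest(scheme(headers, body), signature)

def server_score(words) -> int:
    # Constructed scoring rule; the point is that the server derives the score
    # itself instead of trusting the one the client reports.
    return sum(len(w) for w in words)

def accept_round(body: bytes) -> bool:
    """Rejects a play-round whose reported score is not what the server computes."""
    data = json.loads(body)
    return data["score"] == server_score(data["words"])

def compare_schemes() -> dict:
    """Signs one constructed play-round request, then checks whether each scheme
    still verifies after the body (the reported score) has been altered."""
    headers = {"X-Player": "42", "X-Game": "1001", "X-Nonce": "0a1b2c"}
    body = json.dumps({"words": ["cat"], "score": 3}).encode()
    tampered = json.dumps({"words": ["cat"], "score": 1000000}).encode()
    results = {}
    for name, scheme in (("headers_only", sign_headers_only), ("with_body", sign_with_body)):
        sig = scheme(headers, body)
        results[name] = {"original_ok": verify(headers, body, sig, scheme),
                         "tampered_ok": verify(headers, tampered, sig, scheme)}
    results["server_score_check"] = {"original_ok": accept_round(body),
                                     "tampered_ok": accept_round(tampered)}
    return results

if __name__ == "__main__":
    print(json.dumps(compare_schemes(), indent=2))
```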