Vigil@nce - WebKit: Man-in-the-Middle via Proxy CONNECT
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle when an HTTP proxy is
configured, in order to alter the visible content of an https
site, to execute JavaScript code for example.
– Impacted products: iOS by Apple, iPhone, Mac OS X, Opera, WebKit.
– Severity: 2/4.
– Creation date: 18/08/2016.
DESCRIPTION OF THE VULNERABILITY
When an HTTP proxy is configured, the web browser uses the HTTP
CONNECT method to ask the proxy to setup a secured TLS session.
However, the HTTP CONNECT query and its reply are sent in a clear
HTTP session. An attacker can act as a Man-in-the-Middle, and
spoof a 407 Proxy Authentication reply to the client, not
containing a Proxy-Authenticate header, but containing an HTTP
body.
The RFC 7235 indicates that the HTTP body must not be displayed.
However, WebKit displays it, and executes its content in the
context of the requested https/TLS site.
An attacker can therefore act as a Man-in-the-Middle when an HTTP
proxy is configured, in order to alter the visible content of an
https site, to execute JavaScript code for example.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/WebKit-Man-in-the-Middle-via-Proxy-CONNECT-20429