HTTP Interception

Network Security Spring 2021
Due

The goals of this lab are to:

  1. Familiarize yourself with HTTP introspection tools
  2. Write code to modify an HTTP request

In order to gain deeper insight into how HTTP requests and responses can be intercepted and manipulated, you will be using introspection tools to do so in conjunction with a simple prepared web application. This web application is available as a container image that you can load and execute as follows:

$ docker load -i netsec-lab-http.img
$ docker run -it --rm -p 5000:5000 netsec-lab-http

Using the above commands, the web server will be accessible on localhost port 5000/tcp. If you navigate your browser to http://localhost:5000, you will be presented with a simple HTML page. This page will initially display the message processing...; your goal is to get it to output a response.

To do so, you will need to modify the HTTP requests issued by your browser. In principle one could do so with the built-in developer tools. However, you will probably find that that approach will not scale for this problem. Instead, you are encouraged to write a request-modifying plugin for an intercepting proxy such as mitmproxy or Burp Suite.

mitmproxy Example

For example, one can write a mitmproxy addon to inspect and modify both HTTP requests and responses. A basic addon has the following structure:

from mitmproxy import ctx
import mitmproxy.http


class InspectHTTP(object):
    def __init__(self):
        # Perform any necessary addon initialization here
        pass

    def request(self, flow: mitmproxy.http.HTTPFlow):
        # This method will be invoked on every intercepted HTTP flow.
        # We can restrict the requests we consider by checking request
        # attributes, and we can also modify attributes of interest.
        if flow.request.pretty_url == "http://example.com/foo":
            ctx.log.info("accessing example.com!")


addons = [InspectHTTP()]

The addon can then be run using mitmproxy as follows:

$ mitmdump -s ${path_to_addon}

Finally, simply set your browser to use 127.0.0.1:8080 as an HTTP(S) proxy. Note that HTTPS interception will not work without adding a dynamically generated CA certificate to your trust store. See the mitmproxy documentation for more information.

Lab Objectives

  1. Modify requests to the web application root resource to include a cookie where the key e is set to your @northeastern.edu address.
  2. Modify API requests to the web application to reference pongs and not pings.
  3. Collect the sequence of (rewritten) API URLs accessed by your browser.
  4. Record the final status value shown in your browser.

Submission Instructions

Submit the API URLs and final status value to Canvas.