Reputation: 2286
When writing a HTTP proxy, what security problems do I need to think about?
My company has written a HTTP proxy that takes the original website page and translates it. Think something along the lines of the web translation service provided by Google, Bing, etc.
I am in the middle of security testing of the service and associated website. Of course there is going to be a million attacks or misuses of the site that I haven't yet thought of. Additionally I don't want our site to become a vector that allows anonymous attacks against third party sites. Since this site will be subject to many eyes from the day it is opened, ensuring the security of both our service and the sites visited by our service is concerning me.
Can anyone point me to any online or published information for security testing. e.g. good lists of attacks to be worried about, security best practices for creating web sites/proxies/etc. I have a good general understanding of security issues (XSS, CSRF, SQL injection, etc). I'm more looking for resources to help me with the specifics of creating tests for security testing.
Any pointers?
Seen:
- https://www.owasp.org/index.php/Top_10
- https://stackoverflow.com/questions/1267284/common-website-attack-methods-detection-and-recovery
Upvotes: 2
Views: 262
Answers (1)
Reputation: 27265
Most obvious problems for a translation service:
- Ensure that the proxy cannot access to internal network. Obvious when you think but mostly forgotten in the first release. i.e. user should not able to request translation for http://127.0.0.1 etc. As you can imagine this can cause some serious problems. A clever attack would be http://127.0.0.1/trace.axd which will expose more than necessary as it thinks the request coming from localhost. If you also have any kind IP based restrictions between that system and any other systems you might want to be careful about them as well.
- XSS is the obvious problem, ensure that translation delivered to the user in a separate domain (like Google Translate). This is crucial, don't even think that you can filter XSS attacks successfully.
Other than that for all other common web security issues, there are lots of things to do. OWASP is the best resource to start for automated testing there are free tools such as Netsparker and Skipfish
Upvotes: 2
Related Questions
- How http proxy clients work
- how does http proxy work?
- Is connecting to a proxy server with HTTP for a HTTPS Request secure?
- Guidelines and best practices to make a proxy-friendly site
- Java HTTP and Proxies
- How to safely use http_proxy variable in linux
- intercepting http proxy - disadvantages compared to a normal proxy
- "Proper" way to (web) proxy in Java
- Writing a proxy server
- PHP Secure Remote Proxy Server Health