
First (working) attempts at writing a proxy that rewrites live requests from the devrant app; right now it only rewrites all notifications to be unread.

Though the first attempt that finally works is built with mitmproxy and its add-on scripting, the plan is to get that stuff to work with e.g. goproxy instead.

Comments
  • 3
  • 5
    but why?

    i generally like your extras, but what's with the mitm proxy?
  • 4
    @Bitwise so I can man in the middle the devrant app and modify the responses

    @Floydian know my scripts? but for the app - to some extent, e.g. face normifier could be ported to this
  • 2
    @C0D4 no other way to intercept and modify the app comms
  • 5
    @C0D4 also I just love to tinker with new things 😊
  • 1
    @CozyPlanes I tried to rotate my phone all sorts of orientations to make something out of this, but all I can see is "lee l o l", it's supposed to be some sort of table throwing emote probably, but I just can't see it lol
  • 3
    Why does devrant not have HPKP?
    @dfox @trogus
  • 2
    @Bitwise lol not my intent, but I'll make sure to have a separate version for you 😂
  • 2
    @Linux plsnot 🙏 too many ideas to try for HPKP to be implemented now
  • 1
    I'm not a security guy, but how can you do that? You make it seem like sniffing passwords from an http only connection.
  • 2
    @gitpush generate a certificate, trust it on the mobile device, make the server use that cert for devrant.com connections

    besides that mitmproxy also takes care of that itself - if there's an HTTPS connection that doesn't yet have a cert generated it creates a new cert signed with the root one that you trust, but I wanted to generate my own, just in case
  • 3
    @JoshBent so what @Linux mentioned helps prevent what you basically just did right? But doesn't mean it is no longer possible to do man in the middle attack right?
  • 2
    @CozyPlanes oh well that was random lol
    @gitpush to my knowledge yes, but googling - it seems there are ways to bypass that, especially on Android, where you can just repackage with your own certs.
  • 2
    @JoshBent I see, thank you for the info, I will play around with what Linux said, cuz I have a website that uses Lets Encrypt, and from what I read in your rant I think it is not enough
  • 3
    @gitpush somebody would need to install certs on the victim's computer, so it's not a really needed addition, if you're not handling money or vital personal data.
  • 2
    @JoshBent ahha... Great to know, and no I don't handle money nor personal data other than name and email. The thing that is always making me afraid is noob hackers, I'm no big shot so that pros come and hack my server, but I'm also not a linux pro so I make a good victim for those who want to learn lol
  • 2
    @gitpush you should be concerned with hardening mainly your server then, no default SSH port, SSH key auth, iptables honeypot ports banning, SSH failed attempts ban, use a middleman like cloudflare so your IP can't be resolved, using only prepared database queries etc.
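The hardening list above, as an added example that is not part of the thread: a small Python audit of an sshd_config for the SSH items it names (non-default port, key-only auth, no root password login, fewer auth tries per connection). The two config texts are constructed samples, the default values are OpenSSH 7.x defaults, and the iptables/fail2ban and Cloudflare items live outside this file and are not checked here.

```python
import re

# Directives the thread's advice maps to, with the value OpenSSH 7.x assumes when the
# directive is absent (a missing directive is audited against this default).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# Constructed sample: a stock-looking sshd_config with a hardening line appended too late.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# an admin appended this later, but sshd keeps the first value it met above
PasswordAuthentication no
"""

# Constructed sample: the same file after applying the advice in the thread.
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global directives of an sshd_config.

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'. sshd uses
    the FIRST value it meets for a directive, so later duplicates are ignored here as well.
    Directives inside 'Match' blocks are conditional and skipped for this global view."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins, as in sshd
    return settings


def audit_sshd(text: str) -> list:
    """Return one finding per weak setting; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key])

    findings = []
    if get("port") == "22":
        findings.append("Port 22: sshd listens on the default port")
    if get("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': key auth is not enforced")
    if get("pubkeyauthentication").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("permitrootlogin").lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root login with a password")
    try:
        tries = int(get("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(f"MaxAuthTries is {tries}: allow fewer guesses per connection")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd(text) or ['ok']}")
```

Run it against a real file with `audit_sshd(open("/etc/ssh/sshd_config").read())`; the first-value-wins rule is the part most people trip over when they append hardening lines to a distro config.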
  • 2
    @JoshBent Noted, for now I'm following the basics that @Linuxxx told me about like firewall, port knocking, and ssh key auth.

    Though for CloudFlare, I don't understand one thing in their free plan, 3 page rule? My website can only contain three pages?
  • 2
    @gitpush page rules are things that you want cloudflare to handle, aka things you're too lazy for most often, like a 301 redirect or http to https force etc. I have barely ever used those and you can have a very good amount of traffic before there's any limits too, also iirc unlimited domains connected
  • 2
    @JoshBent I see great, then I'll go for it, cuz for now I let nginx handle http to https and other pages like 404

    Thanks again for your help, much appreciated :))
  • 2
    @gitpush you're welcome, cloudflare has also different SSL modes, so basically you could even not have SSL on your server and cloudflare would front you with their cert and communicate with your server internally through http, generally it's enough, because double the handshake double the trouble imho
  • 1
    @JoshBent But how can they do that internally? Do I need to install anything on my server so that the connection between my server and cloudflare is secure?
  • 1
    @gitpush nope, you don't need to install anything, just know that they are an SSL terminating proxy, so in *theory* they could get all your conspiracies that are transferred over Https, that's why many here are "paranoid" about it, even though literally any other CDN/ddos service basically does the same with just a different name and the benefit outweighs getting ddosed or using cdn hacks.
  • 1
    @JoshBent sorry I ask too much, but even if I use my own certificate, they can still see data between me and them?
  • 3
    @gitpush don't worry, I think if you use a CA cert they still have to ssl terminate to redirect it to your server, but not sure on that, maybe @condor @linux @perfectasshole or @linuxxx know an answer to that, since that would interest me too.
  • 3
    @JoshBent ok great, let's wait for the response :D
  • 3
    @JoshBent @gitpush I'm not a hero in this one honestly but @PerfectAsshole would know an answer I think :)
  • 3
    @JoshBent

    With HPKP you can't.
    You pin to a specific certificate
  • 5
    @gitpush @JoshBent @linuxxx it terminates the incoming https connection then creates another one. Otherwise using a self-signed cert between something like cloudflare and your server would say unsigned certificate.

    Also a side note with HSTS and private key pinning it is just about impossible to mitm a server unless you attack at the browser level to ignore those headers
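The two comments above ("You pin to a specific certificate" and the note on HSTS and key pinning), as an added example that is not part of the thread: a Python client-side model of what a pin actually is and why a proxy-minted certificate fails it. The pin-sha256 value is base64(SHA-256(SubjectPublicKeyInfo)) as RFC 7469 defines it, the same hash OkHttp's CertificatePinner and Android network-security-config pins use; browsers have since dropped HPKP itself, but the check is unchanged for app-level pinning. All SPKI blobs and headers below are constructed stand-ins, not material from devrant.com or any real site.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real client pulls these
# out of the certificates in the served chain; here they are just distinct byte strings.
SITE_SPKI = b"constructed: SPKI of the site's current leaf certificate"
BACKUP_SPKI = b"constructed: SPKI of an offline backup key, not in any served chain"
INTERMEDIATE_SPKI = b"constructed: SPKI of the public CA intermediate"
PROXY_SPKI = b"constructed: SPKI of a leaf minted by an interception proxy"
PROXY_ROOT_SPKI = b"constructed: SPKI of the proxy root the device was told to trust"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_directives(header: str) -> list:
    """Split 'name=value; name; ...' into (lowercased name, unquoted value) pairs."""
    pairs = []
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs


def parse_hsts(header: str) -> dict:
    """Strict-Transport-Security: max-age plus the optional includeSubDomains flag."""
    policy = {"max_age": None, "include_subdomains": False}
    for name, value in parse_directives(header):
        if name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def parse_hpkp(header: str) -> dict:
    """Public-Key-Pins: a list of pin-sha256 values plus the HSTS-style directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for name, value in parse_directives(header):
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def policy_is_valid(policy: dict, chain_spkis: list) -> bool:
    """A client stores a pin set only if it has max-age, at least two pins, one pin that
    matches the current chain, and one that does not (the backup key). Without the backup,
    losing the pinned key would lock every returning client out for max-age seconds."""
    if policy["max_age"] is None or len(policy["pins"]) < 2:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    has_match = any(p in chain_pins for p in policy["pins"])
    has_backup = any(p not in chain_pins for p in policy["pins"])
    return has_match and has_backup


def chain_matches_pins(chain_spkis: list, pins: list) -> bool:
    """Pin validation: accept only if some certificate in the served chain hashes to a pinned
    value. A proxy-minted certificate passes normal path validation because its root was
    installed on the device, but no key in that chain is pinned, so this check fails."""
    pin_set = set(pins)
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


def evaluate(hpkp_header: str, chain_spkis: list) -> str:
    """'accepted' or 'rejected' for a served chain against a stored pin set."""
    pins = parse_hpkp(hpkp_header)["pins"]
    return "accepted" if chain_matches_pins(chain_spkis, pins) else "rejected"


# Constructed header a site would send; pin values are derived from the sample blobs above.
SAMPLE_HPKP = (
    f'pin-sha256="{spki_pin(SITE_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"

GENUINE_CHAIN = [SITE_SPKI, INTERMEDIATE_SPKI]   # what the real server presents
PROXY_CHAIN = [PROXY_SPKI, PROXY_ROOT_SPKI]      # what an interception proxy presents

if __name__ == "__main__":
    print("HSTS:", parse_hsts(SAMPLE_HSTS))
    print("pin set stored:", policy_is_valid(parse_hpkp(SAMPLE_HPKP), GENUINE_CHAIN))
    print("genuine chain:", evaluate(SAMPLE_HPKP, GENUINE_CHAIN))
    print("proxy chain:", evaluate(SAMPLE_HPKP, PROXY_CHAIN))
```

This is also why the thread's "repackage the app with your own cert" point matters for defenders: the pin set lives in the client, so anything that can edit the client can edit the pins, and pinning raises the bar for network-level interception rather than for someone with control of the device.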
  • 4
    @PerfectAsshole wow, thanks for the details, much appreciated :D
  • 3
    @gitpush no problem. You can use ssl passthrough to use the cert from the server and from that point a service can't see anything but at that point there's no difference between using cloudflare over a standard dns service since they can't filter out any traffic
  • 1
    @PerfectAsshole I understand, I'll look into that, thanks man :D
  • 1
    @linuxxx @Linux @PerfectAsshole awesome thanks :) so I guess I just hope I won't have to repackage the app just to get it to work with a custom cert any time soon
  • 1
    @JoshBent
    Well, if devrant adds certificate pinning, repackaging your app won't help
  • 1
    @Linux he would have to use a custom https client that ignores headers so it is possible
  • 2
    @PerfectAsshole
    Oh, so he would skip the app then. Yeah that would work :)
  • 0
    @PerfectAsshole @Linux haven't really tested yet much, since there's no need yet, but most of the time just replacing the cert inside the package seemed to work as described here:

    https://blog.netspi.com/four-ways-b...

    haven't yet tried the frida thing, but I remember from root times that something similar as a module worked too.