blueclosure / BCDetect


servers.js proxy [EE]:_____Unhandled exception START_____________: #31

Closed 0xdevalias closed 6 years ago

0xdevalias commented 7 years ago

When I try to load a certain page, I get the following printed in the browser:

PROXY_TO_SERVER_REQUEST_ERROR: Error: Parse Error

Looking in the console log, I see the following.

servers.js proxy [EE]:_____Unhandled exception START_____________:
 TypeError: The header content contains invalid characters
    at storeHeader (_http_outgoing.js:448:13)
    at ServerResponse._storeHeader (_http_outgoing.js:355:13)
    at ServerResponse.writeHead (_http_server.js:251:8)
    at X:\BCDetect\libs\node_modules\http-mitm-proxy\lib\proxy.js:764:35
    at X:\BCDetect\libs\node_modules\async\dist\async.js:359:16
    at iteratorCallback (X:\BCDetect\libs\node_modules\async\dist\async.js:935:13)
    at X:\BCDetect\libs\node_modules\async\dist\async.js:843:16
    at onResponseHeaders (X:\BCDetect\libs\ProxyRewriter\proxy_rewrite.js:9:3354)
    at X:\BCDetect\libs\node_modules\http-mitm-proxy\lib\proxy.js:989:12
    at X:\BCDetect\libs\node_modules\async\dist\async.js:3025:16 TypeError: The header content contains invalid characters
    at storeHeader (_http_outgoing.js:448:13)
    at ServerResponse._storeHeader (_http_outgoing.js:355:13)
    at ServerResponse.writeHead (_http_server.js:251:8)
    at X:\BCDetect\libs\node_modules\http-mitm-proxy\lib\proxy.js:764:35
    at X:\BCDetect\libs\node_modules\async\dist\async.js:359:16
    at iteratorCallback (X:\BCDetect\libs\node_modules\async\dist\async.js:935:13)
    at X:\BCDetect\libs\node_modules\async\dist\async.js:843:16
    at onResponseHeaders (X:\BCDetect\libs\ProxyRewriter\proxy_rewrite.js:9:3354)
    at X:\BCDetect\libs\node_modules\http-mitm-proxy\lib\proxy.js:989:12
    at X:\BCDetect\libs\node_modules\async\dist\async.js:3025:16 __________Unhandled exception END_____________
servers.js proxy [EE]:proxy error: { Error: Parse Error
    at TLSSocket.socketOnData (_http_client.js:453:20)
    at emitOne (events.js:115:13)
    at TLSSocket.emit (events.js:210:7)
    at addChunk (_stream_readable.js:252:12)
    at readableAddChunk (_stream_readable.js:239:11)
    at TLSSocket.Readable.push (_stream_readable.js:197:10)
    at TLSWrap.onread (net.js:588:20) bytesParsed: 0, code: 'HPE_CB_headers_complete' } 

Assuming the headers it's referring to are the HTTP headers, they are as follows:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: max-age=0, private
Server: openresty
X-Content-Type-Options: nosniff
X-Cache: HIT from squizedge.net
Date: Wed, 13 Sep 2017 22:39:38 GMT
Pragma: cache
Via: 1.1 squizedge.net
Strict-Transport-Security: max-age=31536000
Age: 37
X-Frame-Options: SAMEORIGIN
Expires: Wed, 13 Sep 2017 23:09:38 GMT
X-Iinfo: 9-28567838-28567845 NNNN CT(12 12 0) RT(1505342415805 103) q(0 0 0 -1) r(0 0) U5
X-CDN: Incapsula
Content-Length: 27943

wisec commented 6 years ago

Fixed in upcoming release.

0xdevalias commented 6 years ago

@wisec : Just hit this issue again running the latest version of BCDetect, will send an email with further context.

Edit: In this case, the culprit appeared to be in a Set-Cookie header (and presumably in subsequent Cookie headers as well):

Set-Cookie: ___utmvawFuLyBV=snl LsyY; path=/; Max-Age=900

There is a non-printing character between the snl and LsyY parts of the cookie value.

Running through the JS Console to % escape, I see the following, implying perhaps it is a %01:

escape("Set-Cookie: ___utmvawFuLyBV=snlAAAA\x01BBBBBLsyY; path=/; Max-Age=900")
"Set-Cookie%3A%20___utmvawFuLyBV%3DsnlAAAA%01BBBBBLsyY%3B%20path%3D/%3B%20Max-Age%3D900"

While this likely breaks the HTTP standard, it would be good if it was possible to handle it without BCDetect crashing.
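
One way an intercepting proxy can tolerate a header like the one reported above, shown as an added example that is not part of the thread and is not BCDetect or http-mitm-proxy code: percent-encode disallowed characters in upstream header values before they reach `writeHead`. The function names are hypothetical, and it assumes the check that raised the `TypeError` follows the RFC 7230 field-value character set.

```javascript
// Field-value characters allowed by RFC 7230: HTAB, 0x20-0x7e, obs-text 0x80-0xff.
// Anything else (for example 0x01, CR, LF) is matched here.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/gu;

// Percent-encode one disallowed character as its UTF-8 bytes, so the raw
// value stays recoverable from logs and cannot end the header line.
function encodeChar(ch) {
  return [...Buffer.from(ch, 'utf8')]
    .map((b) => '%' + b.toString(16).toUpperCase().padStart(2, '0'))
    .join('');
}

// headers: Node-style object whose values are strings or arrays of strings
// (as with set-cookie). Returns a cleaned copy and the names that changed.
// sanitizeHeaders is a hypothetical helper, not an API of any library.
function sanitizeHeaders(headers) {
  const clean = {};
  const changed = [];
  const fix = (v) => String(v).replace(INVALID_HEADER_CHAR, encodeChar);
  for (const [name, value] of Object.entries(headers)) {
    const fixed = Array.isArray(value) ? value.map(fix) : fix(value);
    if (String(fixed) !== String(value)) changed.push(name);
    clean[name] = fixed;
  }
  return { headers: clean, changed };
}

// Constructed sample modelled on the Set-Cookie header quoted in the thread.
const sample = {
  'content-type': 'text/html; charset=utf-8',
  'set-cookie': ['___utmvawFuLyBV=snl\x01LsyY; path=/; Max-Age=900'],
};
const result = sanitizeHeaders(sample);
console.log(result.changed, result.headers['set-cookie']);
```

Rewriting the value changes the cookie the browser stores, so the origin will later receive `%01` instead of the raw byte; logging `changed` keeps such rewrites visible.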