search

elazarl / goproxy

An HTTP proxy library for Go
BSD 3-Clause "New" or "Revised" License
5.99k stars 1.09k forks source link

Security issue: if use mitn handler websocket ignores cascade end proxy and use direct connect #418

Open 4n70w4 opened 3 years ago

4n70w4 commented 3 years ago

Hi! I get code from https://github.com/elazarl/goproxy/blob/0581fc3aee2d07555835bed1a876aca196a4a511/examples/cascadeproxy/main.go

and connect to wss://webhook.site/.... or ws://webhook.site/....

all ok - connected via end proxy.

But if add Mitm handler to middleProxy

middleProxy.OnRequest(goproxy.ReqHostMatches(regexp.MustCompile("^.*$"))).HandleConnect(goproxy.AlwaysMitm)

not ok - connected via server IP.

I believe this is a security issue and should not be enabled by default.

4n70w4 commented 3 years ago

May be related: https://github.com/elazarl/goproxy/issues/125