WebApp Sec mailing list archives
RE: Reverse Proxy and Link Encoding
From: "Lluis Mora" <llmora () sentryware com>
Date: Mon, 2 Jun 2003 10:54:37 +0200
Hi Michael,

I am not aware of anything similar and although I find it interesting, handling FORMs might be a problem:

In a link you know that all the parameters will be the same when the user hits the link (unless JavaScript is used to modify URLs), so you can store them in a database and then match the proxy code to the URL with parameters and forward that.

But in forms, you can have user-dependent data such as "text" inputs that you cannot remove from the page sent to the client - so you are forced to accept data from a client (unless you want to strip forms out of the application...).

Any thoughts on how this could be accomplished with your proposed scheme?

Cheers,

Lluis

-----Original Message-----
From: Michael Naef [mailto:michael.naef () inf ethz ch]
Sent: Saturday, 31 May 2003 23:56
To: webappsec () securityfocus com
Subject: Reverse Proxy and Link Encoding

Hi all

I have a follow-up question to Dean's inquiry on reverse proxies...

I am looking for a reverse proxy that does not let _any_ client-provided data through. This would be achieved by parsing all web pages in order to identify the hyper links contained. Then, all the hyper links would be replaced by the proxy's address and a suitable encoding. Also, the proxy would maintain a table with all the encodings and the original link. When the client requests such an encoded link, the proxy would do a lookup in the table and retrieve the original link.

Example:

1) Proxy retrieves some web page that contains the link http://www.foo.com/

2) Proxy replaces this link in the web page by something like the following link: http://proxy/77352102 and sends the resulting page to the client.

3) Client hits the link. Proxy analyzes the encoding and does the lookup in the table to find the original link. It retrieves the page, parses the content, replaces links, and sends the result to the client again.

(Startup: The proxy would have a well-defined collection of possible links that are already encoded and serve as a starting point.)

I am aware that such a proxy is quite prohibitive with regard to browsing the web. However, it can be useful in environments that must prevent potentially hostile traffic (e.g. "hacked" URLs, malformed POST data etc.) from leaving to the Internet and still allow basic browsing capabilities.

Does anybody know of a proxy that does this (or something similar)? (My research has not been successful so far.)

Thanks

myke.
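
The lookup-table scheme from the quoted message, written out in Python as an added example (not code from the thread or from any existing proxy). The class name `LinkTable`, the random 16-hex-digit tokens and the regex-based `href` matching are assumptions made here; only hyperlinks are covered, not forms.

```python
import re
import secrets
from urllib.parse import urljoin

# Assumption for this example: href values are matched with a regex.
HREF_RE = re.compile(r'(href\s*=\s*)(["\'])(.*?)\2', re.I | re.S)
PATH_RE = re.compile(r"/([0-9a-f]{16})")  # the only request shape accepted


class LinkTable:
    """Token <-> original URL table kept by the proxy (hypothetical class)."""

    def __init__(self, proxy_base="http://proxy/", start_urls=()):
        self.proxy_base = proxy_base
        self._url_by_token = {}
        self._token_by_url = {}
        # "Startup" set from the post: links that are encoded in advance.
        self.start_links = [self.encode(u) for u in start_urls]

    def encode(self, url):
        """Return the proxy link for url, reusing the token if already known."""
        token = self._token_by_url.get(url)
        if token is None:
            token = secrets.token_hex(8)  # random, so tokens cannot be guessed
            self._url_by_token[token] = url
            self._token_by_url[url] = token
        return self.proxy_base + token

    def rewrite(self, html, page_url):
        """Replace every href in a fetched page with its encoded proxy link."""
        def repl(m):
            original = urljoin(page_url, m.group(3))  # resolve relative links
            return m.group(1) + m.group(2) + self.encode(original) + m.group(2)
        return HREF_RE.sub(repl, html)

    def resolve(self, request_path):
        """Map a client request path back to the original URL, or None.

        Anything that is not exactly "/<token>" is refused, so a query
        string or extra path segment added by the client never gets through.
        """
        m = PATH_RE.fullmatch(request_path)
        return self._url_by_token.get(m.group(1)) if m else None


if __name__ == "__main__":
    table = LinkTable(start_urls=["http://www.foo.com/"])
    page = '<a href="/about?id=7">About</a>'  # constructed sample page
    print(table.rewrite(page, "http://www.foo.com/"))
```

The parameters of `/about?id=7` stay in the table on the proxy side; the client only ever sees and sends the token.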