Nmap Development mailing list archives

General web proxying with Ncat


From: David Fifield <david () bamsoftware com>
Date: Thu, 16 Apr 2009 16:55:35 -0600

Hi,

Ncat's HTTP proxy now supports the GET, HEAD, and POST methods, so it
can be used as a proxy with an ordinary web browser. Run

        ncat -l --proxy-type http

Configure your web browser to use the proxy server at localhost:31337.
The CONNECT method that enables SSL connections is also supported. Of
course you can continue to make Ncat client connections through the
proxy:

        ncat --proxy localhost:31337 scanme.nmap.org 80

The proxy allows authentication (credentials are sent in the clear):

        ncat -l --proxy-type http --proxy-auth user:pass

I wrote this new code with special attention towards securing it against
buffer overflows and like vulnerabilities. There are over a thousand new
lines of parsing and memory allocation code, so I would appreciate a
second opinion.

The proxy as it stands now only supports HTTP/1.0, and not HTTP/1.1
features like connection persistence and pipelining. Using the proxy is
likely to make your web browsing slower because all requests are
serialized. I wouldn't expose the proxy to the Internet because of a
lack of authentication mechanisms. (You can use --proxy-auth, --allow,
and --deny, but they are not very strong.)

David Fifield
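
The remark above that `--proxy-auth` credentials are sent in the clear, shown as an added example that is not part of the original post or of Ncat's code. It assumes the proxy uses the HTTP Basic scheme (the post does not name the scheme); the request bytes and the function name are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: the request head a client might send through a proxy
# started with --proxy-auth user:pass, ASSUMING the HTTP Basic scheme.
SAMPLE_REQUEST = (
    b"CONNECT scanme.nmap.org:80 HTTP/1.0\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"user:pass") + b"\r\n"
    b"\r\n"
)


def observed_proxy_credentials(raw: bytes):
    """Return the (user, password) readable by anyone who can see the request
    bytes on the wire, or None when there is no decodable Basic
    Proxy-Authorization header. (Hypothetical helper, not an Ncat function.)"""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive.
        if not sep or name.strip().lower() != b"proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None  # some other scheme; nothing to decode here
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None  # malformed token
        # Split at the first colon only: the password may contain colons.
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        return user.decode("latin-1"), password.decode("latin-1")
    return None


if __name__ == "__main__":
    # Base64 is an encoding, not encryption: no key is needed to reverse it.
    print(observed_proxy_credentials(SAMPLE_REQUEST))
```

Because the header is only encoded, the access controls mentioned in the post protect the proxy no better than the network path the request travels over.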
