Thursday, July 28, 2016

Intercepting SSL and more with WPAD

This morning I read Sniffing HTTPS URLS with malicious PAC files by Alex Chapman and Paul Stone. It's an excellent summary of a key problem with PAC files, namely that a PAC file is a JavaScript file delivered over HTTP, with well-known techniques for pushing it to unsuspecting clients, and that this script has full access to every URL the browser requests, including the content of SSL URLs. Chapman and Stone demonstrate a simple technique to exfiltrate the SSL URLs via DNS. Since the technique is now public, I'm publishing my findings and code from 2007 as a more fully weaponized tool that allows selective targeting and exfiltration of URL values (including SSL URLs).