Start a proxy server on Docker containers for HTTP requests from the host

I have a Docker container connected to a VPN, but sometimes I need to open a URL in a browser for debugging.

I cannot run the VPN on my host machine for security reasons. Specifically, I want to open the URL on my host machine and intercept the request with Burp Suite. I already tried some “Python proxy servers” from GitHub to start a proxy on my Docker machine and connect my host to it, without success.

Has someone done something similar? Any ideas?

P.S. Sorry for my English. 🙂

How does an HTTP client authenticate itself with an HTTP server?

Is it correct that there are various ways that an HTTP client can authenticate itself with an HTTP server?

Are the following such ways?

  1. authorization header: for various authorization protocols (e.g. basic, digest, …)

  2. digital certificates: as used in HTTPS.

  3. specifying the user name and password in the HTTP request’s message body, by applying the HTTP POST method to form data

Are they used individually or together? Are they used for the same or different purposes? When is each way used?

In the second way, are digital certificates specified in some HTTP request header(s)? (In curl, it is specified via --cert.)

In the third way, when specifying the user name and password in the HTTP request’s message body, are they encrypted? Does the server know how to decrypt them?
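As an added example (not part of the question), here is how a server parses and checks the first way, the Authorization header with the Basic scheme; the user name and password are constructed. It also shows that the credential is only base64-encoded, not encrypted, so its confidentiality depends entirely on TLS.

```python
import base64
import binascii
import hmac

def parse_basic_authorization(header):
    """Parse an 'Authorization: Basic <base64(user:password)>' header.

    Returns (user, password), or None if the header is not a well-formed
    Basic credential. Per RFC 7617 only the first colon separates the
    user-id from the password, so passwords may themselves contain colons.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def authenticate_basic(header, credentials):
    """Return the user name if the header carries a valid credential, else None.

    `credentials` maps user -> password (a constructed sample store; a real
    server would keep salted password hashes). compare_digest keeps the
    comparison time independent of how many leading characters match.
    """
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return None
    user, password = parsed
    expected = credentials.get(user, "")
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

# Constructed sample header: base64 of "alice:s3cret:with:colons". The
# encoding is reversible, which is why Basic must only travel over TLS.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret:with:colons").decode()
SAMPLE_USERS = {"alice": "s3cret:with:colons"}
```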

Is the HTTP method OPTIONS secure nowadays?

I’ve read How to exploit HTTP Methods:

OPTIONS – this is a diagnostic method, which returns a message useful mainly for debugging and the like. This message basically reports, surprisingly, which HTTP Methods are active on the webserver. In reality, this is rarely used nowadays for legitimate purposes, but it does grant a potential attacker a little bit of help: it can be considered a shortcut to find another hole.

Now, this by itself is not really a vulnerability; but since there is no real use for it, it just affects your attack surface, and ideally should be disabled. NOTE: Despite the above, OPTIONS method IS used for several legitimate purposes nowadays, for example some REST APIs require an OPTIONS request, CORS requires pre-flight requests, and so on. So there definitely are scenarios wherein OPTIONS should be enabled, but the default should still be “disabled unless required”.

This post is a bit old now. What’s up today with the OPTIONS method? Most of the scans show that it’s a vulnerability. Is it really dangerous?

I have no choice but to use OPTIONS for some of my apps. What can I do to secure it?
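An added example, not from the question or any product: a small WSGI guard that keeps OPTIONS enabled only for CORS preflight requests from an allow-listed origin and refuses every other OPTIONS, as well as any method the app does not serve. The origin and method lists are constructed placeholders.

```python
from typing import Dict, Optional, Tuple

ALLOWED_METHODS = ("GET", "HEAD", "POST")        # what the app legitimately serves
ALLOWED_ORIGINS = ("https://app.example.com",)    # constructed placeholder origin

Response = Tuple[str, Dict[str, str]]

def preflight_decision(method: str, headers: Dict[str, str]) -> Optional[Response]:
    """Decide how to treat a request before it reaches the application.

    Returns None to pass the request through, or a (status, headers) pair
    for a short-circuit response. Header names are expected lower-cased.
    """
    method = method.upper()
    allow = {"Allow": ", ".join(ALLOWED_METHODS)}
    if method == "OPTIONS":
        origin = headers.get("origin")
        requested = headers.get("access-control-request-method", "").upper()
        # A CORS preflight always carries both headers. Anything else is a
        # client (or scanner) enumerating methods, so answer only with the
        # methods the app really serves and nothing more.
        if not origin or not requested:
            return "405 Method Not Allowed", allow
        if origin not in ALLOWED_ORIGINS or requested not in ALLOWED_METHODS:
            return "403 Forbidden", {}
        return "204 No Content", {
            "Access-Control-Allow-Origin": origin,      # echo only the vetted origin
            "Access-Control-Allow-Methods": requested,  # only the method asked for
            "Access-Control-Max-Age": "600",
            "Vary": "Origin",
        }
    if method not in ALLOWED_METHODS:                   # e.g. TRACE, PUT, DELETE
        return "405 Method Not Allowed", allow
    return None

def method_guard(app):
    """WSGI middleware applying preflight_decision in front of `app`."""
    def wrapped(environ, start_response):
        headers = {k[5:].replace("_", "-").lower(): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        decision = preflight_decision(environ.get("REQUEST_METHOD", ""), headers)
        if decision is None:
            return app(environ, start_response)
        status, extra = decision
        start_response(status, [("Content-Length", "0"), *extra.items()])
        return [b""]
    return wrapped
```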

Secure HTTP Headers – where should they be implemented, WAF or code level?

I have a REST API exposed to the Internet and another application with form-based authentication.

These apps are behind a Web Application Firewall.

The question is, where should I implement the secure HTTP headers below, at the WAF or at the code level?

  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options
  • X-Permitted-Cross-Domain-Policies
  • HTTP Strict Transport Security
  • HTTP Public Key Pinning
  • Content Security Policy
  • Referrer Policy
  • Feature-Policy

Strange HTTP request from binaryedge.ninja

I found the following strange HTTP request apparently emanating from binaryedge.ninja:

 min-li-ustx-12-13-65991-x-prod.binaryedge.ninja - - [05/Jan/2020:07:18:48 -0500] "GET / HTTP/1.0" 302 212 "-" "-"
 min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:52 -0500] "GET / HTTP/1.0" 302 212 "-" "-"
 min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:54 -0500] "HELP" 400 226 "-" "-"
 min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:54 -0500] "\x1b\x84\xd5\xb0]\xf4\xc4\x93\xc50\xc2X\x8c\xda\xb1\xd7\xac\xafn\x1d\xe1\x1e\x1a3*\x85\xb7\x1d'\xb1\xc9k\xbf\xf0\xbc" 400 226 "-" "-"
 min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:56 -0500] "\x16\x03\x01" 400 226 "-" "-"
 min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:58 -0500] "\xbd\xff\x9e\xffE\xff\x9e\xff\xbd\xff\x9e\xff\xa4\xff\x86\xff\xc4\xff\xbe\xff\xc7\xff\xdb\xff\xee\xffx\d9\xff\xed\xff\xa4\xff\x9d\xff\xcf\xff\xd8\xff\xe5\xff\x04\xff\x12\xff0\xff\xb1\xff\xbd\xff\xe7\xff\xe2\xff\xdd\xff\xdc\xff\xde\xff\xc8\xff\xcc\xff\xbe\xff\xf8\xff&\xff\x01\xff\x0f\xff\xf5\xff\x06\xff\xff\xff\xf7\xff!\xff\xde\xff\x02\xff&\xff\x0c\xff\x01\xff\xf5\xff" 400 226 "-" "-"

Looking around the web, I see similar log messages on other publicly visible web logs and one suggesting some connection to Gh0st.

Does anyone have any idea what this is, and why this company would appear to be attacking my server and others?
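An added example, not part of the question: a parser that reads the log lines quoted above and labels each request as real HTTP, a TLS ClientHello sent to the plaintext port, a bare-word probe or opaque bytes, then totals the labels per source host. The label names are my own.

```python
import re
from collections import Counter, defaultdict

# The access-log lines quoted in the question above (not constructed).
SAMPLE_LOG = r"""
min-li-ustx-12-13-65991-x-prod.binaryedge.ninja - - [05/Jan/2020:07:18:48 -0500] "GET / HTTP/1.0" 302 212 "-" "-"
min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:52 -0500] "GET / HTTP/1.0" 302 212 "-" "-"
min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:54 -0500] "HELP" 400 226 "-" "-"
min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:54 -0500] "\x1b\x84\xd5\xb0]\xf4\xc4\x93\xc50\xc2X\x8c\xda\xb1\xd7\xac\xafn\x1d\xe1\x1e\x1a3*\x85\xb7\x1d'\xb1\xc9k\xbf\xf0\xbc" 400 226 "-" "-"
min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:56 -0500] "\x16\x03\x01" 400 226 "-" "-"
min-extra-grab-108-ustx-prod.binaryedge.ninja - - [05/Jan/2020:07:18:58 -0500] "\xbd\xff\x9e\xffE\xff\x9e\xff\xbd\xff\x9e\xff\xa4\xff\x86\xff\xc4\xff\xbe\xff\xc7\xff\xdb\xff\xee\xffx\d9\xff\xed\xff\xa4\xff\x9d\xff\xcf\xff\xd8\xff\xe5\xff\x04\xff\x12\xff0\xff\xb1\xff\xbd\xff\xe7\xff\xe2\xff\xdd\xff\xdc\xff\xde\xff\xc8\xff\xcc\xff\xbe\xff\xf8\xff&\xff\x01\xff\x0f\xff\xf5\xff\x06\xff\xff\xff\xf7\xff!\xff\xde\xff\x02\xff&\xff\x0c\xff\x01\xff\xf5\xff" 400 226 "-" "-"
"""

# Common Log Format prefix; the request field may hold escaped bytes (\xNN).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
REQUEST_LINE_RE = re.compile(r'^[A-Z]{3,10} \S+ HTTP/\d\.\d$')

def classify_request(request):
    """Label what actually hit the socket, from the server's escaped copy."""
    if REQUEST_LINE_RE.match(request):
        return "http"
    if request.startswith(r"\x16\x03\x01"):
        # TLS record type 0x16 (handshake), legacy version 3.1: a ClientHello
        # sent to the plaintext port, typical of a service fingerprinter.
        return "tls-clienthello"
    if re.fullmatch(r"[A-Za-z]+", request):
        return "bare-word-probe"      # "HELP": a text protocol other than HTTP
    return "binary-probe"             # opaque bytes that are not HTTP at all

def parse_log(text):
    """Parse lines into dicts (host, time, request, status, size, kind)."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "kind": classify_request(m["request"])})
    return entries

def summarize(entries):
    """Per source host, how many requests of each kind: several non-HTTP
    kinds from one host within seconds mark a scanner, not a web client."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[e["host"]][e["kind"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}
```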

Unknown hash from plaintext HTTP POST request

I was intercepting some HTTP POST requests while doing some pentests for the company I work for, and I found this POST request:

{"username-enc":"a5389f74e655a7f6c0526a84eb2137e0d310d5418db630fa","password-enc":"a5f2151cc46354c6f83b437d330cfb4af99744f97ba39914"} 

I ran this through several hashing sites to see if it was a simple MD5 or SHA1 but no luck.

Some backstory: this was from some authentication via an Inductive Automation app.

Hydra HTTP Form Post with parameters containing a colon “:”

I’m trying to brute force the login on my domain using THC Hydra v9.1-dev. It is using an ASP.NET form, and some of the required POST body parameters contain a colon (:), which is the separator used by Hydra. An example parameter: _ctl0:PlaceHolder:LoginName:txtLoginUsername=^USER^.

This makes Hydra think that I have _ctl0 as the first part and PlaceHolder as the error message.

I tried:

  • URL encoding them, e.g. this becomes: _ctl0%3APlaceHolder%3ALoginName%3AtxtLoginUsername=^USER^
  • replacing : with \:
  • placing the parameter in quotation marks ""

but none of them worked and I can’t seem to find a way to change the separator.

Any help is much appreciated!