Intercepting and modifying HTTP uploads

Sniffing traffic is relatively easy enough. You just fire Wireshark up and look at the packets. Intercepting traffic and modifying it in real time is something that caught my attention, especially from an average user perspective. When you cannot trust users on your network of properly handling data in relation with filesharing services/cloud services, or you just want an easy way for them to upload encrypted data instead of plain-text, modifying their traffic on the fly is the way to go.

This is a proof-of-concept, where i’m using mitmproxy and Filedropper to show how easily can files be modified while being uploading and downloading to and from different filesharing services.

How does it happen

The first thing in my mind was to see what kind requests are being sent when uploading a file on Filedropper. As we can see in the picture below, in order to upload a file, a POST request is being sent. Notice that the content type is “application/octet-stream”.

httpheaders-upload

In order to download a file, another POST request is being sent, this time with a content type of “multipart/form-data”.

 

httpheaders-download

The reason why I am looking for the content type is that I need a filter expression in mitmproxy that will only intercept the requests that I want.

Setting up mitmproxy

MITMproxy is a transparent proxy written in python. I did my tests locally but this can also be done with another device on the network. Installation instruction can be found in the mitmproxy docs.

The following command will launch mitmproxy in normal proxy mode and it will bind it to the host:

mitmproxy –host

By default, mitmproxy runs on port 8080 so for the local test we will need to add the proxy settings in our browser, by adding our localhost and the default port : 127.0.0.1:8080. I used Chromium with the FoxyProxy which lets me turn the proxy settings on and off easily.

In order for us to see the requests that are being sent we will set up interception filters that will stop the packets from continuing to their destination. After launching mitmproxy, press “i” without the quotes.

mitmproxy-intercept

A new line will appear like in the picture above and the interception filters can be written.

  •  ~q & ~t “multipart/form-data” –  will intercept all requests that have the content type “multipart/form-data”
  •  ~s & ~t “application/octet-stream” – will match any response which has the content type “multipart/form-data”
  •  (~q & ~t “multipart/form-data”) | (~s & ~t “application/octet-stream”) – will intercept what either one of the 2 filters from above are intercepting

Packets that will be intercepted will not reach their destination until the user will let them. This can be done by pressing “a”.

The next step is to set up some replacing patterns.By pressing “R” ( shift+r), a new window will be opened where we can add our replacement patterns. Every entry will replace the text from the second column with the text from the third, only on packets that are intercepted by the filter in the first column.

mitmproxy-replace

Now that we have everything in place, try uploading a file on Filedropper and see what pops on mitmproxy. Check the video below to see how it worked for me.