i monitored the traffic of an app with fiddler.
The app sends some requests to the server.
This requests should contain a device ID and the current firmeware version of the device
But for only this information the request is much to big.
Here are tow requests i recorded:
example 1:
Cl1YuDjQu+tK3K1S+A1gevyMuL2orViK3ViK3T8yuW8qsmHwuT8k2T8y5THv3T5i2msisvtl2mNW5m2rtKkrtWLxrnVlu+2rtMZrtM/v2mOl3T8y2Mtk5MIrtKkrtX2ZuvyIBaLluLiK3ViK2Gsi5DtlsG8k5mBVsGsksmtyuMuWsmHxuMjMsmuV5v/w2TLV2mrqujiKF0tdtW1huaQK3K1S+A1irWPQBD2o0O7rtMZrtMtk5T5k2MJi5TJo+Atd+A1Qu+uZsvLDu+1mpDPg+Atz+Atx6Msg5LiK6jiKunLvpD2V0O7rtMZrtV8o3G/l2GNsLVNu+A1PtXo=
example 2:
Cl1YuDjQu+tK3K1S+A1gevyMuL2orViK3ViKunuIuTrvuWLW5D1M2TQkuMVV5GuI5vuW3D5w5GQkuTVrtKkrtWLxrnVlu+2rtMZrtM/v2mOl3Tsi3T8y5mBrtKkrtX2ZuvyIBaLluLiK3ViK5mHy3n2M2v/q5MtouG/v3GJi5GtisGsy2Mtksmsm2TuVuWsosGHq5jiKF0tdtW1huaQK3K1S+A1irWPQBD2o0O7rtMZrtMtk5T5k2MJi5TJo+Atd+A1Qu+uZsvLDu+1mpDPg+Atz+Atx6Msg5LiK6jiKunLvpD2V0O7rtMZrtV8o3G/l2GBG7OIG+A1PtXo=
example 1 was for device id: T491250XVPY
example 2 was for device id: T491257SEHS
I would like to know which additional informations are send to the server.
How could i decode the data send to the server?
I allready tried to decode it with base64 and urldecode but the results does not contain the device ids.
Related
I want to create an application that works as a "man in the middle" to analyze a protocol (ISO 8583) sent over TCP/IP.
A client connects to the application and sends some binary data (average length 500 bytes).
The application receives the message and then sends it to the real server.
The server responds to the request to the application.
The application sends the response to the original client.
Some context: The main idea is to get the raw binary data and convert it to a string for parsing and decoding the protocol.
There are two parts to the project:
The gateway part (man in the middle).
Parsing and decoding of the data.
I am expending too much time on the first part. So, if there is a mock-up that I can use to get me started, it will be nice. It doesn't have to be with Indy, but I prefer C++Builder.
This is my first time with Indy, and although I have experience working with TCP/IP, I have always used it as something that is already there, never at the low-level implementation.
I am testing with Hercules, and so far I can see the connections.
When I connect to a server in Hercules, I can see that my application is connecting. But, when my application disconnects, I don't see a message that says so, which means (I think) that my app is not disconnecting correctly (but I can reconnect as many times as I want).
I am sending data to my application using Hercules (a "Hello" string). It is working apparently, but I am having a hard time getting the actual data.
The documentation sometimes gets me into dead links, there are no samples or they are available on Delphi.
I am working with the following:
Windows 11 Home
Embarcadero® C++Builder 10.4 Version 27.0.40680.4203
Delphi and C++ Builder 10.4 Update 2
Indy 10.6.2.0
Have a look at Indy's TIdMappedPortTCP component. It is a TCP server that acts as a MITM proxy between clients and a specified server, giving you events when either party sends raw data.
Use the Bindings collection, or DefaultPort property, to specify the local IP/Port(s) that you want the server to listen for clients on.
Use the MappedHost and MappedPort properties to specify the remote server that you want TIdMappedPortTCP to connect to.
The OnBeforeConnect event is fired when a client has connected to TIdMappePortTCP.
The OnConnect event is fired just before TIdMappedPortTCP attempts to connect to the remote server.
The OnOutboundClientConnect event is fired when TIdMappedPortTCP has connected to the remote server.
The OnExecute event is fired when a client send bytes to TIdMappedPortTCP, and before the bytes are sent to the remote server. The event can alter the bytes, if desired.
The OnOutboundData event is fired when the remote server send bytes to TIdMappedPortTCP, and before the bytes are sent to the client. The event can alter the bytes, if desired.
I have 2 servers lets name them serverA and serverFirebase
serverA has no internet access and only accessible in a local network and it hosts a .net application
serverFirebase is google firebase server
i need to send a request from serverA to serverFirebase but i can't because serverA has no internet access
the solution that came to my mind is that since the browser (that shows the web app from serverA) has internet access i could proxy my request using his browser
so it would be like this
serverA -> browser -> serverFirebase
now the way that i wanna do this is like this:
1 - create a rsa key pair and have the private key in serverA and the public key in serverFirebase
2 - in serverA create a sha256 hash of the request payload and padd it and sign it using the priavte key (note that the request payload has an order number that can only be used once)
3 - send the payload and the signed hash to browser
4 - send the payload and the signed hash from borwser to serverFirebase
5 - in serverFirebase decrypt the signed hash using the public key and compare it to the hash of the payload and check that the order number hasn't been used before
my question is that is this method secure enough? and if there are any protocols to handle this situation already.
thanks
I think that depends on your threat model and who you expect your attackers to be and what you are assuming about the environment.
Without making this too complicated, one avenue of attack that comes to mind is man-in-the-middle between the browser and the serverFirebase. An attacker can potentially just read the messages you're generating on serverA and store it. Since he can read your messages (you're only signing the digest and leaving the payload itself unencrypted), he knows what they say and send the messages he wants, in an ordering that he wants, and whenever he wants.
If for example, your first message is buy 200 shares of Penny Stock and your next message is sell 100 shares of Penny Stock. The attacker can potentially only relay the first message and not the second.
I came across the term HTTP. I have done some research and wanted to ensure that I correctly understood the term.
So, is it true that HTTP, in simple words, a letter containing information in the language that both client and server can understand.
Then, that letter is sent to the server thanks to TCP/IP which serves as a car that takes that letter to the server.
Then, after the letter is delivered to the server, the server reads the content of the letter and if it is GET request, the server takes the necessary data and ATTACHES that data to the letter and sends back to the client via again TCP/IP. But if it was POST request then the client ATTACHES the DATA to the letter and sends it to the server so that it saves that data in the database.
Is that true?
Basically, it is true.
However, the server can decide what to do if it is a GET or POST or any other request(it doesn't need to e.g. append it to a file).
I will show you some additional information/try to explain it in my words:
TCP is another communication protocol protocol. It allows a client to open a connection to a server and they can communicate afterwards.
HTTP(hyper text transfer protocol) builds up on TCP.
At first, the client opens a connection to the server.
After that, the client sends the HTTP Request. The first line contains the type of the request, the path and the version. For example, it could be GET / HTTP/1.1.
The next part of the request contains the Request parameters. Every parameter is a line. The parameters are sent like the following: paramName: paramValue
This part of the request ends with an empty line.
If it is a POST Request, query parameters are added next. If it is a GET Request, these query parameters are added with the path(e.g. /index.html?paramName=paramValue)
After rescieving the Request, the server sends a HTTP Response back to the client.
The first line of the response contains the HTTP version, the status code and the status message. For example, it could be HTTP/1.1 200 OK.
Then, just like in the request, the response parameters are following. For example Content-Length: 1024.
The response parameters also end with an empty line.
The last part of the response is the body/content. For example, this could be the HTML code of the website you are visiting.
Obviously, the length of the content/body of the response has to match the Content-Length parameter(in bytes).
After that, the connection will be closed(normally). If the client to e.g. request resources, it will send another request. The server has NO POSSIBILITY to send data to the client after that unless the client sends another request(websockets can bypass this issue).
GET is meant to get the content of a site A web browser will send a GET request if you type in a URL. POST can be used to update a site but in fact, the server can decide that. POST can be also used if the server doesn't want query parameters to be shown in the address bar.
There are other methods like PATCH or DELETE that are used by some APIs.
Some important status codes (and status messages) are:
200 OK (everything went well)
204 No content (like ok but there is no body in the response)
400 Bad Request (something is wrong with the Request)
404 Not found (the requested file(the path) was not found on the server)
500 Internal server error (An error occured while processing the request)
Every status code beginning with 1 is related to inform the client of something.
If it is starting with 2, everything went right.
Status code beginning with 3 forward the client to another site.
If it starts with 4, there is a error on the client side.
Codes starting with 5 represent an error that occured on the server side.
TCP is a network protocol that establishes a connection with the server over a network (or the Internet) and allows two-way communication. The HTTP will traffic inside this TCP tunnel. TCP is a very useful protocol that helps keep things sane, it ensures data packets are read in the correct order and that packets that went missing during transmission are sent again.
Sometimes there will be another protocol layer between HTTP and TCP, called SSL. It is responsible for encrypting the data that traffics over TCP, so that it is transmitted safely over unsafe networks. This is know as HTTPS, and is just HTTP but using this additional layer.
Although almost always true, HTTP doesn't necessarily uses TCP. UPnP requests use HTTP over UDP, a network protocol that uses standalone packets instead of a connection.
HTTP is a plain text protocol, meaning it's designed in such a way that a human can understand it without using any tools. This is very convenient for learning.
If you're using Firefox or Chrome, you can press Ctrl-Shift-C to open the Developer Tools, and under the Network tab you will see every HTTP request your browser is making, see exactly what's the request, what the server answered etc, and get a better view of how this protocol works.
Explaining it in details is... too extensive for this answer. But as you will see it's not that complicated.
Say i make the web request(www.amazon.com) to amazon web server through browser. Browser makes the connection with Internet through Internet service providers.
Request reaches to amazon server which process it and send back the response. Two questions here :-
Does Amazon server makes new connection with internet to send the response back or incoming request(initiated by me) waits on socket till amazon process the response ?
Once my browser receives the response how does it map the response(sent from amazon) back to particular request . I believe there must be some unique identifier like
requestId must be present in response through which browser must be mapping to request. Is that correct ?
Does Amazon server makes new connection with internet to send the response back or incoming request(initiated by me) waits on socket
till amazon process the response ?
It uses the same connection. Most of the time it's not even possible to connect back to a web browser due to firewall restrictions or Network Address Translation (NAT).
Once my browser receives the request how does it map the response(sent from amazon) back to particular request . I believe
there must be some unique identifier like requestId must be present in
response through which browser must be mapping to request. Is that
correct ?
It receives the response on the same socket. So the socket is the identifier. If HTTP2 multiplexing is used, then each multiplexed stream has a stream identifier, which is used to map the response back to the request.
The client opens a TCP-connection to the server, sends an HTTP-request and the server sends the response using the same connection. So, the browser knows from the connection that the response belongs to a specific request. This applies to basic HTTP 1.
This has to be distinguished from the programming model of an AJAX web application which is asynchronous and not synchronous. The application does not actively wait for a response. It is instead triggered later when the response arrives. The connection handling described above is what happens "under the hood".
Back to the connection handling: There are optimizations of HTTP that make things more complicated. HTTP 1.1 has a feature called "keep alive" and HTTP 2 goes further into this direction. The idea is to send more data over a single TCP-connection because establishing a TCP-connection is expensive (-> three way handshake, slow start). So, multiple requests and responses are sent over a single TCP-connection. Your question arises again in case of this optimization. If e. g. there is a sequence of requests A, B and a sequence of corresponding responses B, A within a single HTTP-connection how does the browser know the request a response belongs to? HTTP 2 introduces the concept of streams (RFC 7540, section 5):
A single HTTP/2 connection can contain multiple concurrently open
streams, with either endpoint interleaving frames from multiple
streams.
The order in which frames are sent on a stream is significant.
Streams are identified by an integer.
So, the stream identifier and the order within a stream can be used by the browser to find out the request a response belongs to.
HTTP 2 introduces another interesting feature which is called "push". The client can proactively send resources to the client that the client has not even requested. So, resources like e. g. images can be already sent when the HTML is requested avoiding another communication roundtrip.
HTTP uses Transfer Control Protocol. This is how it happens-
Does Amazon server makes new connection with internet to send the response back or incoming request(initiated by me) waits on socket till amazon process the response ?
No. Most browsers use HTTP 1.1 so the connection between client and server is established only once until closed (Persistent connection).
Once my browser receives the request how does it map the response(sent from amazon) back to particular request . I believe there must be some unique identifier like requestId must be present in response through which browser must be mapping to request. Is that correct ?
There is a protocol(HTTP) on how the messages are exchanged. HTTP dictates that responses must arrive in the order they were requested. So it goes like-
Request;Response;Request;Response;Request;Response;...
And there is also a specific format of HTTP request (from your browser- HTTP client) and HTTP response message (from amazon HTTP server). There are response status codes that let the browser know if their request has been succeeded, otherwise tell the errors.
A few sample codes-
is it possible to find out the connection speed of the client when it requests a page on my website.
i want to serve video files but depending on how fast the clients network is i would like to serve higher or lower quality videos. google analytics is showing me the clients connection types, how can i find out what kind of network the visitor is connected to?
thx
No, there's no feasible way to detect this server-side short of monitoring the network stream's send buffer while streaming something. If you can switch quality mid-stream, this is a viable approach because if the user's Internet connection suddenly gets burdened by a download you could detect this and switch to a lower-quality stream.
But if you just want to detect the speed initially, you'd be better off doing this detection on the client and sending the results to the server with the video request.
Assign each request a token /videos/data.flv?token=uuid123, and calculate amount of data your webserver sends for this token per second (possible check for multiple tokens at one username at a time period). You can do this with Apache sources and APR.