Go phishing: Extending the proxy

Designing the plugin architecture and lifecycle

To make plugins work, we first need to define a contract for plugins to implement. Plugins may need to do some kind of setup, like reading configuration from command line flags, and they will need to process each HTTP request-response transaction.

Initialize

When Judas starts, it will call every installed plugin’s Initialize function before any command line arguments are passed, or servers are created. Initialize can be used to define command line arguments, or read configuration data from a file.

ProcessTransactions

When the listener starts, Judas creates a channel and passes each request-response pair to it. This channel is shared between the intercepting proxy and plugins. Every plugin’s ProcessTransaction method will be run in a separate goroutine to prevent slow plugins from blocking others.

Name

This function returns the name of the plugin. It is used for debugging purposes.

Finding and running the plugins

Judas looks for .so files in the same directory as the judas executable. Plugins are stored in memory as a mapping of plugins to their arguments.

Creating a plugin

Creating plugins is pretty straightforward. A Judas plugin must expose a variable named “Plugin” that implements Plugin.

go build -buildmode=plugin -o loggingplugin.so bundled/loggingplugin.go
Machine:judas user$ file loggingplugin.so
loggingplugin.so: Mach-O 64-bit dynamically linked shared library x86_64

Limitations

  • As of Go 1.10, plugins are only supported on Mac OS X and Linux. It is not clear when Windows will be supported.
  • Plugin code is run in the same process, meaning if a plugin panics, it will crash the entire program.
  • There is no support for cryptographically signed plugins. Since the plugin API accepts a filename, it will be difficult to add signed plugins without creating TOCTOU vulnerabilities.

--

--

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonathan Cooper

Jonathan Cooper

264 Followers

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.