Go phishing: Extending the proxy

In the last post, Judas got SOCKS proxy and SSL support to make the proxy sneakier, but all it can do with what it captures is dump requests and responses to the console. What if a red teamer wants to send them to a logging REST API instead? Go's standard library plugin package makes that possible.

Designing the plugin architecture and lifecycle

Plugins only have to implement the Plugin interface in github.com/joncooperworks/judas/plugins. Judas opens each plugin's shared object, looks up its exported symbol and type-asserts it to Plugin before handing it to the rest of the program, so a symbol that does not satisfy the interface fails at load time rather than on its first use.

Initialize

ProcessTransactions

Name

Finding and running the plugins

The map of loaded plugins is later used to hand each plugin the HTTPTransaction channel along with the arguments its own Initialize returned.
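The host side of that design, written here as an added example rather than Judas's own code: the HTTPTransaction struct, the Plugin method signatures and the exported symbol name Plugin are assumptions made for this example (the post names the methods but does not show their signatures). asPlugin is the type assertion the post mentions, loadPlugins builds the map of plugins keyed by Name, and runPlugins hands each plugin its own channel plus the values its Initialize returned.

```go
package main

import (
	"fmt"
	"net/http"
	"plugin"
	"sync"
)

// HTTPTransaction stands in for the request/response pair the proxy hands to
// plugins (field set assumed for this example).
type HTTPTransaction struct {
	Request  *http.Request
	Response *http.Response
}

// Plugin uses the method names from the post with assumed signatures: Initialize
// gets the plugin's own arguments and returns what ProcessTransactions later receives.
type Plugin interface {
	Initialize(args []string) ([]string, error)
	ProcessTransactions(transactions <-chan *HTTPTransaction, args []string)
	Name() string
}

// symbolName is the exported variable looked up in each shared object (assumed).
const symbolName = "Plugin"

// asPlugin is the type assertion the post describes. plugin.Lookup returns a pointer
// to an exported variable, so `var Plugin myType` arrives as *myType and
// `var Plugin plugins.Plugin = ...` arrives as *Plugin; both shapes are accepted.
func asPlugin(sym plugin.Symbol) (Plugin, error) {
	switch v := sym.(type) {
	case Plugin:
		return v, nil
	case *Plugin:
		if *v != nil {
			return *v, nil
		}
	}
	return nil, fmt.Errorf("symbol %s has type %T, which does not implement Plugin", symbolName, sym)
}

// loadPlugins opens each shared object, looks up the symbol and keys the Plugin
// by Name(); a duplicate name is an error so plugins cannot shadow each other.
func loadPlugins(paths []string) (map[string]Plugin, error) {
	loaded := make(map[string]Plugin, len(paths))
	for _, path := range paths {
		so, err := plugin.Open(path)
		if err != nil {
			return nil, fmt.Errorf("open %s: %w", path, err)
		}
		sym, err := so.Lookup(symbolName)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		p, err := asPlugin(sym)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if _, dup := loaded[p.Name()]; dup {
			return nil, fmt.Errorf("%s: duplicate plugin name %q", path, p.Name())
		}
		loaded[p.Name()] = p
	}
	return loaded, nil
}

// runPlugins initializes every plugin before starting any goroutine (so an Initialize
// failure leaks nothing), gives each its own buffered channel, fans every transaction
// out, and returns once the input is closed and all plugins have returned. A plugin
// that stops reading blocks the fan-out once its buffer fills; dropping transactions
// instead would silently lose captured traffic.
func runPlugins(plugins map[string]Plugin, in <-chan *HTTPTransaction, pluginArgs map[string][]string) error {
	initArgs := make(map[string][]string, len(plugins))
	for name, p := range plugins {
		args, err := p.Initialize(pluginArgs[name])
		if err != nil {
			return fmt.Errorf("initialize %s: %w", name, err)
		}
		initArgs[name] = args
	}
	var wg sync.WaitGroup
	chans := make([]chan *HTTPTransaction, 0, len(plugins))
	for name, p := range plugins {
		ch := make(chan *HTTPTransaction, 64)
		chans = append(chans, ch)
		wg.Add(1)
		go func(p Plugin, ch <-chan *HTTPTransaction, args []string) {
			defer wg.Done()
			p.ProcessTransactions(ch, args)
		}(p, ch, initArgs[name])
	}
	for tx := range in {
		for _, ch := range chans {
			ch <- tx
		}
	}
	for _, ch := range chans {
		close(ch)
	}
	wg.Wait()
	return nil
}
```

This is the host's loader and dispatcher, so it has no main of its own; it drops into the host program as-is. loadPlugins only succeeds for shared objects built with the same Go toolchain and the same versions of shared packages as the host, which is a property of the plugin package rather than of this code.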

Creating a plugin

Go plugins must be package main but do not need a main function. The plugin below logs every request and response it receives to the console, but it could just as well send the data to another service for logging or further processing. Two constraints of the plugin package are worth knowing before shipping one: the plugin and the host must be built with the same Go toolchain version and the same versions of any packages they share (including github.com/joncooperworks/judas/plugins), otherwise plugin.Open fails with a version mismatch error; and plugins are only supported on Linux, FreeBSD and macOS, and need cgo.

To build a plugin, pass -buildmode=plugin to go build:

go build -buildmode=plugin -o loggingplugin.so bundled/loggingplugin.go

This produces a shared object, loggingplugin.so, in the current working directory (file reports a Mach-O dynamic library on macOS and an ELF shared object on Linux).

Machine:judas user$ file loggingplugin.so
loggingplugin.so: Mach-O 64-bit dynamically linked shared library x86_64

Limitations

  • Plugin code runs in the host's process, so an unrecovered panic in a plugin crashes Judas along with it. A recover in the goroutine the host uses to call the plugin catches panics raised there, but not panics in goroutines the plugin starts itself, and runtime fatal errors such as concurrent map writes cannot be recovered at all.
  • There is no support for cryptographically signed plugins. plugin.Open takes a filename rather than file contents, so a design that verifies a signature over the file and then opens it by path is a time-of-check/time-of-use race: the file can be swapped between the check and the load.
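Two mitigations for those limitations, as an added example and not something Judas does: runGuarded contains panics on the goroutine the host uses to call a plugin, and openVerified narrows the check-then-open race by verifying a signature over the bytes it has already read and loading a private copy of exactly those bytes. The signature format (a detached Ed25519 signature over the raw file contents) and the staging directory are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"plugin"
)

var errBadSignature = errors.New("plugin signature verification failed")

// runGuarded calls fn and turns a panic into an error. It only covers panics
// raised on this goroutine: a panic inside a goroutine the plugin starts itself
// still kills the process, and runtime fatal errors (concurrent map writes, out
// of memory) cannot be recovered at all.
func runGuarded(name string, fn func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("plugin %s panicked: %v", name, r)
		}
	}()
	fn()
	return nil
}

// verifyPluginBytes checks a detached Ed25519 signature over bytes the caller
// already holds in memory, so the check and the later load refer to the same
// data. ed25519.Verify panics on a malformed key, hence the length check.
func verifyPluginBytes(pub ed25519.PublicKey, data, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, data, sig) {
		return errBadSignature
	}
	return nil
}

// openVerified reads the file once, verifies those bytes, writes them to a fresh
// file inside a directory this process created with mode 0700, and opens that
// copy. Swapping the original path between check and load no longer changes
// what is loaded. What remains: plugin.Open still takes a path, so anyone who
// can write into this process's temp directory could still race it, and the
// scheme is only as strong as the host's handling of the public key.
func openVerified(pub ed25519.PublicKey, path string, sig []byte) (*plugin.Plugin, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read %s: %w", path, err)
	}
	if err := verifyPluginBytes(pub, data, sig); err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	dir, err := os.MkdirTemp("", "judas-plugin-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir) // runs after Open; the loaded mapping outlives the directory entry
	staged := filepath.Join(dir, filepath.Base(path))
	if err := os.WriteFile(staged, data, 0o500); err != nil {
		return nil, fmt.Errorf("stage %s: %w", path, err)
	}
	return plugin.Open(staged)
}

func main() {
	err := runGuarded("demo", func() { panic("boom") })
	fmt.Println("contained:", err)
}
```

The host would wrap each plugin's ProcessTransactions call in runGuarded and treat an error as "this plugin is dead" rather than as a reason to exit; the goroutine caveat in the comment is the reason this is a mitigation, not a fix.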

Liked this post and want to leave a tip?

BTC: 3AubYUbbzEZ1ETnFWVjBHzXio47cdVERSj

ETH: 0x2D687E2234c2e9A7cC9Ef3CCD1eD4AC249EA6aCd

Jonathan Cooper

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.