MalaRIA CORS connector

By Krzysztof Kotowicz

About

MalaRIA

This is the MalaRIA connector. MalaRIA is a proof-of-concept by Erlend Oftedal for a proxy that abuses unrestricted cross-domain policies. It has two parts: the Flash/Silverlight connector(s) launched in a victim's browser, and a Java-based server. When the victim visits the page with the connector, it establishes a connection with the server, and from then on the victim's browser can be used as a proxy by the attacker (Flash/Silverlight processes the requests from the MalaRIA server and sends the responses back). The attacker controls MalaRIA from his own browser by simply pointing it at the HTTP proxy opened by MalaRIA.

This connector

Originally MalaRIA demonstrated that permissive crossdomain.xml files are bad (because an attacker can read it, e.g. via the MalaRIA proxy). But as I'm an HTML5 guy, I decided to create a connector compatible with my cors-proxy-browser, which can use CORS instead of Flash. To communicate with MalaRIA I use WebSocket (because I don't have raw Flash/Silverlight sockets available). And that's it. Now you can use MalaRIA with only HTML5 power.

Requirements

Usage

  1. Launch MalaRIA server and make it a WebSocket server
        $ cd MalaRIA-Proxy/proxy-backend
        $ javac malaria/*.java
        $ sudo java malaria.MalariaServer localhost 8081 8080 # launch malaria server with HTTP proxy on 8080 and connector proxy on 8081 
        [2nd shell]
        $ cd websockify
        $ ./websockify 8082 localhost:8081 # forward WebSocket connection via TCP to MalaRIA running on 8081
        
  2. Point your victim browser to this page
  3. Press 'start' to open WebSocket connection (use websockify port 8082)
  4. Set HTTP proxy on attacker's browser to localhost:8080
  5. Use attacker browser to navigate through victim browser (usual MalaRIA stuff). URLs have to be on the same domain as the connector or have CORS headers.
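
Step 5 means the connector can relay only responses that the victim's browser allows a foreign page to read, so a site's exposure comes down to its CORS response headers. The following JavaScript is an added example (not part of MalaRIA or of the original page) that applies the CORS check to constructed sample policies, so a site owner can see which ones need tightening; the function names, origins and policies are hypothetical.

```javascript
// Added example: classify what a script on a foreign origin (such as a
// CORS-based connector page) could read, following the browser's CORS check.
// Origins and policies below are constructed sample data.
function header(headers, name) {
  // Header names are case-insensitive; values are compared after trimming.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns 'none', 'anonymous' (readable only when no cookies are sent) or
// 'credentialed' (readable with the user's cookies / HTTP auth attached).
function crossOriginReadable(requestOrigin, headers) {
  const acao = header(headers, 'access-control-allow-origin');
  const acac = header(headers, 'access-control-allow-credentials');
  if (acao === null) return 'none';
  if (acao === '*') return 'anonymous';       // wildcard never permits credentials
  if (acao !== requestOrigin) return 'none';  // must match the origin exactly
  return acac === 'true' ? 'credentialed' : 'anonymous';
}

// Probe a policy with an origin the site has no reason to trust. If that
// origin is granted access, the policy is open to any page the user visits.
function auditPolicy(policy, probeOrigin = 'https://untrusted.example') {
  const access = crossOriginReadable(probeOrigin, policy(probeOrigin));
  const finding = {
    none: 'ok: foreign origins cannot read responses',
    // Still matters for hosts reachable only from the user's network.
    anonymous: 'review: any origin can read unauthenticated responses',
    credentialed: "high: any origin can read the logged-in user's responses",
  }[access];
  return { access, finding };
}

// Constructed server policies: each maps a request Origin to response headers.
const samplePolicies = {
  reflectWithCreds: o => ({ 'Access-Control-Allow-Origin': o,
                            'Access-Control-Allow-Credentials': 'true' }),
  wildcard: () => ({ 'access-control-allow-origin': '*' }),
  wildcardWithCreds: () => ({ 'Access-Control-Allow-Origin': '*',
                              'Access-Control-Allow-Credentials': 'true' }),
  allowList: o => (o === 'https://app.example'
    ? { 'Access-Control-Allow-Origin': o,
        'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' }
    : {}),
};

for (const [name, policy] of Object.entries(samplePolicies)) {
  console.log(name, auditPolicy(policy));
}
```

Only the allow-list policy keeps an arbitrary page out; reflecting the `Origin` header together with `Access-Control-Allow-Credentials: true` is the case that exposes authenticated content.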

Issues

Alpha quality. Use with caution. Fetching binary files works most likely with Chrome only.