By Krzysztof KotowiczWebSocket malaRIA server URL:
This is the MalaRIA connector. MalaRIA is a proof-of-concept made by Erlend Oftedal for a proxy abusing unrestricted cross domain policies. It's made of two parts: the Flash/Silverlight connector(s) launched on a victim browser, and a Java-based server. Victim visits the page with the connector, it establishes connection with server and from now on victim's browser can be used as a proxy by the attacker (Flash/Sliverlight processes the requests from the MalaRIA server and sends the responses back). Attacker controls MalaRIA in his browser by simply pointing to the HTTP proxy opened by MalaRIA.
Originally MalaRIA demonstrated that permissive
crossdomain.xml files are bad (because attacker can read it e.g. via the MalaRIA proxy).
But as I'm a HTML5 guy, I decided to create a connector compatible with my cors-proxy-browser, which can use CORS instead of flash.
To communicate with MalaRIA I use WebSocket (because I don't have raw flash/silverlight sockets available). And that's it. Now you can use MalaRIA with only HTML5 power.
$ cd MalaRIA-Proxy/proxy-backend $ javac malaria/*.java $ sudo java malaria.MalariaServer localhost 8081 8080 # launch malaria server with HTTP proxy on 8080 and connector proxy on 8081 [2nd shell] $ cd websockify $ ./websockity 8082 localhost:8081 # forward WebSocket connection via TCP to MalaRIA running on 8081
) or have CORS headers.
Alpha quality. Use with caution. Fetching binary files works most likely with Chrome only.