Myth: It Is Difficult for an Attacker to Create a Malicious Server

When we started finding malicious response bugs using the proxying approach (using Web Proxy Editor), some developers pushed back on the importance of these bugs. They didn't think it was practical for an attacker to create a server that would send the malformed responses. In the malicious request scenario, attackers can make manual modifications whenever they want to attack the server. In the malicious response scenario, attackers need to get a target to connect to their server so that they can send the malicious responses. Because attackers don't know when their victim will connect to the malicious server, automation is helpful. We wanted to show developers that it is extremely easy to create a server that responds with the malicious data normally crafted by hand in Web Proxy Editor. The solution was to use a small tool named EvilServer.

EvilServer

Once you find a bug manually using Web Proxy Editor, you can use the EvilServer tool (included on the companion Web site) to reproduce the bug. Web Proxy Editor logs all of the data sent through it, including modified data. EvilServer acts as a small Web server: if a client makes a request matching an entry in the Web Proxy Editor log, the corresponding logged response is sent back. This lets you create, in minutes, a server for any malicious response you like without writing any code. Complex clients often make many requests for other server functionality before the response of interest is sent. By using Web Proxy Editor and EvilServer, you can record and replay any set of HTTP functionality to satisfy the prerequisite requests and responses the client needs before it reaches the response under test.

Tip

Other simple ways to create easily reproducible malicious server response bugs include using a language such as C#, Perl, or Tcl to write a small proxy to the real server that modifies only the responses of interest.
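A record-and-replay server in the spirit of EvilServer, as an added example (not the book's tool, whose code is on the companion Web site): it answers each request with the raw response bytes logged for that method and path, so a response edited once in the proxy can be re-served unchanged to reproduce the client bug in a regression run. REPLAY_LOG, find_response, start_replay_server and fetch_raw are assumed names, and the log contents are constructed.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed replay log standing in for a Web Proxy Editor log: each entry is
# (method, path, raw response bytes). The second response is the one a tester
# would have edited in the proxy; its content is a placeholder, not a real bug.
REPLAY_LOG = [
    ("GET", "/login", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    ("GET", "/data", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nAAAAA"),
]

def find_response(log, method, path):
    """Return the raw response logged for (method, path), or None if unlogged."""
    for logged_method, logged_path, raw in log:
        if logged_method == method and logged_path == path:
            return raw
    return None

class ReplayHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        raw = find_response(REPLAY_LOG, "GET", self.path)
        if raw is None:
            self.send_error(404)  # request the tester never recorded
            return
        # Write the logged bytes verbatim instead of using send_response(), so
        # the server library cannot normalise the captured headers or body.
        self.wfile.write(raw)

def start_replay_server():
    """Serve REPLAY_LOG on a loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ReplayHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch_raw(port, path):
    """Raw-socket client: returns exactly the bytes the replay server sent."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: localhost\r\n\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

if __name__ == "__main__":
    server, port = start_replay_server()
    print(fetch_raw(port, "/data"))
    server.shutdown()
```

Pointing the client under test at the loopback port (by hosts-file entry or proxy setting) replays the prerequisite /login exchange and then the edited /data response in the same order the proxy log captured them.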



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156