Thursday, April 4, 2013

How to get the HTTPS headers?

Long-time sniffers remember tracking HTTP headers down the wire using Ethereal (now Wireshark), but this has become impossible in environments where everything is encrypted (HTTPS).

In such environments, tracking headers means monitoring either directly within the server process (difficult in clouds), or within the client process (typically a browser).

Recently I had to reverse-engineer the convoluted authentication to the CMIS endpoint of a Sharepoint server. Below is my tale, and the tools I tried (spoiler: only the last one did the job).

Contestant 1: Chrome Developer Tools

In Chrome, I start Incognito mode (CTRL-SHIFT-N) to make sure no saved passwords/cookies interfere, fire up the Developer Tools (CTRL-SHIFT-I), select "Network" to see the requests, and launch the request.

As seen in the screenshot below, Chrome shows the conversation between client and server. Something sounds fishy: Only 2 requests, and the last one is marked as "canceled" even though download succeded... let's try another tool!

Contestant 2: Firefox Web Console

In Firefox, I start Private Browsing mode (CTRL-SHIFT-P), fire up the Web Console (CTRL-SHIFT-K), unselect everything but "Net", and launch the request.

Firefox wins over Chrome by showing the right number of requests (four):

Now to the job: Getting the HTTPS headers!
I click on a request, and something awful happens: a totally unusable window appears, displaying what I need (request headers and response headers), but preventing me from copy-pasting it.

Mouse selection goes crazy, and copying everything results in an unusable long string containing everything aggregated without spaces [1]. Not to mention the inexact timestamp [2], the content that does not scale with the window [3], and the weird titles font style [4].

Fine if you just want to see the headers, but real hackers want to script-parse and diff the headers, right? Next!

Winner: Httpfox

In Firefox, after having installed the Httpfox extension, I start Private Browsing, fire up Httpfox (SHIFT-F2), press "Start", and launch the request.
The lower part shows the headers, and copying them is accessible via the context menu... perfect!

Conclusion: Httpfox is the easiest way to get HTTPS headers.
If you know any other convenient tool, please let us know in the comments!
Nicolas Raoul

No comments: