Jump to content

  • Log In with Google      Sign In   
  • Create Account


Intercept HTTP Request


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
5 replies to this topic

#1 Alphanumber   Members   -  Reputation: 101

Like
0Likes
Like

Posted 06 February 2012 - 08:56 AM

So there's a game I wish to build that requires me to intercept the HTTP request from a browser.

Here's how I understand an HTTP request works:
-User types in a URL or clicks on hyperlink.
-Browser sends request over wire.
-Server returns the request with a HTTP and javascript (AJAX?)
-Browser renders file.

What I want to do is the following:
-Whenever a HTTP request is made, I intercept the request to get the URL.
-Check the URL to see if the site is somewhere on a database that carries a list of all URLs and "game objects" stored on the URL. (Part of the game allows users to leave "objects" like bombs and doors on a page)
-Get the actual HTTP/javascript from the page but do not send to browser
-Modify the HTTP/javascript to display game objects on page and floaties that allow the user to do certain actions like leave objects or interact with objects
-Send modified HTTP/javascript to browser for rendering

What technologies are available for this kind of functionality? Preferably in Java.

Sponsor:

#2 Tribad   Members   -  Reputation: 801

Like
0Likes
Like

Posted 06 February 2012 - 10:00 AM

What you ask for is the functionality of a web-server with a kind of plugin mechanism to selectivily process pages through some kind of extension-library.
I did wrote such a web-server in C++. It is pretty fast but needs another step of evolution. The API is not ready for general use. But maybe I get it right within the next month. I must earn some money to pay my bills. So the web-server development must wait.

#3 Antheus   Members   -  Reputation: 2393

Like
0Likes
Like

Posted 06 February 2012 - 10:01 AM

What technologies are available for this kind of functionality?


Cross-site scripting malware does this.

Since this falls under a security issue, browsers actively introduce features which prevent such behavior. Sites also increasingly support SSL to prevent man in the middle attacks.

Think what you're asking:
- user logs into a bank account
- when they make a deposit, their request is intercepted and sent to my server
- I modify the amount from $10 to $10,000 and submit that
- I return modified response to user showing they deposited $10.


Some sites offer augmenting of pages, such as leaving comments on third-party pages.

The way they work is that you install a plugin/bookmarklet. Whenever such user visits a page, the plugin makes a request to your server, saying something like: "show me extra content for page www.example.com". Plugin then renders this on top of original page. Intercepting requests is generally not possible since it's a considerably security flaw. Such plugins do not interfere with original page, they operate completely independently and in parallel. After original page has loaded, they can examine DOM to request additional third-party information, but only reactively and passively, they are prevented from interfering with original server/client communication.

#4 ApochPiQ   Moderators   -  Reputation: 14281

Like
0Likes
Like

Posted 06 February 2012 - 12:28 PM

This is a serious security problem and likely to get you into a lot of hot water.

There do exist technologies for this but they are highly platform-dependent and certainly not accessible from Java by any stretch of the imagination. I'm very, very hesitant to post information about how to do this in a public forum, however.

#5 Alphanumber   Members   -  Reputation: 101

Like
0Likes
Like

Posted 06 February 2012 - 12:41 PM

The motivation for looking for this kind of solution is mainly to explore ways of creating essentially a "browser game" that does not need to necessarily be natively programmed for each browser (write something that processes URLs and returns the page with appropriate game content rather than writing a toolbar for every web browser).

The project I'm currently working on is, from what I understand, is a copy of PMOG (Nethernet?) where players have these game items they can leave on the page. Currently, the programmer working on the project wrote a Firefox plugin that allows "leaving things on pages". The items left on pages are stored in a database and queries are done via RESTful calls.

The idea of looking for someway to intercept the requests is to make the game "browser agnostic" so I'm researching what ways are possible.

To be clear, this project is for a University course. I am actually interested by the reaction to my post. I was not aware that some technologies that can do the necessary functions could be considered dangerous. The actual tech that my professor suggested was not some cross site scripting malware, but a proxy.

Interesting indeed.

#6 Antheus   Members   -  Reputation: 2393

Like
0Likes
Like

Posted 06 February 2012 - 01:12 PM

Currently, the programmer working on the project wrote a Firefox plugin that allows "leaving things on pages". The items left on pages are stored in a database and queries are done via RESTful calls.


This is how it's done.

The idea of looking for someway to intercept the requests is to make the game "browser agnostic" so I'm researching what ways are possible.


Very impractical.

A proxy works, as long as everyone connects through it. HTTP defines SOCKS protocol for proxies. They must be manually configured on each client that wishes to use them (making them useless for most intranets and corporate networks which use such proxies internally). A transparent proxy would also need to respect HTTP request properties to avoid caching issues.

In lab, for experiment, sure. For WAN users - not viable.

---
Third option is writing plugin in something like Greasemonkey, available in all browsers.

---

Final option is having a gateway. Users go to www.redirector.com and specify they want to visit www.foo.com. Instead of making direct connection, server requests it on their behalf. Upon receiving the result, it rewrites all links on that page to again return results via www.redirector.com.

Downside of such approach is it doesn't allow for SSL and may cause problems with cookies.

Page operators will also be alerted to such traffic and may choose to blacklist such a server, since it's one of the simplest MITM attacks. Such portals are also closely associated with spam relays and other undesirable traffic and the originating IPs get blacklisted. Common term for such technology is anonymizer, most popular sites block them and monitor for such traffic.

I was not aware that some technologies that can do the necessary functions could be considered dangerous.


If such technique were possible transparently, online commerce isn't possible anymore. That is how dangerous it is.

Considerable effort goes into making precisely such behavior impossible, so there's some technical obstacles as well as many business processes in place that control such behavior.


In lab it's trivial - just connect to a proxy. But having something like this accessible on open web is, hopefully, very difficult.

----

Finally, outside of technical issues, such rewrites violate definition of net neutrality. Net neutrality basically states that anyone relaying traffic not intended for them will not interfere with it in any way, either through traffic shaping, rewriting, by modifying it or otherwise. It's not exactly a law, but is foundation of open internet. Topics like this are quite important given recent developments around SOPA and such.

SOPA, for example, gave individuals precisely this ability - they allowed them to intercept anyone's traffic and return their own results.




Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS