Protocol Not Implemented? I think there is a Minor Bug in SafeSquid's Redirect Section
Posted: Thu Aug 22, 2019 1:33 pm
ERROR !!!!!!!!
For just trying to search a URL on google.com, I got the below Error.
Protocol Not Implemented.
----------------
Analysis:
----------------
As per my Understanding,
In the Redirection Section of SafeSquid-SWG there is a Small bug.
When we enable Google SafeSearch.
To do that we Create a Profile and link it in Redirect Section
SafeSquid then Appends "&safe=active" to the User Requested URL.
While going through the Log I found out that,
In Redirect Section,
When SafeSquid Receives the FilePath
It does not parse the FilePath properly.
A small Snippet can tell you the Impact.
-------------------------------------------------------
2019 08 22 14:21:09.727 [7867] redirect: [IP: 192.168.0.17] request for
/search?q=https://www.youtube.com/feed/&source=ln ... 40&bih=325
to
/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325&safe=active
In the Above Log we can see that the FilePath is not same after adding "&safe=active" to the User Requested URL.
It has changed from:
/search?q=https://www.youtube.com/feed/&source=ln ... 40&bih=325
TO:
/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325&safe=active
it has somehow removed the initial: /search?q=https://www.youtube.com/
and after this,
The more interesting part is the hostname string inside FilePath also got changed.
here From youtube.com it has got converted to google.com,
have a look over here.
From This:
/search?q=https://www.youtube.com/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325
It has changed To This:
/search?q=https://www.google.com/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325&safe=active
Because of this,
there were further parsing Flaws
Like over here:
2019 08 22 14:21:09.728 [7867] debug: network: Find_: 154 common socket /search?q=https://www.google.com:443
Which then resulted in wrong Parsing of Protocol
2019 08 22 14:21:09.781 [7867] security: [IP:192.168.0.17] Breach: protocol: /search?q=https
usually I would have done the same:
get the first occurrence of ":" and get the data prior to it.
Same happened over here
Data prior to ":" is /search?q=https
and this cannot be identified as a Protocol
which Resulted in SafeSquid Displaying ERROR as Protocol Not Implemented.
Full logs are displayed below.
You all can also analyse and come to a conclusion.
FULL LOG LINE:
-------------------------
2019 08 22 14:21:09.726 [7867] debug: network: ClientPool::Poll(14) activated: 1
2019 08 22 14:21:09.726 [7867] debug: header: header_get:1021 from 192.168.0.17
2019 08 22 14:21:09.727 [7867] debug: header: [IP:192.168.0.17] [request:2] header_get(client):
GET /search?q=https://www.youtube.com/feed/&source=ln ... 40&bih=325 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: CGIC=Ij90ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjg; 1P_JAR=2019-08-22-08; NID=188=SCVi8gci4gyNVGroKj03Irm2Chcih3OIC7UJLs8iAMmq7fsQRERfSdMlatyVlrvhw6wm6UngW-CcAqsLzc-T-MvItmXHvAXhkCyv0Iqx5mY2ktSw8h3QHx8Jn-HlYX7DmOH3vsKwjl4CCJj8nqCTWkE26xGapSUfitf9HSKG-XM; OGPC=19013527-1:; ANID=AHWqTUn6ekgGfcsjszJhEQje_RhNMS5_jzmUGHg3wHBX3Z0Bn9a2rvv7v3avHPPp; DV=g13cdRELPgcggNhQRBDdE3FIGUiIy5Y3wvMubcWccwAAAAA
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
2019 08 22 14:21:09.727 [7867] debug: category: private categorization: categories :[MY GOOGLE]
2019 08 22 14:21:09.727 [7867] debug: module: ssqore:categorise www.google.com/search
2019 08 22 14:21:09.727 [7867] debug: module: ssqore:categorise [latency: 111.0000 us] [cache:hit] www.google.com/search
2019 08 22 14:21:09.727 [7867] debug: category: ssqore:rate_request www.google.com/search [categories:1]
2019 08 22 14:21:09.727 [7867] debug: category: ssqore:rate_request www.google.com/search [0/1] [Category ID:15:Search Engines & Portals]
2019 08 22 14:21:09.727 [7867] redirect: [IP: 192.168.0.17] request for /search?q=https://www.youtube.com/feed/&source=ln ... 40&bih=325 to /feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325&safe=active
2019 08 22 14:21:09.728 [7867] warn: header: this was a HTTP request, it's now a proxy request
2019 08 22 14:21:09.728 [7867] redirect: [IP: 192.168.0.17] request for /search?q=https://www.google.com/feed/&source=lnm ... afe=active to /search?q=https://www.google.com/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325&safe=active&safe=active
2019 08 22 14:21:09.728 [7867] debug: network: DNS[IPv4]: cache[hit] www.google.com -> 216.58.203.132
2019 08 22 14:21:09.728 [7867] debug: request: auto request for encoded content
2019 08 22 14:21:09.728 [7867] debug: network: Find_: 154 common socket /search?q=https://www.google.com:443
2019 08 22 14:21:09.728 [7867] debug: network: Connection Pool: common[miss]: /search?q=https://(null):*@www.google.com:443
2019 08 22 14:21:09.728 [7867] debug: network: DNS[IPv4]: cache[hit] www.google.com -> 216.58.203.132
2019 08 22 14:21:09.728 [7867] debug: network: net_connect_: successful [fd:19] to www.google.com:443
2019 08 22 14:21:09.728 [7867] debug: ssl: check:1236 deep scan enforced on connection
2019 08 22 14:21:09.751 [7867] debug: ssl: CTXcacheOUT::find_ctx:4538 cache[335]hit: ref[2]www.google.com
2019 08 22 14:21:09.751 [7867] debug: ssl: EncryptS:939 SSL_set_tlsext_host_name www.google.com
2019 08 22 14:21:09.781 [7867] debug: ssl: EncryptS:990 [site:www.google.com] [session cached:yes] [session reused:yes]
2019 08 22 14:21:09.781 [7867] debug: ssl: ServerEncrypt: www.google.com:443 Allowed: has ssl certificate
2019 08 22 14:21:09.781 [7867] debug: ssl: Allowed: www.google.com:443 matched certificate domainName
2019 08 22 14:21:09.781 [7867] security: [IP:192.168.0.17] Breach: protocol: /search?q=https
2019 08 22 14:21:09.782 [7867] request: [IP:192.168.0.17] blocked: www.google.com/feed/&source=lnms&tbm=is ... afe=active
2019 08 22 14:21:09.782 [7867] debug: header: header_send: -> 192.168.0.17:
HTTP/1.1 200 OK
X-Powered-By: safesquid-2019.0806.1738.3-seqrite-standard
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 29657
Connection: close
X-SafeSquid-Client-ID: 7867.2
X-SafeSquid-Profiles: ENFORCE GOOGLE SAFE SEARCH,MY IP LOGIN ALLOWED
X-SafeSquid-Categories: MY GOOGLE,Search Engines & Portals
X-SafeSquid-Request-Types: Firefox,Internet Browser,Google,Google Search,Google UnSafe Search,Google Services
X-SafeSquid-Application-Signatures: Firefox,Internet Browser,Google,Google Search,Google UnSafe Search,Google Services
X-SafeSquid-User-Groups: TESTING GROUP
X-URL-Cat: Search Engines & Portals
X-Registered-Domain: google.com
Cache-Control: no-cache
X-Template: badprotocol
Server: SafeSquid
2019 08 22 14:21:09.782 [7867] template: send:272 [IP:192.168.0.17] sent badprotocol
2019 08 22 14:21:09.783 [7867] debug: network: closesocket: _socket_:19 192.168.249.86:31413 216.58.203.132:443
2019 08 22 14:21:09.784 [7867] network: IP:192.168.0.17 fd:14 secured client disconnected after making 3 requests
2019 08 22 14:21:09.784 [7867] debug: network: closesocket: _socket_:14 192.168.249.86:8080 192.168.0.17:52006
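The post's reading of the log is that a URL carried inside the q= parameter was taken for the request's own authority, so the path, the host and then the "protocol" were all derived from the wrong place. The Python below is an added example, not SafeSquid's code, showing how a proxy-side rewrite avoids that class of defect: the request target is parsed into components before safe=active is appended (so the embedded URL is percent-encoded and the rewrite is idempotent, avoiding the "&safe=active&safe=active" seen in the second redirect line), the scheme is accepted only if it satisfies the RFC 3986 grammar rather than being "whatever precedes the first colon", and a small checker flags redirect log lines whose path changed. The sample targets and the constructed log line are assembled from the values quoted in the post; the function names and the log-line regex are assumptions of this example.

```python
"""Added example, not SafeSquid code: parse the request target instead of
manipulating it as a string when appending safe=active, and validate the
scheme instead of splitting at the first ':'.  The sample targets and the
redirect log line are constructed from the values quoted in the post."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Assumed shape of the redirect log line: "... request for X to Y".
_REDIRECT_RE = re.compile(r"redirect: .*? request for (.+?) to (\S+)$")

# Original request target quoted in the post (before any rewrite).
ORIGINAL = ("/search?q=https://www.youtube.com/feed/&source=lnms&tbm=isch"
            "&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD&biw=1440&bih=325")
# The rewritten target the proxy logged.
MANGLED = ("/feed/&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjf9r6sjJbkAhVQmI8KHdd-BPkQ_AUIEygD"
           "&biw=1440&bih=325&safe=active")


def naive_scheme(target: str) -> str:
    """The heuristic the post describes: everything before the first ':'.
    On the mangled target this yields "/search?q=https", which is not a protocol."""
    return target.split(":", 1)[0]


def scheme_of(target: str) -> Optional[str]:
    """Return the scheme only when the text before ':' satisfies the RFC 3986
    grammar.  An origin-form target (starts with '/') never carries one, so a
    ':' inside its query string cannot be mistaken for a scheme delimiter."""
    if target.startswith("/"):
        return None
    m = _SCHEME_RE.match(target)
    return m.group(1).lower() if m else None


def append_safe_search(target: str) -> str:
    """Set safe=active on an origin-form request target.

    urlsplit keeps /search as the path whatever the q= value contains;
    urlencode percent-encodes the embedded URL so "://" can no longer be read
    as an authority; dropping any existing safe= parameter first makes the
    rewrite idempotent (no "&safe=active&safe=active")."""
    parts = urlsplit(target)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "safe"]
    params.append(("safe", "active"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def redirect_keeps_path(original: str, rewritten: str) -> bool:
    """A query-only rewrite must leave the path component untouched."""
    return urlsplit(original).path == urlsplit(rewritten).path


def find_bad_redirects(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan redirect log lines and return (original, rewritten) pairs whose
    path changed, the symptom the post reports.  Lines the log viewer has
    truncated with " ... " are skipped because their fields cannot be compared."""
    bad = []
    for line in log_lines:
        if " ... " in line:
            continue
        m = _REDIRECT_RE.search(line)
        if m and not redirect_keeps_path(m.group(1), m.group(2)):
            bad.append((m.group(1), m.group(2)))
    return bad


if __name__ == "__main__":
    # Constructed log line, assembled from the two targets quoted in the post.
    sample_log = [
        "2019 08 22 14:21:09.727 [7867] redirect: [IP: 192.168.0.17] request for "
        + ORIGINAL + " to " + MANGLED,
    ]
    print("naive scheme:", naive_scheme("/search?q=https://www.google.com:443"))
    print("validated scheme:", scheme_of("/search?q=https://www.google.com:443"))
    print("safe rewrite:", append_safe_search(ORIGINAL))
    print("bad redirects:", find_bad_redirects(sample_log))
```

The two checks are independent: `scheme_of` would have rejected "/search?q=https" as a protocol name before the connection pool ever saw "/search?q=https://www.google.com:443", and `find_bad_redirects` run over the proxy's own redirect lines turns the symptom described above into something a log monitor can alert on without waiting for users to report the badprotocol page.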