-1

Let's say I make a call to an HTTPS server. The server sends me back an HTTP response. Is there a way I can change the HTTP response on the client side (e.g. with JavaScript, etc.)?

Thanks.

--- UPDATE ----

Well, for an HTTP request, let's say some JavaScript is making an AJAX call with query=123456. Of course, I can intercept it and change query=123456 before it is sent out (if I want to hack).

But when the HTTP response comes back, is it possible for me to intercept the data and change it before it reaches the browser, assuming that it is HTTPS?

--- More ---

The actual program I am writing requires the data from the server to be secured. Because the JavaScript code will be public (thus anyone can inject it into their page), I have to make sure the response data sent from my server will be the same as what the JavaScript side receives.

Sorry for the initial question not being clear. :)

murvinlai
  • 2
    I am confused as to what you are requesting. Once the request has been processed by the browser, you can make whatever changes to the page, but I do not think you can intercept and change the request before it reaches the browser. – Nican Aug 18 '11 at 23:05
  • How would you want to change the response? Could you include examples? – David Weiser Aug 18 '11 at 23:05
  • Clarify please, as of now it makes no sense. – President James K. Polk Aug 18 '11 at 23:10
  • Do you want to do this by hand, for debugging purposes, or programmatically? – deceze Aug 18 '11 at 23:24
  • Well, I don't have code to do it. I want to know if it is possible or not. So, in my code, I am damn so sure that the data coming from server will not be changed by anyone. – murvinlai Aug 18 '11 at 23:26

2 Answers

3

The best you can do is make sure the data sent from the server is correct. That's all. On the client side, all bets are off by definition. If the connection to the server is SSL secured, it's harder for anybody to mess with the data, but by far not impossible. One of the advantages of an HTTPS connection is that the identity of the server is confirmed. That's displayed to the user in the form of a security lock or a green address bar or whatnot. And conversely, when a certificate is invalid, the browser will complain to the user about it. It's completely up to the user to notice or disregard all that though.

Javascript can be manipulated on the client or by a man-in-the-middle attack between your server and the client; data can be manipulated the same way. There's no guarantee for anything on the client side, which is why the client should never be entrusted to do anything of importance; the server needs to have the last say in anything. SSL can help indicate to the user whether a connection is trusted or not, but it's no guarantee.

deceze
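
One way a server can keep "the last say" over a value that round-trips through the client, shown as an added example that is not part of the original answer. Node.js stands in for the server; the function names, the key and the sample quote are assumptions made for illustration. The check detects tampering when the value comes back to the server; it does not stop a user from altering what their own browser displays.

```javascript
// Added example: the server signs values it hands to the client and
// re-verifies them when they come back. All names here are hypothetical.
const crypto = require('crypto');

// Server-only secret (constructed for the example); never shipped in the public JavaScript.
const SERVER_KEY = crypto.randomBytes(32);

// Server side: wrap a payload with an expiry and an HMAC-SHA256 tag.
function issue(payload, ttlMs = 60000, now = Date.now()) {
  const body = JSON.stringify({ payload, exp: now + ttlMs });
  const tag = crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');
  return { body, tag };
}

// Server side: accept a value echoed back by the client only if the tag
// matches and it has not expired. Returns the payload, or null if rejected.
function verify(msg, now = Date.now()) {
  if (!msg || typeof msg.body !== 'string' || typeof msg.tag !== 'string') return null;
  const expected = crypto.createHmac('sha256', SERVER_KEY).update(msg.body).digest();
  const given = Buffer.from(msg.tag, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let parsed;
  try { parsed = JSON.parse(msg.body); } catch { return null; }
  if (typeof parsed.exp !== 'number' || parsed.exp < now) return null;
  return parsed.payload;
}

// Constructed scenario: the server quotes a price and the client sends it back later.
function demo() {
  const quote = issue({ item: 'widget', price: 100 });
  const untouched = verify(quote);
  // The response body is edited on the client before being sent back.
  const tampered = { body: quote.body.replace('"price":100', '"price":1'), tag: quote.tag };
  return {
    untouched,
    tampered: verify(tampered),
    expired: verify(quote, Date.now() + 120000),
  };
}

console.log(demo());
```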
1

You can create a proxy and have your traffic go through the proxy. The proxy would have to, using the proper certificate, "decrypt" the traffic and then "encrypt" it and send it on its way. But why would you want to? This sounds malicious.

I don't see what good changing data going to the browser is going to do unless you're trying to fool the user.

Try playing around with Fiddler for a bit.

Dustin Davis
  • Hmm.. but the proxy has to be created or specified by the server, right? Just wanna double confirm – murvinlai Aug 18 '11 at 23:27
  • No, a proxy can be deployed anywhere; it just sits between the client and server. – Dustin Davis Aug 19 '11 at 04:36
  • 1
    You can use a proxy tool like WebScarab, Burp, Paros or Charles. The simplest way is to run the proxy on the client. Configure the browser to use the proxy. 2 TLS channels will be needed. The traffic from the browser to the proxy will use the certificate provided by the proxy. The traffic from the proxy to the server will use the certificate of the server. Configure the proxy to intercept responses. – Pierre Ernst Aug 19 '11 at 12:22