Firefly is a proxy software able to circumvent the Great Firewall in China.
This report documents the penetration test and code audit commissioned by Firefly and carried out by security experts from the Cure53 team. The assignment took place over a period of eight days in early February 2016 and involved five Cure53 testers. As a result of the penetration test as many as 23 security issues discussed below were discovered.
The specific testing methodology agreed upon by Firefly and Cure53 entailed following white-box methodology, meaning that a test server was from the very beginning provided by the maintainers of the Firefly software. The scope of tests covered browser extensions, proxy scripts, server-side code, as well as the server itself. In order to ensure a dynamic rapport and reporting, all issues have been reported “live” upon discovery.
