GreatFire’s website-mirror-by-proxy is a server-side web proxy designed to host one or multiple dynamic mirror versions of any website.
Conducted by Cure53, this penetration test and code audit against the GreatFire censorship circumvention tool.
The penetration test was carried out by two testers from the Cure53 team. The test lasted four days and resulted in the identification of four security vulnerabilities and five general weaknesses. Among all those issues discovered, none were classified as ‘Critical’ in severity. Importantly, however, three problems were ranked ‘High’ in regards to their significance and possible impact.
The test was targeted against both the open and freely available sources of the proxy tool, and the several available instances of the tool itself. In addition, a customized debug version was run on a shared cloud VM to test and reproduce the more intrusive attacks.
The full audit and summary of findings can be found below.