{"id":13827232,"url":"https://github.com/thusoy/postgres-mitm","last_synced_at":"2025-12-27T10:29:07.578Z","repository":{"id":145445868,"uuid":"60016223","full_name":"thusoy/postgres-mitm","owner":"thusoy","description":"Test whether your Postgres connections are vulnerable to MitM attacks","archived":false,"fork":false,"pushed_at":"2023-12-19T13:58:42.000Z","size":32,"stargazers_count":56,"open_issues_count":3,"forks_count":27,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-08-04T09:06:31.855Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thusoy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-05-30T14:28:19.000Z","updated_at":"2023-10-17T23:11:51.000Z","dependencies_parsed_at":"2024-04-24T08:59:54.347Z","dependency_job_id":"4dd1ff1b-3b45-4222-bbc5-8828e16181d5","html_url":"https://github.com/thusoy/postgres-mitm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thusoy%2Fpostgres-mitm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thusoy%2Fpostgres-mitm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thusoy%2Fpostgres-mitm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thusoy%2Fpostgres-mitm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thusoy","download_url":"https://codeload.github.com/thusoy/postgres-mitm/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225481349,"owners_count":17481172,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T09:01:52.434Z","updated_at":"2025-12-27T10:29:02.515Z","avatar_url":"https://github.com/thusoy.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"42f9e068b6511bcbb47d6b2b273097da\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"3bd67ee9f322e2c85854991c85ed6da0\"\u003e\u003c/a\u003e投毒\u0026\u0026Poisoning"],"readme":"# postgres-mitm\n\nTest whether your Postgres connections are vulnerable to MitM attacks.\n\n\n## Steps to test your exposure\n\n* Run the script with the IP of the database you want to impersonate:\n  `postgres_mitm.py \u003cIP of actual database\u003e`\n* Replace your database hostname with the IP of the machine running the script\n* See if your app works.\n\nIf your app successfully connects to the database, it didn't validate certficates and accepted whatever was presented. The credentials for the database will be printed by the script. If you're seeing connection errors that's good, and means you're probably not vulnerable.\n\n\n### Heroku\n\nSince changing the database hostname used by Heroku is hard, to test your connection against the database find it's IP (just extract it from the hostname), and start the script with that, then locally point the DNS of the database host to 127.0.0.1:\n\n```\n# Terminal 1\n$ echo \"127.0.0.1 $(heroku config:get DATABASE_URL | grep -o ec2-[^:]*)\" | sudo tee -a /etc/hosts\n127.0.0.1 ec2-54-163-238-215.compute-1.amazonaws.com\n$ heroku pg:psql\n---\u003e Connecting to DATABASE_URL\npsql (9.4.5)\nSSL connection (protocol: TLSv1.2, cipher: ECDHE-ECDSA-AES256-GCM-SHA384, bits: 256, compression: on)\nType \"help\" for help.\n\nmega-mitm::DATABASE=\u003e select user;\n  current_user\n----------------\n fxutzshsavlfyj\n(1 row)\n\nmega-mitm::DATABASE=\u003e\n\n# Terminal 2\n$ ./postgres_mitm.py 54.163.238.215\n2016-06-06 10:28:47,634 [INFO] Listening for connections\n2016-06-06 10:28:56,383 [INFO] Intercepted auth: postgres://fxutzshsavlfyj:Yp1DA\u003c..\u003eeJfAtu@54.163.238.215:5432/d4ajdorhb758hq\n```\n\nYou could pin the database certificate, but note that this will break your app once it's moved to a different host for maintenance by Heroku. Not much we can do about that until they sign their certificates with their own CA.\n\n```\n# Terminal 1 again, pin the certificate\n$ ./postgres_get_server_cert.py 54.163.238.215 \u003e ~/.postgresql/root.crt\n$ heroku pg:psql\n---\u003e Connecting to DATABASE_URL\npsql: SSL error: certificate verify failed\n# Good, MitM now fails, remove line we added to /etc/hosts and try again\n# against actual database\n$ heroku pg:psql\n--\u003e Connecting to DATABASE_URL\npsql (9.4.5)\nSSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)\nType \"help\" for help.\n\nmega-mitm::DATABASE=\u003e\n# Winning\n```\n\n## If you're vulnerable\n\nIf you only have one database you can add its certificate to your trust store to prevent attacks like this one. The default trust store is `~/.postgresql/root.crt`, but you can customize this with the connection parameter `sslrootcert`.\n\nIf you're connecting to a database pool or are hosting many databases you should probably create your own Certificate Authority (CA) that can sign certificates for each database. Then the clients only need to trust the CA certificate and will have a secure connection to any of the databases signed by the CA.\n\nAs always, consult the [excellent documentation](https://www.postgresql.org/docs/9.0/static/libpq-ssl.html) for details.\n\n\nLicense\n-------\n\nThis project uses the [Hippocratic License](https://firstdonoharm.dev/), and is thus freely\navailable to use for purposes that do not infringe on the United Nations Universal Declaration of\nHuman Rights.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthusoy%2Fpostgres-mitm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthusoy%2Fpostgres-mitm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthusoy%2Fpostgres-mitm/lists"}