Grasscutters/mitmproxy
3
0
Fork 0
mirror of https://github.com/Grasscutters/mitmproxy.git synced 2024-11-26 10:16:27 +00:00
Code Issues Projects Releases Wiki Activity

Fixes - #1555 sslstrip.py flow.response.headers (#1556)

Browse Source 
* Fixes - #1555 sslstrip.py flow.response.headers

* #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping

* #1557 - update to match python style guide

* #1555, #1556, update to a bytes pattern
This commit is contained in:
phackt 2016-09-26 04:29:26 +02:00 committed by Maximilian Hils
parent afe6bf0309
commit 8021427ab9
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
examples/sslstrip.py
View File

@ -9,6 +9,9 @@ def request(flow):
flow.request.headers.pop('If-Modified-Since', None) flow.request.headers.pop('If-Modified-Since', None)
flow.request.headers.pop('Cache-Control', None) flow.request.headers.pop('Cache-Control', None)
# do not force https redirection
flow.request.headers.pop('Upgrade-Insecure-Requests', None)
# proxy connections to SSL-enabled hosts # proxy connections to SSL-enabled hosts
if flow.request.pretty_host in secure_hosts: if flow.request.pretty_host in secure_hosts:
flow.request.scheme = 'https' flow.request.scheme = 'https'
@ -16,12 +19,16 @@ def request(flow):
def response(flow): def response(flow):
flow.request.headers.pop('Strict-Transport-Security', None) flow.response.headers.pop('Strict-Transport-Security', None)
flow.request.headers.pop('Public-Key-Pins', None) flow.response.headers.pop('Public-Key-Pins', None)
# strip links in response body # strip links in response body
flow.response.content = flow.response.content.replace('https://', 'http://') flow.response.content = flow.response.content.replace('https://', 'http://')
# strip meta tag upgrade-insecure-requests in response body
csp_meta_tag_pattern = b'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>'
flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)
# strip links in 'Location' header # strip links in 'Location' header
if flow.response.headers.get('Location', '').startswith('https://'): if flow.response.headers.get('Location', '').startswith('https://'):
location = flow.response.headers['Location'] location = flow.response.headers['Location']
@ -30,6 +37,11 @@ def response(flow):
secure_hosts.add(hostname) secure_hosts.add(hostname)
flow.response.headers['Location'] = location.replace('https://', 'http://', 1) flow.response.headers['Location'] = location.replace('https://', 'http://', 1)
# strip upgrade-insecure-requests in Content-Security-Policy header
if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):
csp = flow.response.headers['Content-Security-Policy']
flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)
# strip secure flag from 'Set-Cookie' headers # strip secure flag from 'Set-Cookie' headers
cookies = flow.response.headers.get_all('Set-Cookie') cookies = flow.response.headers.get_all('Set-Cookie')
cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies] cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies]