author | phackt <phackt@users.noreply.github.com> | 2016-09-26 04:29:26 +0200 |
---|---|---|
committer | Maximilian Hils <git@maximilianhils.com> | 2016-09-25 19:29:26 -0700 |
commit | 8021427ab919e5301d9cc0e5d6ef28f19dee048b (patch) | |
tree | 384e9570552fe1db8a72cf0c6a263746a300f28b | |
parent | afe6bf0309c19891455cc81b3856bd68b1031649 (diff) | |
Fixes - #1555 sslstrip.py flow.response.headers (#1556)
* Fixes - #1555 sslstrip.py flow.response.headers
* #1557 - add enhancements in inline script sslstrip.py with upgrade-insecure-requests stripping
* #1557 - update to match python style guide
* #1555, #1556, update to a bytes pattern
-rw-r--r-- | examples/sslstrip.py | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/examples/sslstrip.py b/examples/sslstrip.py
index 0be1f020..41cce896 100644
--- a/examples/sslstrip.py
+++ b/examples/sslstrip.py
@@ -9,6 +9,9 @@ def request(flow):
 flow.request.headers.pop('If-Modified-Since', None)
 flow.request.headers.pop('Cache-Control', None)
+ # do not force https redirection
+ flow.request.headers.pop('Upgrade-Insecure-Requests', None)
+
 # proxy connections to SSL-enabled hosts
 if flow.request.pretty_host in secure_hosts:
 flow.request.scheme = 'https'
@@ -16,12 +19,16 @@ def request(flow):
 def response(flow):
- flow.request.headers.pop('Strict-Transport-Security', None)
- flow.request.headers.pop('Public-Key-Pins', None)
+ flow.response.headers.pop('Strict-Transport-Security', None)
+ flow.response.headers.pop('Public-Key-Pins', None)
 # strip links in response body
 flow.response.content = flow.response.content.replace('https://', 'http://')
+ # strip meta tag upgrade-insecure-requests in response body
+ csp_meta_tag_pattern = b'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>'
+ flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE)
+
 # strip links in 'Location' header
 if flow.response.headers.get('Location', '').startswith('https://'):
 location = flow.response.headers['Location']
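Review bot: The added comment `# do not force https redirection` in request() does not say which side of the connection it affects. The line removes a header the client sends, so something like `# drop the client's Upgrade-Insecure-Requests header before the request is forwarded` would tell a reader what is changed and where. request() starts before this hunk and continues past it.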
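Review bot: The new `re.sub` in response() treats `flow.response.content` as bytes, while the unchanged line just above it still calls `.replace('https://', 'http://')` with str arguments on the same attribute, so on Python 3 one of the two raises TypeError whichever type the content has. The literals should agree; if the content is bytes, as the commit message's "update to a bytes pattern" suggests, the earlier line becomes `flow.response.content.replace(b'https://', b'http://')`. Separately, the greedy `.*` pieces in `csp_meta_tag_pattern` can match from the first `<meta` on a line through to the Content-Security-Policy tag and delete unrelated tags in between; `[^>]*` in place of each `.*` keeps the match inside one tag. response() continues past the end of this hunk.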
@@ -30,6 +37,11 @@ def response(flow):
 secure_hosts.add(hostname)
 flow.response.headers['Location'] = location.replace('https://', 'http://', 1)
+ # strip upgrade-insecure-requests in Content-Security-Policy header
+ if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE):
+ csp = flow.response.headers['Content-Security-Policy']
+ flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)
+
 # strip secure flag from 'Set-Cookie' headers
 cookies = flow.response.headers.get_all('Set-Cookie')
 cookies = [re.sub(r';\s*secure\s*', '', s) for s in cookies] |
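Review bot: The pattern `'upgrade-insecure-requests[;\s]*'` is a plain string literal, so `\s` is an unrecognised string escape that only works because Python passes it through unchanged, and newer interpreters warn about it. The Set-Cookie line at the end of this hunk already uses a raw string, so the new call should match it: `re.sub(r'upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE)`. When that directive is the only one in the policy, the assignment also leaves a Content-Security-Policy header with an empty value instead of removing it, which deserves a short comment or an explicit `pop`. response() starts before this hunk.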