diff --git a/modules/http_proxy_base_filters.go b/modules/http_proxy_base_filters.go
index c0557ea2..686e9773 100644
--- a/modules/http_proxy_base_filters.go
+++ b/modules/http_proxy_base_filters.go
@@ -11,9 +11,19 @@ import (
 	"github.com/elazarl/goproxy"
 )
 
+func (p *HTTPProxy) fixRequestHeaders(req *http.Request) {
+	req.Header.Del("Accept-Encoding")
+	req.Header.Del("If-None-Match")
+	req.Header.Del("If-Modified-Since")
+	req.Header.Del("Upgrade-Insecure-Requests")
+	req.Header.Set("Pragma", "no-cache")
+}
+
 func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
 	log.Debug("(%s) < %s %s %s%s", core.Green(p.Name), req.RemoteAddr, req.Method, req.Host, req.URL.Path)
 
+	p.fixRequestHeaders(req)
+
 	redir := p.stripper.Preprocess(req, ctx)
 	if redir != nil {
 		// we need to redirect the user in order to make
@@ -41,6 +51,25 @@ func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*
 	return req, nil
 }
 
+func (p *HTTPProxy) fixResponseHeaders(res *http.Response) {
+	res.Header.Del("Content-Security-Policy-Report-Only")
+	res.Header.Del("Content-Security-Policy")
+	res.Header.Del("Strict-Transport-Security")
+	res.Header.Del("Public-Key-Pins")
+	res.Header.Del("Public-Key-Pins-Report-Only")
+	res.Header.Del("X-Frame-Options")
+	res.Header.Del("X-Content-Type-Options")
+	res.Header.Del("X-WebKit-CSP")
+	res.Header.Del("X-Content-Security-Policy")
+	res.Header.Del("X-Download-Options")
+	res.Header.Del("X-Permitted-Cross-Domain-Policies")
+	res.Header.Del("X-Xss-Protection")
+	res.Header.Set("Allow-Access-From-Same-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Methods", "*")
+	res.Header.Set("Access-Control-Allow-Headers", "*")
+}
+
 func (p *HTTPProxy) getHeader(res *http.Response, header string) string {
 	header = strings.ToLower(header)
 	for name, values := range res.Header {
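Review bot: fixRequestHeaders is called unconditionally from onRequestFilter, whereas the stripRequestHeaders call it replaces sat in SSLStripper.Preprocess after an early return (visible at the top of the third sslstriper hunk), so the request-header rewrite presumably now runs even when the stripper is disabled; the same widening applies to the p.fixResponseHeaders(res) call added in onResponseFilter. If that is intended, record it on the method, e.g. `// fixRequestHeaders removes conditional-request, encoding and upgrade headers from every proxied request, independent of the sslstrip state.`; otherwise gate both calls on the stripper being enabled. The enclosing onRequestFilter continues past the hunk.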
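Review bot: fixResponseHeaders has no doc comment, and the header name in its first Set call, `Allow-Access-From-Same-Origin`, does not look like a standard HTTP header (the three CORS headers that follow are), so a reader cannot tell whether it is intentional or a leftover. A short comment would settle it, e.g. `// fixResponseHeaders strips browser security-policy headers and relaxes CORS on every proxied response; Allow-Access-From-Same-Origin is carried over from the old SSLStripper code — verify it is still needed.` The Del/Set list itself is moved unchanged from the deleted stripResponseHeaders.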
@@ -69,11 +98,12 @@ func (p *HTTPProxy) doScriptInjection(res *http.Response, cType string) (error,
 	if err != nil {
 		return err, nil
 	} else if html := string(raw); strings.Contains(html, "") {
-		log.Info("(%s) > injecting javascript (%d bytes) into %s for %s",
+		log.Info("(%s) > injecting javascript (%d bytes) into %s (%d bytes) for %s",
 			core.Green(p.Name),
 			len(p.jsHook),
 			core.Yellow(res.Request.Host+res.Request.URL.Path),
-			core.Bold(res.Request.RemoteAddr))
+			len(raw),
+			core.Bold(strings.Split(res.Request.RemoteAddr, ":")[0]))
 
 		html = strings.Replace(html, "", p.jsHook, -1)
 		newResp := goproxy.NewResponse(res.Request, cType, res.StatusCode, html)
@@ -97,6 +127,8 @@ func (p *HTTPProxy) onResponseFilter(res *http.Response, ctx *goproxy.ProxyCtx)
 
 	log.Debug("(%s) > %s %s %s%s", core.Green(p.Name), res.Request.RemoteAddr, res.Request.Method, res.Request.Host, res.Request.URL.Path)
 
+	p.fixResponseHeaders(res)
+
 	p.stripper.Process(res, ctx)
 
 	// do we have a proxy script?
diff --git a/modules/http_proxy_base_sslstriper.go b/modules/http_proxy_base_sslstriper.go
index 5d2142ae..9bc79004 100644
--- a/modules/http_proxy_base_sslstriper.go
+++ b/modules/http_proxy_base_sslstriper.go
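Review bot: `strings.Split(res.Request.RemoteAddr, ":")[0]` on the last added line strips the port only for IPv4 peers; for an IPv6 RemoteAddr such as `[::1]:54321` it logs `[`. `net.SplitHostPort` handles both forms — `host, _, err := net.SplitHostPort(res.Request.RemoteAddr)`, falling back to the raw string when err != nil (the file's import block is only partly visible here, so `net` may need adding). The empty-string needle in `strings.Contains(html, "")` and `strings.Replace(html, "", p.jsHook, -1)` is presumably an HTML tag lost when this page was rendered; if the literal really is empty, Contains is always true and Replace inserts the hook between every character. doScriptInjection starts and ends outside the hunk.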
@@ -192,35 +192,6 @@ func (s *SSLStripper) Enable(enabled bool) {
 	}
 }
 
-func (s *SSLStripper) stripRequestHeaders(req *http.Request) {
-	req.Header.Del("Accept-Encoding")
-	req.Header.Del("If-None-Match")
-	req.Header.Del("If-Modified-Since")
-	req.Header.Del("Upgrade-Insecure-Requests")
-
-	req.Header.Set("Pragma", "no-cache")
-}
-
-func (s *SSLStripper) stripResponseHeaders(res *http.Response) {
-	res.Header.Del("Content-Security-Policy-Report-Only")
-	res.Header.Del("Content-Security-Policy")
-	res.Header.Del("Strict-Transport-Security")
-	res.Header.Del("Public-Key-Pins")
-	res.Header.Del("Public-Key-Pins-Report-Only")
-	res.Header.Del("X-Frame-Options")
-	res.Header.Del("X-Content-Type-Options")
-	res.Header.Del("X-WebKit-CSP")
-	res.Header.Del("X-Content-Security-Policy")
-	res.Header.Del("X-Download-Options")
-	res.Header.Del("X-Permitted-Cross-Domain-Policies")
-	res.Header.Del("X-Xss-Protection")
-
-	res.Header.Set("Allow-Access-From-Same-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Methods", "*")
-	res.Header.Set("Access-Control-Allow-Headers", "*")
-}
-
 func (s *SSLStripper) isContentStrippable(res *http.Response) bool {
 	for name, values := range res.Header {
 		for _, value := range values {
@@ -258,7 +229,6 @@ func (s *SSLStripper) processURL(url string) string {
 
 // sslstrip preprocessing, takes care of:
 //
-// - patching / removing security related headers
 // - handling stripped domains
 // - making unknown session cookies expire
 func (s *SSLStripper) Preprocess(req *http.Request, ctx *goproxy.ProxyCtx) (redir *http.Response) {
@@ -266,9 +236,6 @@ func (s *SSLStripper) Preprocess(req *http.Request, ctx *goproxy.ProxyCtx) (redi
 		return
 	}
 
-	// preprocess request headers
-	s.stripRequestHeaders(req)
-
 	// well ...
 	if req.URL.Scheme == "https" {
 		// TODO: check for max redirects?
@@ -349,9 +316,6 @@ func (s *SSLStripper) Process(res *http.Response, ctx *goproxy.ProxyCtx) {
 		}
 	}
 
-	// process response headers
-	s.stripResponseHeaders(res)
-
 	// if we have a text or html content type, fetch the body
 	// and perform sslstripping
 	if s.isContentStrippable(res) {