fix: fixing request and response headers and downgrading security even if sslstrip is disabled

modules/http_proxy_base_filters.go

@@ -11,9 +11,19 @@ import (
 	"github.com/elazarl/goproxy"
 )
 
+func (p *HTTPProxy) fixRequestHeaders(req *http.Request) {
+	req.Header.Del("Accept-Encoding")
+	req.Header.Del("If-None-Match")
+	req.Header.Del("If-Modified-Since")
+	req.Header.Del("Upgrade-Insecure-Requests")
+	req.Header.Set("Pragma", "no-cache")
+}
+
 func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
 	log.Debug("(%s) < %s %s %s%s", core.Green(p.Name), req.RemoteAddr, req.Method, req.Host, req.URL.Path)
 
+	p.fixRequestHeaders(req)
+
 	redir := p.stripper.Preprocess(req, ctx)
 	if redir != nil {
 		// we need to redirect the user in order to make
@@ -41,6 +51,25 @@ func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*
 	return req, nil
 }
 
+func (p *HTTPProxy) fixResponseHeaders(res *http.Response) {
+	res.Header.Del("Content-Security-Policy-Report-Only")
+	res.Header.Del("Content-Security-Policy")
+	res.Header.Del("Strict-Transport-Security")
+	res.Header.Del("Public-Key-Pins")
+	res.Header.Del("Public-Key-Pins-Report-Only")
+	res.Header.Del("X-Frame-Options")
+	res.Header.Del("X-Content-Type-Options")
+	res.Header.Del("X-WebKit-CSP")
+	res.Header.Del("X-Content-Security-Policy")
+	res.Header.Del("X-Download-Options")
+	res.Header.Del("X-Permitted-Cross-Domain-Policies")
+	res.Header.Del("X-Xss-Protection")
+	res.Header.Set("Allow-Access-From-Same-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Methods", "*")
+	res.Header.Set("Access-Control-Allow-Headers", "*")
+}
+
 func (p *HTTPProxy) getHeader(res *http.Response, header string) string {
 	header = strings.ToLower(header)
 	for name, values := range res.Header {
@@ -69,11 +98,12 @@ func (p *HTTPProxy) doScriptInjection(res *http.Response, cType string) (error,
 	if err != nil {
 		return err, nil
 	} else if html := string(raw); strings.Contains(html, "</head>") {
-		log.Info("(%s) > injecting javascript (%d bytes) into %s for %s",
+		log.Info("(%s) > injecting javascript (%d bytes) into %s (%d bytes) for %s",
 			core.Green(p.Name),
 			len(p.jsHook),
 			core.Yellow(res.Request.Host+res.Request.URL.Path),
-			core.Bold(res.Request.RemoteAddr))
+			len(raw),
+			core.Bold(strings.Split(res.Request.RemoteAddr, ":")[0]))
 
 		html = strings.Replace(html, "</head>", p.jsHook, -1)
 		newResp := goproxy.NewResponse(res.Request, cType, res.StatusCode, html)
@@ -97,6 +127,8 @@ func (p *HTTPProxy) onResponseFilter(res *http.Response, ctx *goproxy.ProxyCtx)
 
 	log.Debug("(%s) > %s %s %s%s", core.Green(p.Name), res.Request.RemoteAddr, res.Request.Method, res.Request.Host, res.Request.URL.Path)
 
+	p.fixResponseHeaders(res)
+
 	p.stripper.Process(res, ctx)
 
 	// do we have a proxy script?

modules/http_proxy_base_sslstriper.go

@@ -192,35 +192,6 @@ func (s *SSLStripper) Enable(enabled bool) {
 	}
 }
 
-func (s *SSLStripper) stripRequestHeaders(req *http.Request) {
-	req.Header.Del("Accept-Encoding")
-	req.Header.Del("If-None-Match")
-	req.Header.Del("If-Modified-Since")
-	req.Header.Del("Upgrade-Insecure-Requests")
-
-	req.Header.Set("Pragma", "no-cache")
-}
-
-func (s *SSLStripper) stripResponseHeaders(res *http.Response) {
-	res.Header.Del("Content-Security-Policy-Report-Only")
-	res.Header.Del("Content-Security-Policy")
-	res.Header.Del("Strict-Transport-Security")
-	res.Header.Del("Public-Key-Pins")
-	res.Header.Del("Public-Key-Pins-Report-Only")
-	res.Header.Del("X-Frame-Options")
-	res.Header.Del("X-Content-Type-Options")
-	res.Header.Del("X-WebKit-CSP")
-	res.Header.Del("X-Content-Security-Policy")
-	res.Header.Del("X-Download-Options")
-	res.Header.Del("X-Permitted-Cross-Domain-Policies")
-	res.Header.Del("X-Xss-Protection")
-
-	res.Header.Set("Allow-Access-From-Same-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Methods", "*")
-	res.Header.Set("Access-Control-Allow-Headers", "*")
-}
-
 func (s *SSLStripper) isContentStrippable(res *http.Response) bool {
 	for name, values := range res.Header {
 		for _, value := range values {
@@ -258,7 +229,6 @@ func (s *SSLStripper) processURL(url string) string {
 
 // sslstrip preprocessing, takes care of:
 //
-// - patching / removing security related headers
 // - handling stripped domains
 // - making unknown session cookies expire
 func (s *SSLStripper) Preprocess(req *http.Request, ctx *goproxy.ProxyCtx) (redir *http.Response) {
@@ -266,9 +236,6 @@ func (s *SSLStripper) Preprocess(req *http.Request, ctx *goproxy.ProxyCtx) (redi
 		return
 	}
 
-	// preprocess request headers
-	s.stripRequestHeaders(req)
-
 	// well ...
 	if req.URL.Scheme == "https" {
 		// TODO: check for max redirects?
@@ -349,9 +316,6 @@ func (s *SSLStripper) Process(res *http.Response, ctx *goproxy.ProxyCtx) {
 		}
 	}
 
-	// process response headers
-	s.stripResponseHeaders(res)
-
 	// if we have a text or html content type, fetch the body
 	// and perform sslstripping
 	if s.isContentStrippable(res) {