fix: fixing CORS headers only if sslstrip is enabled (fixes #543)

This commit is contained in:
evilsocket 2019-04-18 12:44:50 +02:00
commit 5f973629d3
No known key found for this signature in database
GPG key ID: 1564D7F30393A456
3 changed files with 23 additions and 23 deletions


@ -52,25 +52,6 @@ func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*
return req, nil
}
func (p *HTTPProxy) fixResponseHeaders(res *http.Response) {
res.Header.Del("Content-Security-Policy-Report-Only")
res.Header.Del("Content-Security-Policy")
res.Header.Del("Strict-Transport-Security")
res.Header.Del("Public-Key-Pins")
res.Header.Del("Public-Key-Pins-Report-Only")
res.Header.Del("X-Frame-Options")
res.Header.Del("X-Content-Type-Options")
res.Header.Del("X-WebKit-CSP")
res.Header.Del("X-Content-Security-Policy")
res.Header.Del("X-Download-Options")
res.Header.Del("X-Permitted-Cross-Domain-Policies")
res.Header.Del("X-Xss-Protection")
res.Header.Set("Allow-Access-From-Same-Origin", "*")
res.Header.Set("Access-Control-Allow-Origin", "*")
res.Header.Set("Access-Control-Allow-Methods", "*")
res.Header.Set("Access-Control-Allow-Headers", "*")
}
func (p *HTTPProxy) getHeader(res *http.Response, header string) string {
header = strings.ToLower(header)
for name, values := range res.Header {
@ -128,8 +109,6 @@ func (p *HTTPProxy) onResponseFilter(res *http.Response, ctx *goproxy.ProxyCtx)
if p.shouldProxy(res.Request) {
p.Debug("> %s %s %s%s", res.Request.RemoteAddr, res.Request.Method, res.Request.Host, res.Request.URL.Path)
p.fixResponseHeaders(res)
p.stripper.Process(res, ctx)
// do we have a proxy script?


@ -283,11 +283,32 @@ func (s *SSLStripper) isMaxRedirs(hostname string) bool {
return false
}
func (s *SSLStripper) fixResponseHeaders(res *http.Response) {
res.Header.Del("Content-Security-Policy-Report-Only")
res.Header.Del("Content-Security-Policy")
res.Header.Del("Strict-Transport-Security")
res.Header.Del("Public-Key-Pins")
res.Header.Del("Public-Key-Pins-Report-Only")
res.Header.Del("X-Frame-Options")
res.Header.Del("X-Content-Type-Options")
res.Header.Del("X-WebKit-CSP")
res.Header.Del("X-Content-Security-Policy")
res.Header.Del("X-Download-Options")
res.Header.Del("X-Permitted-Cross-Domain-Policies")
res.Header.Del("X-Xss-Protection")
res.Header.Set("Allow-Access-From-Same-Origin", "*")
res.Header.Set("Access-Control-Allow-Origin", "*")
res.Header.Set("Access-Control-Allow-Methods", "*")
res.Header.Set("Access-Control-Allow-Headers", "*")
}
func (s *SSLStripper) Process(res *http.Response, ctx *goproxy.ProxyCtx) {
if !s.enabled {
return
}
s.fixResponseHeaders(res)
// is the server redirecting us?
if res.StatusCode != 200 {
// extract Location header
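Review bot: The relocated SSLStripper.fixResponseHeaders has no doc comment, and its name understates what it does: besides relaxing CORS it deletes twelve security-policy response headers (CSP and its report-only and legacy variants, HSTS, HPKP, X-Frame-Options and the other X-* policies), which a reader of the new `s.fixResponseHeaders(res)` line in Process would not guess from the name. I would add `// fixResponseHeaders deletes the response's security-policy headers (CSP, HSTS, HPKP, X-Frame-Options, ...) and sets permissive CORS headers; it runs only after the enabled check in Process.` above the func line. The twelve back-to-back `res.Header.Del` calls would also be easier to maintain as a single package-level list, e.g. `var strippedResponseHeaders = []string{ /* the twelve names from the hunk */ }` iterated with `for _, h := range strippedResponseHeaders { res.Header.Del(h) }`, so additions and removals happen in one place. Process's body continues past the end of the hunk.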