
update hstshijack

Open buffermet opened this issue 1 year ago • 0 comments

This commit contains several changes to the hstshijack module:

  • reduced a great deal of overhead by precompiling the regexp selectors in the HTTP proxy script that are repeatedly used by the onRequest and onResponse callbacks
  • reduced overhead by changing == into === and != into !== to avoid unnecessary type conversions
  • module now decodes and spoofs hostnames found in query parameters
  • module removes all CSP headers, not just the first instance
  • module removes Secure and SameSite parameters in cookies
  • Access-Control-Allow-Origin header value is set to a spoofed origin, unless it is set to * by the server (because credentials are not allowed when Access-Control-Allow-Origin is set to *)
  • module also spoofs Access-Control-Allow-Credentials (always set to true)
  • module payloads are now wrapped in a strict context
  • module ignores captive portal detection hostnames (such requests would sometimes trigger a captive portal notification)
  • *added a google-search.js payload that bypasses Google's attempt to mitigate spoofed search results (works, is dirty, needs improvement)
  • keystrokes sent to the module that include a password field no longer trigger a whitelisting callback until I figure out why it whitelists all hosts for said client
  • fixed automatic whitelisting of spoofed and unspoofed origins
  • fixed hstshijack.ssl.domains command when domains.txt file contained 20 or more domains
  • added hstshijack.whitelist command to see which hosts are whitelisted for which clients
  • changed hstshijack.ignore logic: any domain set to that variable is now ignored regardless of whether it is targeted by hstshijack.targets or hstshijack.payloads
  • changed injection of HTML files: as webmasters clearly cannot be trusted to set the correct Content-Type (I've seen HTML served with */javascript content types, even with a .js extension, and vice versa), it now searches for < within the first 1000 bytes of files with a valid markup language extension

*The caplet is configured to attack Google, and a new payload is included as an example of how this module is intended to be used. It's not intended to be used by a skid to target *.com, it's intended to target specific sites for which you have prepared a payload. The truth is that JavaScript can always prevent these automated attacks, and the only way around a host's security is by injecting your own JavaScript that executes before theirs, and is tailored to their site.

buffermet, Jul 29 '22 06:07
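Several of the changes listed above (stripping every Content-Security-Policy header, dropping the Secure and SameSite cookie attributes, and pairing a reflected Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true) leave a recognisable fingerprint in the responses a client receives. The following is an added example, not code from the hstshijack module or the caplets repository, showing how a defender might audit captured response headers for that downgrade pattern. The header object shape (lowercased names mapped to arrays of values), the `allowedOrigins` option and the two sample responses are all constructed for this illustration.

```javascript
// Added example (not part of the hstshijack PR): audit one HTTPS response's
// headers for the protection-stripping pattern described in the PR text.
// `headers` is assumed to be an object of lowercased header names to arrays
// of raw values, the way a logging proxy or a fetch() wrapper could collect it.
function auditResponseHeaders(headers, { allowedOrigins = [] } = {}) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()] || [];

  // 1. Session cookies that lost their Secure / SameSite attributes.
  for (const cookie of get("set-cookie")) {
    const [pair, ...rest] = cookie.split(";");
    const name = pair.split("=")[0].trim();
    const attrs = rest.map((a) => a.trim().toLowerCase());
    if (!attrs.includes("secure")) findings.push(`cookie ${name} lacks Secure`);
    if (!attrs.some((a) => a.startsWith("samesite="))) {
      findings.push(`cookie ${name} lacks SameSite`);
    }
  }

  // 2. Policy headers that an in-path modifier would remove wholesale.
  if (get("content-security-policy").length === 0) {
    findings.push("Content-Security-Policy missing");
  }
  if (get("strict-transport-security").length === 0) {
    findings.push("Strict-Transport-Security missing");
  }

  // 3. Credentialed CORS granted to an origin the site never allow-listed.
  //    A wildcard ACAO is not flagged here: browsers refuse credentials for "*".
  const acao = (get("access-control-allow-origin")[0] || "").trim();
  const acac = (get("access-control-allow-credentials")[0] || "").trim().toLowerCase();
  if (acao && acao !== "*" && acac === "true" && !allowedOrigins.includes(acao)) {
    findings.push(`credentialed CORS granted to unexpected origin ${acao}`);
  }

  return findings;
}

// Constructed sample: what an intact response from a well-configured site looks like.
const intactSample = {
  "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  "content-security-policy": ["default-src 'self'"],
  "strict-transport-security": ["max-age=31536000; includeSubDomains"],
  "access-control-allow-origin": ["https://app.example.com"],
  "access-control-allow-credentials": ["true"],
};

// Constructed sample: the same response after the downgrades the PR describes.
const tamperedSample = {
  "set-cookie": ["session=abc123; Path=/; HttpOnly"],
  "access-control-allow-origin": ["http://app.example.com"],
  "access-control-allow-credentials": ["true"],
  "content-type": ["text/html"],
};

if (typeof require !== "undefined" && require.main === module) {
  const opts = { allowedOrigins: ["https://app.example.com"] };
  console.log("intact:", auditResponseHeaders(intactSample, opts));
  console.log("tampered:", auditResponseHeaders(tamperedSample, opts));
}
```

Run with `node audit.js` (any filename works). The intact sample produces no findings; the tampered one reports the missing cookie attributes, both absent policy headers and the credentialed CORS grant to the plain-http origin. In practice the same check is most useful when run against a known-good baseline captured out of band, since a site that never sent CSP or HSTS in the first place will trigger the policy-header findings on its own.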