caplets
update hstshijack
This commit contains several changes to the hstshijack module:

- reduced a great deal of overhead by precompiling the regexp selectors in the HTTP proxy script that are repeatedly used by the onRequest and onResponse callbacks
- reduced overhead by changing `==` into `===` and `!=` into `!==` to avoid unnecessary type conversions
- module now decodes and spoofs hostnames found in query parameters
- module removes all CSP headers, not just the first instance
- module removes `Secure` and `SameSite` parameters in cookies
- Access-Control-Allow-Origin header value is set to a spoofed origin, unless it is set to `*` by the server (because credentials are not allowed when Access-Control-Allow-Origin is set to `*`)
- module also spoofs Access-Control-Allow-Credentials (always set to `true`)
- module payloads are now wrapped in a strict context
- module ignores captive portal detection hostnames (such requests would sometimes trigger a captive portal notification)
- *added a `google-search.js` payload that bypasses Google's attempt to mitigate spoofed search results (works, is dirty, needs improvement)
- keystrokes sent to the module that include a password field no longer trigger a whitelisting callback until I figure out why it whitelists all hosts for said client
- fixed automatic whitelisting of spoofed and unspoofed origins
- fixed the `hstshijack.ssl.domains` command when the domains.txt file contained 20 or more domains
- added the `hstshijack.whitelist` command to see which hosts are whitelisted for which clients
- changed `hstshijack.ignore` logic: any domain set to that variable is now ignored regardless of whether it is targeted by `hstshijack.targets` or `hstshijack.payloads`
- changed injection of HTML files, as webmasters clearly cannot be trusted to set the correct Content-Type (I've seen HTML served with `*/javascript` content types, even with a .js extension, and vice versa); it now searches for `<` within the first 1000 bytes of files with a valid markup language extension
*The caplet is configured to attack Google, and a new payload is included as an example of how this module is intended to be used. It's not intended to be used by a skid to target *.com, it's intended to target specific sites for which you have prepared a payload. The truth is that JavaScript can always prevent these automated attacks, and the only way around a host's security is by injecting your own JavaScript that executes before theirs, and is tailored to their site.