Last active: August 29, 2015 14:05
```javascript
var express = require('express');
var request = require('request');
var router = express.Router();

router.get('/google', function (req, res) {
  var url = 'http://www.google.com';
  // Fetch the page server-side, then rewrite every relative action/src/href
  // attribute into an absolute URL so the proxied page still resolves its assets.
  request(url, function (err, response, body) {
    res.send(body.replace(/(action|src|href)="((?!http)[^"]*)"/gi, function (match, g1, g2) {
      return g1 + '="' + url + g2 + '"';
    }));
  });
});
```
Changing the URL to Facebook.com worked perfectly as well. It would be trivial to hook into the facebook login form and send the data back to my server before sending a user over to the real facebook.
Facebook does employ CSRF tokens so it rejects the authentication request from my server. However, I could simply override the form submit, save their info to my server, and redirect them to facebook.com fresh. The user would just think the login failed and try again and it would work just fine. They wouldn't be any wiser.
I faked the user-agent header as well and now the sites think my server-side requests come from Chrome.
```javascript
var express = require('express');
var request = require('request');
var router = express.Router();

router.get('*', function (req, res) {
  // The target site is taken from the `site` query parameter.
  var url = req.param('site');
  request({
    url: url,
    headers: {
      // Spoofed browser User-Agent so the upstream site sees a Chrome client.
      'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36'
    }
  }, function (err, response, body) {
    // Same relative-to-absolute rewrite of action/src/href as in the first route.
    res.send(body.replace(/(action|src|href)="((?!http)[^"]*)"/gi, function (match, g1, g2) {
      return g1 + '="' + url + g2 + '"';
    }));
  });
});
```
Now you can pass any website as a query parameter (e.g. `http://localhost:3000?site=http://twitter.com`).
That's how easy it was to proxy Google so the page was served up through my little node server. If I were a malicious hacker I could simply append a `<script>` tag to the page before shunting it to the browser and that tag could point to my own script. From there I could hook into the page however I wanted.

From the server I make a request to google.com. Then I run the response through a regular expression `/(action|src|href)="((?!http)[^"]*)"/gi` which searches for all `src="someurl"`, `href="someurl"`, and `action="someurl"`. If `someurl` doesn't start with `http` then it prepends `http://www.google.com` to the front of it. That effectively resolves all the relative paths on the page. The page is fully functional like the real google.