Why?
You want to bypass client-side constraints in a JavaScript app you're hacking.
When?
Easiest to do when `<script integrity>` (Subresource Integrity) is not in use.
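The integrity check that makes this harder, shown as an added example rather than code from the post: it computes the value a `<script integrity="...">` attribute carries for a script body, then emulates the browser's comparison against the original bytes and against a tampered copy. The script bytes and the swapped fragment are constructed here to mirror the post's first example; `sri_digest`, `sri_check` and `script_tag` are names chosen for this example, not a library API.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script as the server serves it, and a copy
# rewritten the way the post's first example does it.
ORIGINAL_JS = b"if (!email.endsWith('@trusted.com')) {\n  return;\n}\n"
TAMPERED_JS = ORIGINAL_JS.replace(b"endsWith('@trusted.com')", b"includes('@')")


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute.

    SRI values are '<algo>-<base64 of the raw digest>' and only the
    SHA-2 family members below are permitted.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_check(content: bytes, integrity: str) -> bool:
    """Emulate the browser: recompute the digest of the fetched bytes
    with the algorithm named in the attribute and compare in constant time."""
    algo, _, _expected = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_digest(content, algo), integrity)
    except ValueError:
        return False


def script_tag(src: str, content: bytes) -> str:
    """Build the tag a deploy step would emit for the given script body."""
    return (
        f'<script src="{src}" integrity="{sri_digest(content)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    tag = script_tag("/static/app.js", ORIGINAL_JS)
    print(tag)
    print("original passes:", sri_check(ORIGINAL_JS, sri_digest(ORIGINAL_JS)))
    print("tampered passes:", sri_check(TAMPERED_JS, sri_digest(ORIGINAL_JS)))
```

A browser that receives the rewritten body refuses to execute it because the recomputed digest no longer matches the attribute. The attribute has to be regenerated on every build of the script, which is why it is most often used for scripts loaded from third-party hosts.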
How?
```shell
mitmdump -s myscript.py
```

myscript.py:

```python
from mitmproxy import http

# The response body is bytes, so the fragments must be bytes too.
# Filled in here from the first example below; swap in your own.
UNHACKED_FRAGMENT = b"endsWith('@trusted.com')"
HACKED_FRAGMENT = b"includes('@')"


def response(flow: http.HTTPFlow) -> None:
    # Runs for every response; replace() is a no-op when the fragment is absent.
    if flow.response and flow.response.content:
        flow.response.content = flow.response.content.replace(
            UNHACKED_FRAGMENT,
            HACKED_FRAGMENT
        )
```
Gotchas
One mistake you can make is trying to replace the fragments of code you see in your browser debugger. What the debugger shows won't necessarily correspond 1-to-1 with the bytes on the wire (e.g. when you are looking at an unobfuscated, pretty-printed view of minified code). That's why the examples here don't match against variable names or internal function names, only against string literals and built-in method names that survive minification.
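Because `bytes.replace` silently does nothing when the fragment is not present, the check a practitioner wants is a count of how many times the pattern actually matched, plus a hint about why it missed. The following is an added example, not code from the post: `patch` and `diagnose` are names chosen here, and both the minified "served" bytes and the pretty-printed "debugger" view are constructed to illustrate the gotcha above.

```python
import re

# Constructed: the bytes the server actually sends (minified, single quotes) ...
SERVED_JS = b"function v(e){if(!e.endsWith('@trusted.com'))return;s(e)}"

# ... and the pretty-printed view a debugger shows for the same code.
DEBUGGER_VIEW = b"""function v(e) {
  if (!e.endsWith('@trusted.com')) return;
  s(e);
}
"""


def patch(content: bytes, old: bytes, new: bytes) -> "tuple[bytes, int]":
    """Byte-exact replace that also reports how many times it matched,
    so a silent no-op (fragment not on the wire) becomes visible."""
    count = content.count(old)
    return content.replace(old, new), count


def _squeeze(b: bytes) -> bytes:
    """Drop all whitespace so layout differences stop mattering."""
    return re.sub(rb"\s+", b"", b)


def diagnose(content: bytes, fragment: bytes) -> str:
    """Classify why a fragment copied from a debugger does or does not match."""
    if fragment in content:
        return "exact"
    if _squeeze(fragment) in _squeeze(content):
        # Same tokens, different layout: copied from a pretty-printed view.
        return "whitespace"
    # Tokens differ: a renamed identifier, or different quoting.
    return "absent"


if __name__ == "__main__":
    for frag in (
        b"if (!e.endsWith('@trusted.com')) return;",  # copied from the debugger
        b"email.endsWith",                            # identifier from source
        b"endsWith('@trusted.com')",                  # literal + builtin name
    ):
        print(frag.decode(), "->", diagnose(SERVED_JS, frag))
    body, n = patch(SERVED_JS, b"endsWith('@trusted.com')", b"includes('@')")
    print(n, "replacement(s):", body.decode())
```

Inside a mitmproxy hook, logging `n == 0` for the responses you expected to change turns a confusing "nothing happened" into an immediate pointer at the mismatch.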
Examples
Disabling logic guards
unhacked.js:

```javascript
if (!email.endsWith('@trusted.com')) {
  return;
}
```

hacked.js:

```javascript
if (!email.includes('@')) {
  return;
}
```

script.py:

```python
# Inside response() from myscript.py above. The bytes must match the served
# file exactly, including the quote style.
flow.response.content = flow.response.content.replace(
    b"endsWith('@trusted.com')",
    b"includes('@')"
)
```
Adding allowed file extensions for upload
unhacked.js:

```javascript
const allowed = ['png', 'jpg'];
```

hacked.js:

```javascript
const allowed = ['png', 'exe', 'jpg'];
```

script.py:

```python
# Inside response() from myscript.py above.
flow.response.content = flow.response.content.replace(
    b"'png',",
    b"'png','exe',"
)
```
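Both examples only change what the browser enforces; the request that reaches the server still carries the untrusted email or the `.exe` upload. As an added example that is not part of the post, this is the server-side counterpart of the same two guards, the place where they actually have to be enforced. The policy values, the function names and the decision strings are all chosen for this example.

```python
import os

# Constructed policy mirroring the two client-side guards in the post.
ALLOWED_EXTENSIONS = {"png", "jpg"}
TRUSTED_DOMAIN = "trusted.com"


def email_is_trusted(email: str) -> bool:
    """Server-side counterpart of the endsWith('@trusted.com') guard.

    Splits on the last '@' and compares the domain exactly (case-insensitive),
    so a mailbox name that itself contains '@' cannot confuse the check.
    """
    local, sep, domain = email.rpartition("@")
    return bool(sep) and bool(local) and domain.lower() == TRUSTED_DOMAIN


def extension_is_allowed(filename: str) -> bool:
    """Server-side counterpart of the allowed-extension list.

    Judges only the final extension of the basename, lower-cased, so
    'shell.png.exe', 'SETUP.EXE' and '../x.exe' are all judged by '.exe'.
    """
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext[1:].lower() in ALLOWED_EXTENSIONS


def handle_upload(email: str, filename: str) -> str:
    """Decision the server makes regardless of what the browser checked."""
    if not email_is_trusted(email):
        return "rejected: untrusted email domain"
    if not extension_is_allowed(filename):
        return "rejected: file type not allowed"
    return "accepted"


if __name__ == "__main__":
    # Requests as they arrive after the client-side guards were patched out.
    for email, name in (
        ("alice@trusted.com", "avatar.png"),
        ("alice@trusted.com", "setup.exe"),
        ("mallory@evil.example", "avatar.png"),
    ):
        print(email, name, "->", handle_upload(email, name))
```

Checking the extension is only a first filter; a server that stores uploads should also verify the content type from the file bytes and never serve uploads from a path where they can execute.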
Art licensed under Creative Commons by OpenClipart-Vectors