Modifying a site's JavaScript with mitmproxy

fx2301

fx2301

Posted on January 14, 2022

Modifying a site's JavaScript with mitmproxy

Why?

You want to bypass client-side constraints in a JavaScript app you're hacking.

When?

Easiest to do when <script integrity> (Subresource Integrity) is not in use.

How?

mitmdump -s myscript.py
Enter fullscreen mode Exit fullscreen mode

myscript.py:

from mitmproxy import http

def response(flow: http.HTTPFlow) -> None:
  if flow.response and flow.response.content:
    flow.response.content = flow.response.content.replace(
      UNHACKED_FRAGMENT,
      HACKED_FRAGMENT
    )
Enter fullscreen mode Exit fullscreen mode

Gotchas

One mistake you can make it trying to replace the fragments of code you see in your browser debugger. That won't necessarily correspond 1-1 (e.g. in the case of unobfuscated code). That's why the examples here don't match against variable names or internal function names.

Examples

Disabling logic guards

unhacked.js:

if (!email.endswith('@trusted.com')) {
  return;
}
Enter fullscreen mode Exit fullscreen mode

hacked.js:

if (!email.includes('@')) {
  return;
}
Enter fullscreen mode Exit fullscreen mode

script.py:

flow.response.content = flow.response.content.replace(
  b'endsWith("@trusted.com")',
  b'includes("@")'
)
Enter fullscreen mode Exit fullscreen mode

Adding allowed file extensions for upload

unhacked.js:

const allowed = ['png', 'jpg'];
Enter fullscreen mode Exit fullscreen mode

hacked.js:

const allowed = ['png', 'exe', 'jpg'];
Enter fullscreen mode Exit fullscreen mode

script.py:

flow.response.content = flow.response.content.replace(
  b"'png',",
  b"'png','exe',"
)
Enter fullscreen mode Exit fullscreen mode

Art licensed under Creative Commons by OpenClipart-Vectors

💖 💪 🙅 🚩
fx2301
fx2301

Posted on January 14, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related