Continuing to look through Vault7, we can find Bee Sting. The idea is simple: traffic passes back and forth through a proxy we control and, on certain websites, instead of the legitimate response being returned we send back a modified response which has "reconstructed the IP header and calculated the new checksum, reconstructed the TCP header with the new payload size and calculated the checksum and modified the HTTP protocol content-Length to correlate with the new payload size." This should be invisible to the end user and accomplishes our goal, whether that is stealing credentials, sending the user to a fake download site, or something else.
Let's start by breaking down how a very simple web request typically works. Once the encryption details have been negotiated, your web browser sends a GET request for the website's root directory, typically represented by /index.html.
The website responds, if everything has been negotiated correctly, with the page contents. We get a status line, "HTTP/2 200 OK", and some additional headers such as Content-Length.
Here is where we can inject our payload. This type of attack is known as a Cross-Frame Scripting attack. OWASP has a great cheat sheet on this, which you can find in this link. We'll be using their example HTML to construct our example attack. Back in Burp, let's try browsing to culbertreport.com again, but this time let's inject an iframe.
We've now got our iframe added, changing only the example.com address to google.com. And what does the client get in return? Nothing.
Google refused to allow us to embed them in an iframe. What can we do here to get around this? Google sends a response header, X-Frame-Options: SAMEORIGIN, which tells the browser not to render their site inside a frame on another origin, so the browser refuses our iframe. If you're curious, you can read more about it here.
So let's remove that. Voilà! Once we stripped that annoying header from the response, we were able to embed their website in an iframe overlaying our own site.
This will append our OVERLAY_JS to the end of any webpage that's loaded. Now, if we start mitmproxy with the -s flag, pass proxy.py to it, and route our browser through it, we'll see our new alert.
<script>document.cookie = "username=Null Byte";</script>
Then we'll just use Python's simple http.server module on the receiving host to print out the cookie. Now when we browse to the site again, our cookie gets stolen.
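As a defensive counterpart to the rewriting described above (Content-Length fix-up, X-Frame-Options stripping, and script appended to the end of the page), here is an added example, not from the original post or from Bee Sting itself, that audits a raw HTTP/1.1 response for those signs of in-transit tampering. The sample responses are constructed; a rewriter that recalculates Content-Length as Bee Sting does will only trip the last two checks, which is why comparing headers against what the origin is known to send matters more than the length check alone.

```python
import re
from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: bytes) -> List[str]:
    """Return findings that suggest the response was rewritten between origin and client."""
    findings: List[str] = []
    _, headers, body = parse_response(raw)
    # 1. A sloppy rewriter appends content without fixing the declared length.
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(f"content-length {declared} != body length {len(body)}")
    # 2. Framing protection stripped: neither X-Frame-Options nor CSP frame-ancestors.
    has_xfo = "x-frame-options" in headers
    has_csp_fa = "frame-ancestors" in headers.get("content-security-policy", "").lower()
    if not (has_xfo or has_csp_fa):
        findings.append("no framing protection (X-Frame-Options / CSP frame-ancestors)")
    # 3. Markup appended after the document end, where an injected overlay would land.
    tail = body.lower().split(b"</html>", 1)
    if len(tail) == 2 and re.search(rb"<(script|iframe)\b", tail[1]):
        findings.append("script/iframe markup after </html>")
    return findings


def build(extra_headers: bytes, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + extra_headers
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples (assumed, not captured traffic).
CLEAN_BODY = b"<html><body>hi</body></html>"
INJECTED = b'<script>document.cookie="x"</script>'
CLEAN = build(b"X-Frame-Options: SAMEORIGIN\r\n", CLEAN_BODY)
TAMPERED = build(b"", CLEAN_BODY + INJECTED)   # header stripped, length recalculated
SLOPPY = CLEAN + INJECTED                       # appended without fixing Content-Length

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED), ("sloppy", SLOPPY)):
        print(name, audit_response(sample))
```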