
I use bettercap2 http proxy and arp spoof to inject one-line js alert into http pages. It works fine, however what about https? I couldn’t find any working method to inject it without the browser’s self-signed warning.

HTTPS allows importing https source scripts only, so I tried apache2 + ngrok for a green lock server with my script and it works, but I can’t understand how to dynamically add this script when users connect to sites on a LAN.

Is it possible to inject js into https sites with bettercap https proxy or maybe there is another method?

schroeder

1 Answer


I couldn’t find any working method to inject it without the browser’s self-signed warning. ... Is it possible to inject js into https sites with bettercap https proxy or maybe there is another method?

You are basically asking if there is a way to modify the transferred data inside an HTTPS connection without the user getting a warning. What you describe as your goal is exactly the thing the TLS layer inside HTTPS is intended to prevent: sniffing and/or modification of the traffic by a man-in-the-middle attacker.

You would either need to break the encryption (practically impossible) or you would need to convince the client that it is communicating directly with the expected server even if the client is communicating with the attacker. The latter is prevented by authenticating the server, i.e. making sure that the certificate provided by the server is the expected one and that the matching private key is owned by the server - see also How does SSL/TLS work? and SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.

Thus, in order to be an undetected (i.e. no warning) man in the middle one would need to convince the client to trust the attacker's certificate. By design this should be impossible, but there are flaws which might make it possible in some cases. For example, an attacker could compromise the original server and steal the certificate's private key. Or an attacker could compromise the client and install a trusted CA. Or in some cases there might even be a CA already on the client's system whose private key is leaked - as happened in the case of Superfish or certificates from Dell.

For more see also It's there a way to bypass https nowadays?.

Steffen Ullrich
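The answer above says the warning is the client's certificate verification doing its job, and that the only ways around it are to hold a key the client already trusts or to get the attacker's certificate into the client's trust store. The following is an added example (not code from the question, the answer, or bettercap) that reproduces those three outcomes on loopback with Go's standard library, acting as both the interception proxy and the verifying client. The hostnames bank.example and other.example are constructed for the demonstration, and the trust store is an explicit CertPool rather than the operating system's so the result does not depend on the machine it runs on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// victimHost is a constructed name standing in for the HTTPS site the proxy
// wants to inject into; nothing here leaves 127.0.0.1.
const victimHost = "bank.example"

// selfSignedCert builds the kind of certificate an interception proxy forges
// on the fly for a hostname: self-signed, so nobody the client trusts vouches for it.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // clients match the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake runs one TLS handshake on loopback: the "server" is the proxy
// presenting serverCert; the client expects serverName and trusts only roots.
// It returns the client's verdict; nil means the proxy could rewrite the page silently.
func handshake(serverCert tls.Certificate, serverName string, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // the proxy's own error is irrelevant here
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	return client.Close()
}

// InterceptUntrusted: the forged certificate against a trust store that does not
// contain it. This is the "self-signed warning" the question runs into.
func InterceptUntrusted() error {
	cert, _, err := selfSignedCert(victimHost)
	if err != nil {
		return err
	}
	return handshake(cert, victimHost, x509.NewCertPool()) // empty trust store
}

// InterceptTrusted: the same certificate after the attacker has planted it in the
// client's trust store (the "install a trusted CA" case): no warning at all.
func InterceptTrusted() error {
	cert, leaf, err := selfSignedCert(victimHost)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return handshake(cert, victimHost, roots)
}

// WrongName: a certificate the client does trust, but issued for another site.
// Trust alone is not enough; the name must match too.
func WrongName() error {
	cert, leaf, err := selfSignedCert("other.example")
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return handshake(cert, victimHost, roots)
}

// IsUnknownAuthority reports whether err is the "nobody I trust signed this" failure.
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// IsHostnameMismatch reports whether err is the "trusted, but not for this name" failure.
func IsHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

func main() {
	fmt.Println("forged cert, not trusted:", InterceptUntrusted())
	fmt.Println("forged cert, CA installed:", InterceptTrusted())
	fmt.Println("trusted cert, wrong name:", WrongName())
}
```

Only the second scenario lets the proxy read and modify the page without a warning, and it required write access to the client's trust store first. Certificate pinning or HSTS on the real site would tighten this further by refusing the forged certificate even when a local CA vouches for it.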