I've decided to take the HTML5 offline cache storage functionality and port it to Linux. The result is presented here as Squid-imposter. Now you can easily spoof websites that will be stored in the victim's browser cache forever.
Introduction

Squid-imposter makes it easy to create a Squid-based proxy that injects your own content into chosen website URLs. The modified content is then persisted in the client's browser even when the client no longer connects through your proxy, thanks to the HTML5 offline cache (application cache) feature. Additionally, standard HTTP cache headers set the page to be cached for 10 years. The injected content may, for example, be used to form a phishing attack during a penetration test.
What can it do?

It's a MITM/sidejacking attack technique: we're not exploiting a vulnerability in any website; instead we pretend to be that website. The only protection is, of course, using HTTPS/VPN, as Firesheep recently taught everyone.
The process is as follows:
- Choose a website URL you'd like to spoof (e.g. gmail login page)
- Prepare a modified version of the page (e.g with a submit button that also sends login/password to you)
- Look for any other URL on the domain that the user is unlikely to visit (this will be the manifest URL). It might be something tiny like a blank.gif file.
- Setup squid-imposter with payloads and URLs
- Convince a victim to connect to squid-imposter (e.g. hijack victim's proxy entries, make him connect to your rogue Wi-Fi)
- When the victim enters the URL, Squid returns the modified page and a manifest file that tells the browser to store the page in the offline cache.*
- Two years later, the user is no longer connected to your proxy, but the modified page is still served from the victim's browser cache.
- PHP 5.2
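The persistence described above rests on two observable signals in the HTTP response: an `<html manifest="...">` attribute (or a response served as `text/cache-manifest`) and a cache lifetime far beyond anything a login page legitimately needs. The following Python script is an added example, not part of Squid-imposter or this post, showing how a defender inspecting proxy captures or saved responses could flag both signals. The sample responses, the one-year threshold and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Threshold for "suspiciously long" caching; one year is an assumption,
# chosen so that the 10-year lifetime discussed in the post is well past it.
LONG_LIFETIME_SECONDS = 365 * 24 * 3600

# Matches the HTML5 application-cache hook: <html manifest="/some/path">
MANIFEST_ATTR_RE = re.compile(
    r'<html\b[^>]*\bmanifest\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def cache_lifetime_seconds(headers, now=None):
    """Return how long the response may be served from cache, in seconds.

    Cache-Control: max-age takes precedence over Expires, as in RFC 7234.
    Returns None when the response carries no explicit freshness lifetime.
    """
    cache_control = headers.get("cache-control", "")
    if "no-store" in cache_control or "no-cache" in cache_control:
        return 0
    match = re.search(r"max-age=(\d+)", cache_control)
    if match:
        return int(match.group(1))
    expires = headers.get("expires")
    if expires:
        try:
            expires_at = parsedate_to_datetime(expires)
            date_header = headers.get("date")
            base = (parsedate_to_datetime(date_header) if date_header
                    else (now or datetime.now(timezone.utc)))
            return int((expires_at - base).total_seconds())
        except (TypeError, ValueError):
            return None
    return None


def analyse_response(raw: bytes):
    """Return a list of human-readable findings for one captured response."""
    _, headers, body = parse_response(raw)
    findings = []

    lifetime = cache_lifetime_seconds(headers)
    if lifetime is not None and lifetime >= LONG_LIFETIME_SECONDS:
        findings.append(f"cache lifetime of {lifetime}s exceeds one year")

    manifest = MANIFEST_ATTR_RE.search(body)
    if manifest:
        findings.append(f"page declares an appcache manifest: {manifest.group(1)}")

    if "text/cache-manifest" in headers.get("content-type", ""):
        findings.append("response body is an appcache manifest")

    return findings


# Constructed sample: a spoofed login page cached for ten years that points
# the browser at an innocuous-looking manifest URL. Not a real capture.
SPOOFED_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Nov 2010 10:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: public, max-age=315360000\r\n"
    b"\r\n"
    b'<html manifest="/images/blank.gif"><body>Sign in</body></html>'
)

# Constructed sample: the same page as a legitimate site would serve it.
NORMAL_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Nov 2010 10:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html><body>Sign in</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_PAGE), ("normal", NORMAL_PAGE)):
        print(label, analyse_response(sample) or ["no findings"])
```

Run over a directory of saved responses (or hooked into a proxy's response log), the combination of a manifest attribute on a page that normally would not have one and a multi-year freshness lifetime is a strong indicator that a page was planted for offline persistence; either signal alone is worth a second look on authentication pages.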
Architecture

The scheme used by squid-imposter to spoof a website is presented in the graphic below.

[Figure: Squid-imposter interaction diagram]