It's me, it's my blog...
Debian

Spoof HTTP Headers Using Squid Proxy Server

What are HTTP Headers?

HTTP headers are the core part of these HTTP requests and responses, and they carry information about the client browser, the requested page, the server and more.

Examples of HTTP Headers

What your browser sends to the server:

GET / HTTP/1.1 
Host: donjajo.com 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Cookie: __cfduid=dedb7c82f;
Connection: keep-alive

This interprets, my browser requests for the directory / on the host donjajo.com using the User-Agent of my browser and other provided data. Now the Server will reply:

HTTP/2.0 200 OK 
Date: Sat, 27 Aug 2016 19:23:57 GMT 
Content-Type: text/html; charset=UTF-8 
Expires: Wed, 11 Jan 1984 05:00:00 GMT 
Cache-Control: no-cache, must-revalidate, max-age=0 
Link: <https://donjajo.com/wp-json/>; rel="https://api.w.org/", <https://wp.me/50p14>; rel=shortlink 
Server: cloudflare-nginx 
CF-RAY: 2d91e696ff7c35b4-LHR 
Content-Encoding: gzip 
X-Firefox-Spdy: h2 

<!DOCTYPE html>
<html lang="en-US" xmlns:fb="http://ogp.me/ns/fb#" xmlns:addthis="http://www.addthis.com/help/api-spec"  prefix="og: http://ogp.me/ns#">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="pingback" href="https://donjajo.com/xmlrpc.php">
    <!--[if lt IE 9]><script src="https://donjajo.com/wp-content/themes/wpex-mesa/js/html5.js"></script><![endif]-->
    <link rel="profile" href="http://gmpg.org/xfn/11">
    <title>Don Jajo - It&#039;s me, it&#039;s my blog...</title>
        [...]

These headers determines what you get from the server as the browser requests, a developer can reference any of the headers sent from the client (browser) and can return something based on what is in the header.

Spoofing HTTP Headers

These headers can be spoofed too, they are couple of browser add-ons to do this. But in this post I will be showing you how to do this with Squid Proxy in Linux

Squid Proxy Server

Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.

With these, Squid can manipulate most HTTP Requests and Response passed through it.

Installing Squid Proxy Server

If you don’t have it installed, install it using:

$ sudo apt install squid

Some distribution uses squid3

Configuring Squid Proxy Server

Firstly, we have to tell Squid Proxy to really serve as HTTP proxy server and accept requests from HTTP because by default this is disabled. We will have to edit the config file located at /etc/squid/squid.conf and find the line

# And finally deny all other access to this proxy
http_access deny all

Change it to

# And finally deny all other access to this proxy
http_access allow all

Then save and reload Squid with $ sudo systemctl restart squid

With what we are about to do – to spoof HTTP Headers is regarded as violating HTTP Rules, this is not enabled by default in most Linux Distribution. We have to tell Squid to neglect HTTP rules and violate it, to check if this option is enabled run this:

$ sudo squid -v | grep violations --color

Screenshot_20160827_210358If you see something similar to the above image, then it is enabled and can allow spoofing of HTTP Headers. Else if it returns nothing means it is not enabled and you need to rebuild the package to enable it.

Enabling an Option in Squid Proxy

If your output is similar to the above image, you can skip this step. Else you can proceed.

I made a post on how to Rebuild package in Debian/Ubuntu, from the post; after downloading source files and build dependencies, don’t rebuild yet. Edit in the Squid source files directory debian/rules like assuming the source files are in /tmp/squid3-3.5.19/ you are to edit the file /tmp/squid3-3.5.19/debian/rules. You should find something similar to this:

DEB_CONFIGURE_EXTRA_FLAGS := BUILDCXXFLAGS="$(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS)" \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--libexecdir=/usr/lib/squid \
--mandir=/usr/share/man \
--enable-inline \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd,rock" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos,wrapper" \
--enable-auth-ntlm="fake,smb_lm" \
--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,$
--enable-url-rewrite-helpers="fake" \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy 

These are list of options enabled by default, then all you have to do it goto the end and add yours, which will be --enable-http-violations making it look like

[...]--with-large-files \
--with-default-user=proxy \
--enable-http-violations

Save the file and go back to this post

Spoofing Request Headers

Now we have Squid built with --enable-http-violations enabled, lets go ahead and spoof request headers. Making sure Squid is working, we will run a command:

$ curl -I https://donjajo.com --proxy http://127.0.0.1:3128
HTTP/1.1 301 Moved Permanently
Date: Sat, 27 Aug 2016 20:42:50 GMT
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: __cfduid=dfdcd26b61d2d280e0e31732101196b051472330570; expires=Sun, 27-Aug-17 20:42:50 GMT; path=/; domain=.donjajo.com; HttpOnly
Location: https://donjajo.com/
ngpass_ngall: 1
Server: MyOwn/1.1
CF-RAY: 2d925a33480334dc-LHR
X-Cache: MISS from jajo-server
X-Cache-Lookup: MISS from jajo-server:3128
Via: 1.1 jajo-server (squid/3.5.19)
Connection: keep-alive

We could spot 1.1 jajo-server (squid/3.5.19) in the response, means our Squid is working! 🙂

Now we are going to spoof the sent request, lets change our User-Agent and Referer to something else. Edit the config file again /etc/squid/squid.conf and goto the last line and add these

#Block a header value from being sent to server
request_header_access User-Agent deny all
request_header_access Referer deny all

#Modify them
request_header_replace User-Agent NewUserAgent/1.1
request_header_replace Referer donjajo.com

request_header_access directive allows our blocks a value in HTTP sent request, we used it above to block
request_header_replace directive is use to replace blocked HTTP Header value, as we used it to replace User-Agent and Referer

Restart Squid and set your browser Proxy to 127.0.0.1:3128 and check your headers

Spoofing Response Header

As request headers can be spoofed, so is response headers. Using same method as above but with reply_header_access and reply_header_replace

We can replace the Server Signature sent from the server to something else by adding:

reply_header_access Server deny all
reply_header_replace Server MyOwn/1.1

Save and restart Squid, your response should be what you set.

Adding Header Parameter

As we can modify these headers, we can as well add our custom header. This is easily done by adding this line

#For Request
request_header_add Author Jajo

#For Response (This directive is not available in Squid 3.5.x)
reply_header_add CustomValue true

Save and don’t forget to restart Squid.

Summary

Wit this, we have gotten to know how to use Squid Proxy to spoof HTTP Headers. Squid has many features as its robust, this is just the tip of an iceberg from Squid.

 

10 Comments

  1. omar

    nice work man,very helpful>>THANKS 🙂

  2. omar

    hi,Don its me omar again 🙂 i want a help from you>cloudflare service is used by my ISP so that some websites are opened. my friend told me that we can access free internet by registering free account or website and upload php file to access free internet this trick called file include i think.i dont know how to do that have u any ideas as i like ur explanation way. waiting ur replay

  3. Xrobot

    SimpleServer does that outofthebox! though not as good.

  4. xrobot

    Is there anyway you know we could modify ‘HTTP Headers’. Cos I’ve seen that Glo Mobile NG sends the user’s MSISDN to websites that request X-msisdn headers! I am trying to do that in SimpleServer but not working yet. Visit whatismyproxy.com with a Glo line to see what I mean

  5. Xrobot

    it doesn’t happen with opera12 or praesto server. Wait let me check!

    • Don Jajo

      Because Opera and some other Mobile Phone browsers like UCWeb use proxy, their proxy. So it’s likely they’ve filtered the request headers

Leave a Reply

Your email address will not be published. Required fields are marked *