Bypassing Github's HSTS & CSP in firefox
First thing you'll need is a proxy. I'll use my Local VM with apache2 here. At the time there is no firefox plugins that could modify the response header. So this is the only way to do it. ( or just compile your own browser )
If you want to be able to push to github. You have 2 options:
- Create an alternative host that points to the original github
- From the proxy server, port forward to github. ( Recommend to create a network interface that handles this domain )
Generate a self-signed certificate with the following command:
There are 2 ways to do that:
1. Modify the host table
2. Use a custom DNS masquerade ( i.e., host a custom DNS )
For the sake of simplicity, let's just edit the host table instead.
Do the following steps:
-> Flush your DNS
-> Open firefox
-> Go to history Ctrl + h
-> Search github.com
-> Right click -> Forget about this site
-> Goto about:config, add this to the registry test.currentTimeOffsetSeconds: 11491200
-> Restart firefox
-> Visit github.com, add that cert you've just generated to exception
Done!
Because github has a very strict policy. I think I'll just bypass all of that because I could.
If you want to be able to push to github. You have 2 options:
- Create an alternative host that points to the original github
- From the proxy server, port forward to github. ( Recommend to create a network interface that handles this domain )
Step 1 - Configure your proxy
Apache2 Config
<VirtualHost _default_:443>
ServerName github.com
SSLEngine on
SSLCertificateFile /home/penguin/github-bypass/cert.pem
SSLCertificateKeyFile /home/penguin/github-bypass/key.pem
# These 3 lines removes the unwanted headers from github
Header unset Strict-Transport-Security
Header unset Content-Security-Policy
Header unset Public-Key-Pins
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
<Location />
ProxyPass https://github.com/ nocanon
# ProxyPreserveHost On
# ProxyPassReverseCookieDomain 10.0.0.208 %{HTTP_HOST}
# Require all denied
# Require ip 192.168.0.222
</Location>
</VirtualHost>Generate a self-signed certificate with the following command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -sha256 -nodesStep 2 - Faking the host
There are 2 ways to do that:
1. Modify the host table
2. Use a custom DNS masquerade ( i.e., host a custom DNS )
For the sake of simplicity, let's just edit the host table instead.
# host table config
github.com 192.168.0.139Do the following steps:
-> Flush your DNS
-> Open firefox
-> Go to history Ctrl + h
-> Search github.com
-> Right click -> Forget about this site
-> Goto about:config, add this to the registry test.currentTimeOffsetSeconds: 11491200
-> Restart firefox
-> Visit github.com, add that cert you've just generated to exception
Done!
Why'd I do this?
You must have your reason to do so right? For me it is that I have a plugin that injects a customized script & styles to every website I visit ( which is a set of tools I use regularly, such as VimArea ).Because github has a very strict policy. I think I'll just bypass all of that because I could.
Fri Mar 03 2017 02:20:42 GMT+0000 (Coordinated Universal Time)
Last modified: Fri Jan 26 2018 03:28:02 GMT+0000 (Coordinated Universal Time)
Comments
No comments here.
Do you even comment?
website:
Not a valid website
Invalid email format
Please enter your email
*Name:
Please enter a name
Submit
抱歉,Google Recaptcha 服務被牆掉了,所以不能回覆了