Join GitHub today
Add custom http headers #8948
With "domain fronting" becoming all the rage it was high time we added some kind of support to the Meterpreter payloads that would allow for these shenanigans to work in MSF. This PR is the first attempt at such a thing, while aiming to add support for other things including
The associated Payloads PR is here: rapid7/metasploit-payloads#236
Obviously the need to set generic headers is helpful. Unfortunately, opening this door to people can cause issues because not all headers can be set in the way that we'd expect, and this varies from API to API and platform to platform. The
As a result, I added support for three new settings which map directly to headers:
These can be handled on a per-implementation basis and put in the correct spots. If we feel the need to add more over time, then we can.
To support domain fronting, we really only needed to give control over the
Off you go. From here the requests should include the custom Host header. If you're using the likes of Amazon with Cloudfront, then things should just work as you'd expect.
I've PRed some fixes for Android/Java here:
Thanks @timwr I've merged both of the PRs. I do think that we need to look to reduce the duplication of code, but it's hard to know where best to apply it. Plus if we're going to do it here, we should look to do it in a number of other spots where duplication is rampant.
Does the HTTP Cookies option imply that the payload should implement full-fledged cookie tracking? Or that we should fill an actual cookie-jar with assorted cookies?
Reason why I ask is I can either just add the header, or do the real deal: https://curl.haxx.se/libcurl/c/CURLOPT_COOKIE.html and wondering which is better for this purpose.