mandatoryprogrammer / CursedChrome

Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.
MIT License

Binary Request Body Gets Corrupted #29

Closed Matir closed 3 years ago

Matir commented 3 years ago

I'm sorry for such a vague bug, but I've been trying to narrow it down better for a while with little success.

Steps to reproduce:

  1. Go to a file upload page and upload a non-ascii file (i.e., an image is a good choice)
  2. Note that the file received on the server is changed (seems to always be larger) -- some servers will reject due to checking length

I traced things through the WebSocket protocol to the implant and things appear fine at the point it's inserted into the fetch request. My working theory is that the fetch API does not like the body being invalid Unicode, but I don't know nearly enough about fetch to say that for sure.

Matir commented 3 years ago

Okay, this appears to be because of the fetch API coercing the string to a USVString, which results in invalid Unicode code points being replaced by alternate encodings or by the replacement code point. In other words, pretending binary is Unicode is blowing up. Instead, a Blob can be passed as the body, and that seems to not care what it is.

Sending a PR to try to handle this.
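The failure mode discussed in this thread, shown as an added example that is not part of CursedChrome's code or the PR. The Fetch spec treats a string body as a USVString (lone surrogates become U+FFFD) and then UTF-8 encodes it, so every char code at or above 0x80 turns into two bytes on the wire; `TextEncoder` applies the same conversion, so it is used here to model what fetch would send without opening a network connection. The "binary string" representation (one JS character per byte) is an assumption about how the body reaches the implant, and the PNG-like payload is constructed for the example. Runs under Node 18+, where `Blob` and `TextEncoder` are globals.

```javascript
// Added example, not CursedChrome's own code. Contrasts what fetch() sends
// for a string body with what it sends for a Blob body built from raw bytes.

// Constructed sample payload: a PNG signature followed by a NUL and two high bytes.
const SAMPLE_BYTES = new Uint8Array([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0xff, 0xfe,
]);

// Assumption: the body arrives as a "binary string", one JS character per
// byte (char codes 0..255). This builds such a string from raw bytes.
function bytesToBinaryString(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return s;
}

// What fetch() transmits when `body` is a string: USVString conversion
// (lone surrogates replaced by U+FFFD) followed by UTF-8 encoding.
// TextEncoder does exactly this, so it stands in for fetch here.
// Any char code >= 0x80 becomes two bytes, which is why uploads grow.
function stringBodyOnTheWire(str) {
  return new TextEncoder().encode(str);
}

// The fix from the thread: hand fetch() a Blob built from the raw bytes.
// No string coercion takes place, so the bytes go out verbatim.
function blobBodyForFetch(bytes) {
  return new Blob([bytes], { type: "application/octet-stream" });
}

function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

// Summarise both paths for one payload so the difference is easy to check.
function compareBodies(bytes) {
  const asString = stringBodyOnTheWire(bytesToBinaryString(bytes));
  const asBlob = blobBodyForFetch(bytes);
  return {
    original: bytes.length,          // bytes the victim's browser should send
    stringBodyLength: asString.length, // what a string body actually sends
    stringBodyIntact: bytesEqual(asString, bytes),
    blobBodyLength: asBlob.size,       // Blob.size is the exact byte count
  };
}

// Demonstration when run directly.
console.log(compareBodies(SAMPLE_BYTES));
// A lone surrogate shows the USVString replacement step on its own.
console.log("lone surrogate via string body:",
  Array.from(stringBodyOnTheWire("\uD800")));
```

For a real request the Blob is passed as-is, e.g. `fetch(url, { method: "POST", headers, body: blobBodyForFetch(bytes) })`; a `Uint8Array` (any BufferSource) works the same way, since fetch reads both as bytes rather than as text.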