{"id":17473717,"url":"https://github.com/esonhugh/proxyinbrowser","last_synced_at":"2025-04-16T16:31:40.948Z","repository":{"id":258078220,"uuid":"871457044","full_name":"Esonhugh/ProxyInBrowser","owner":"Esonhugh","description":"Open Source XSS exploitation tool. using http proxy to access the browser which executed this project. [Engineering Experimental]","archived":false,"fork":false,"pushed_at":"2024-10-16T02:36:00.000Z","size":84,"stargazers_count":8,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-10-18T20:45:44.888Z","etag":null,"topics":["browser","cors-proxy","golang","hacktool","http-proxy","mitm","mitmproxy","proxy-server","tools","typescript","xss","xss-exploitation"],"latest_commit_sha":null,"homepage":"https://youtu.be/oJyczopfzrc","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Esonhugh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-12T02:54:36.000Z","updated_at":"2024-10-17T02:18:21.000Z","dependencies_parsed_at":"2024-10-18T04:47:25.315Z","dependency_job_id":null,"html_url":"https://github.com/Esonhugh/ProxyInBrowser","commit_stats":null,"previous_names":["esonhugh/proxyinbrowser"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2FProxyInBrowser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2FProxyInBrowser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2FProxyInBrows
er/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2FProxyInBrowser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Esonhugh","download_url":"https://codeload.github.com/Esonhugh/ProxyInBrowser/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249259146,"owners_count":21239422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser","cors-proxy","golang","hacktool","http-proxy","mitm","mitmproxy","proxy-server","tools","typescript","xss","xss-exploitation"],"created_at":"2024-10-18T18:06:41.802Z","updated_at":"2025-04-16T16:31:40.566Z","avatar_url":"https://github.com/Esonhugh.png","language":"Go","readme":"# ProxyInBrowser\n\nThis is the Proxy in Browser project, which aims to provide a simple way to impersonate any web request with the fetch API\nand create a simple local HTTP proxy service.\n\nYou can make a request via the HTTP proxy; that request is sent to the browser that executed the payload, and the browser makes the request on your behalf.\n\n## How to\n\nThe \"ProxyInBrowser\" project establishes an HTTP proxy through a browser to execute web requests. It leverages the fetch API to allow a victim's browser to make customized requests as per the attacker's parameters, enabling the attacker to receive responses from the victim's browser. 
\n\nA typical use case for this project is in XSS (Cross-Site Scripting) attacks where, after injecting a generated malicious script, the payload from this project is automatically loaded, and JavaScript is executed to establish a WebSocket connection back to the attacker. The WebSocket is for command and control communication, which can bypass some CSP but is not automatically rebuilt unless the XSS trigger is reactivated. It also persists a specific client trace ID in localStorage, which lets the controller backend know which client it is.\n\nThe main security measure against such exploits is a well-configured Content Security Policy (CSP) that can prevent XSS and block tools like ProxyInBrowser. \n\nThe primary technical challenge involves stripping browser HTTPS requests by using a methodology similar to Burp Suite to create an HTTP proxy and performing MITM attacks with self-signed CA certificates. This setup allows manipulation of Fetch API calls and CORS responses to bypass security measures in browsers, considering ongoing updates and security enhancements.\n\n## Installation\n\n### Pre-requisites\n\n```bash\nrlwrap # for better readline support\npbcopy # copy payload\n```\n\n### Start\n\n```bash\nmake\n```\n\n## Usage\n\n```bash\n./server \n```\n\nPaste the payload into the website or the developer tools console.\n\n### Example\n\n```bash\nConsole\u003e help\n```\n\n### Usage Demo\n\n[![ProxyInBrowser Usage Demo](https://markdown-videos-api.jorgenkh.no/url?url=https%3A%2F%2Fyoutu.be%2FoJyczopfzrc)](https://youtu.be/oJyczopfzrc)\n\n## Known Issue\n\nIn no-cors mode, the Chrome browser prevents JavaScript from reading the fetch response for some resources. This happens when the website includes cross-site CDN JS/image resources.\n\nSo fetch can't impersonate every request that the browser makes. 
:( \n\n## Sponsor\n\n[Patreon](https://patreon.com/Skyworshiper?utm_medium=unknown\u0026utm_source=join_link\u0026utm_campaign=creatorshare_creator\u0026utm_content=copyLink)","funding_links":["https://patreon.com/Skyworshiper?utm_medium=unknown\u0026utm_source=join_link\u0026utm_campaign=creatorshare_creator\u0026utm_content=copyLink"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesonhugh%2Fproxyinbrowser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fesonhugh%2Fproxyinbrowser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesonhugh%2Fproxyinbrowser/lists"}