Initial release v1.0.0

.github/workflows/xgo.yml

@@ -0,0 +1,71 @@
+name: Release Tags
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Fetch Version from Tag
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      # Build and release CFFI artifacts
+
+      - name: Build CFFI
+        uses: crazy-max/ghaction-xgo@v3
+        with:
+          xgo_version: latest
+          go_version: latest
+          dest: cffi_dist
+          prefix: hazetunnel-api-${{ env.VERSION }}
+          targets: "*/*"
+          v: true
+          race: false
+          ldflags: -s -w
+          buildmode: c-shared
+          trimpath: true
+          working_dir: hazetunnel
+
+      - name: Upload CFFI Build Artifacts to Workflow
+        uses: actions/upload-artifact@v3
+        with:
+          name: cffi-build-artifacts-${{ env.VERSION }}
+          path: hazetunnel/cffi_dist/**
+
+      - name: Upload Release Assets with action-gh-release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: hazetunnel/cffi_dist/*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build CLI artifacts
+
+      - name: Build CLI
+        uses: crazy-max/ghaction-xgo@v3
+        with:
+          xgo_version: latest
+          go_version: latest
+          dest: cli_dist
+          prefix: hazetunnel-cli-${{ env.VERSION }}
+          targets: "*/*"
+          v: true
+          race: false
+          ldflags: -s -w
+          buildmode: default
+          trimpath: true
+          working_dir: hazetunnel
+
+      - name: Upload CLI Build Artifacts to Workflow
+        uses: actions/upload-artifact@v3
+        with:
+          name: cli-build-artifacts-${{ env.VERSION }}
+          path: hazetunnel/cli_dist/**
+
+permissions:
+  contents: write

.gitignore

@@ -0,0 +1,24 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+*.pem
+credentials

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 daijro, rosahaj
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,108 @@
+<h1 align="center">
+    Hazetunnel
+</h1>
+
+<h3 align="center">
+    🔮 Vindicate non-organic web traffic
+</h3>
+
+---
+
+Hazetunnel is an MITM proxy that attempts to legitimize [BrowserForge](https://github.com/daijro/browserforge/)'s injected-browser web traffic by hijacking the TLS fingerprint to mirror the passed User-Agent.
+
+Additionally, it can inject a Javascript payload into the web page to defend against [worker fingerprinting](https://github.com/arkenfox/user.js/issues/1163).
+
+<hr width=50>
+
+### Features ✨
+
+- Anti TLS fingerprinting 🪪
+
+  - Emulate the ClientHello of browsers based on the passed User-Agent (e.g. Chrome/120)
+  - Bypasses TLS fingerprinting checks
+
+- Javascript payload injection 💉
+
+  - Prepends payload to all Javascript responses, including the web page Service/Shared worker scope.
+  - Injects payload into embedded base64 encoded JavaScript within HTML responses ([see here](https://github.com/apify/fingerprint-suite/issues/64#issuecomment-1282877696))
+
+This project was built on [tlsproxy](https://github.com/rosahaj/tlsproxy), please leave them a star!
+
+---
+
+## Integration
+
+### Header table
+
+Add the following headers to each request to the proxy:
+
+| Header            | Description                                                                      | Example                                       |
+| ----------------- | -------------------------------------------------------------------------------- | --------------------------------------------- |
+| `x-mitm-payload`  | Inject a JavaScript payload into the response.                                   | `alert('Hello world');`                       |
+| `x-mitm-upstream` | Optionally forward the request to the upstream proxy. Must be socks5 or socks5h. | `socks5://user:[email protected]:7000` |
+
+### Curl
+
+Assuming Hazetunnel is running on `localhost:8080`:
+
+```bash
+curl \
+--proxy http://localhost:8080 \
+--cacert cert.pem \
+"https://example.com" \
+-H "x-mitm-payload: alert('Hello world');"
+```
+
+### Python Requests
+
+```py
+requests.get(
+    'https://example.com',
+    headers={
+      'x-mitm-payload': 'alert("Hello world");'
+    },
+    proxies={
+      'http': 'http://localhost:8080',
+      'https': 'http://localhost:8080',
+    },
+    verify='cert.pem'
+)
+```
+
+<hr width=50>
+
+## Building
+
+### CFFI
+
+Pre-built C shared library binaries provided in [Releases](https://github.com/daijro/hazetunnel/releases).
+
+Otherwise, you can build these yourself using the `build.bat` file provided.
+
+### CLI
+
+#### Building from source
+
+```bash
+git clone https://github.com/daijro/hazetunnel
+cd hazetunnel
+go build
+```
+
+#### Usage
+
+```
+Usage of ./hazetunnel:
+  -addr string
+        Proxy listen address
+  -cert string
+        TLS CA certificate (generated automatically if not present) (default "cert.pem")
+  -key string
+        TLS CA key (generated automatically if not present) (default "key.pem")
+  -port string
+        Proxy listen port (default "8080")
+  -verbose
+        Enable verbose logging
+```
+
+---

VERSION

@@ -0,0 +1 @@
+1.0.0

example/server.py

@@ -0,0 +1,59 @@
+"""
+This is an example server to test the capabilities of hazetunnel.
+
+Example command for testing HTML injection,
+Assuming hazetunnel is running on 8080, and this server on 5000:
+
+curl --proxy http://localhost:8080 \
+    --insecure http://localhost:5000/html \
+    -H "x-mitm-payload: alert('Hello world');" \
+    -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
+
+Example command for testing JavaScript injection:
+
+curl --proxy http://localhost:8080
+    --insecure http://localhost:5000/js \
+    -H "x-mitm-payload: alert('Hello world');" \
+    -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
+"""
+
+from base64 import b64encode
+
+from flask import Flask, Response
+
+app = Flask(__name__)
+
+# JavaScript script to be served
+js_script = "console.log('Original JavaScript executed.');"
+# Encode the JavaScript script in base64
+encoded_js_script = b64encode(js_script.encode()).decode('utf-8')
+
+# HTML content with an embedded base64 JavaScript blob
+html_content = f"""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Testing Page</title>
+</head>
+<body>
+    <h1>Base64 JavaScript Testing Page</h1>
+    <p>This page includes an embedded base64 encoded JavaScript for testing.</p>
+    <!-- Embedding the JavaScript directly using a data URI scheme -->
+    <script src="data:application/javascript;base64,{encoded_js_script}"></script>
+</body>
+</html>
+"""
+
+
+@app.route('/html')
+def home():
+    return html_content
+
+
+@app.route('/js')
+def serve_js():
+    return Response(js_script, mimetype='application/javascript')
+
+
+if __name__ == '__main__':
+    app.run(debug=True)

hazetunnel/cert.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"log"
+	"os"
+
+	"github.com/elazarl/goproxy"
+
+	cfsr "github.com/cloudflare/cfssl/csr"
+	"github.com/cloudflare/cfssl/initca"
+)
+
+func fileExists(filename string) bool {
+	_, err := os.Stat(filename)
+	return !os.IsNotExist(err)
+}
+
+func setGoproxyCA(tlsCert tls.Certificate) {
+	var err error
+	if tlsCert.Leaf, err = x509.ParseCertificate(tlsCert.Certificate[0]); err != nil {
+		log.Fatal("Unable to parse ca", err)
+	}
+
+	goproxy.GoproxyCa = tlsCert
+	goproxy.OkConnect = &goproxy.ConnectAction{Action: goproxy.ConnectAccept, TLSConfig: goproxy.TLSConfigFromCA(&tlsCert)}
+	goproxy.MitmConnect = &goproxy.ConnectAction{Action: goproxy.ConnectMitm, TLSConfig: goproxy.TLSConfigFromCA(&tlsCert)}
+	goproxy.HTTPMitmConnect = &goproxy.ConnectAction{Action: goproxy.ConnectHTTPMitm, TLSConfig: goproxy.TLSConfigFromCA(&tlsCert)}
+	goproxy.RejectConnect = &goproxy.ConnectAction{Action: goproxy.ConnectReject, TLSConfig: goproxy.TLSConfigFromCA(&tlsCert)}
+}
+
+func loadCA() {
+	if fileExists(Flags.Cert) && fileExists(Flags.Key) {
+		tlsCert, err := tls.LoadX509KeyPair(Flags.Cert, Flags.Key)
+		if err != nil {
+			log.Fatal("Unable to load CA certificate and key", err)
+		}
+
+		setGoproxyCA(tlsCert)
+	} else {
+		if fileExists(Flags.Cert) {
+			log.Fatalf("CA certificate exists, but found no corresponding key at %s", Flags.Key)
+		} else if fileExists(Flags.Key) {
+			log.Fatalf("CA key exists, but found no corresponding certificate at %s", Flags.Cert)
+		}
+
+		log.Println("No CA found, generating certificate and key")
+		tlsCert, err := generateCA()
+		if err != nil {
+			log.Fatal("Unable to generate CA certificate and key", err)
+		}
+
+		setGoproxyCA(tlsCert)
+	}
+}
+
+func generateCA() (tls.Certificate, error) {
+	csr := cfsr.CertificateRequest{
+		CN:         "tlsproxy CA",
+		KeyRequest: cfsr.NewKeyRequest(),
+	}
+
+	certPEM, _, keyPEM, err := initca.New(&csr)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	caOut, err := os.Create(Flags.Cert)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	defer caOut.Close()
+	_, err = caOut.Write(certPEM)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	keyOut, err := os.OpenFile(Flags.Key, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	defer keyOut.Close()
+
+	_, err = keyOut.Write(keyPEM)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return tls.X509KeyPair(certPEM, keyPEM)
+}