Spoof and Modify HTTP Headers Using Squid Proxy

Hello my fellow friends, today we'll talk about how we can spoof HTTP headers with Squid Proxy. Another way is to use a browser plugin; although that is much easier, it is limited to the browser itself. Please check out this link to see the browser plugin method.

Introduction

Squid proxy is generally robust and can be customised to your needs. Basically, it is used for caching and forwarding web content. Learn more about Squid proxy here.

What are HTTP Headers?

Here is an example of HTTP headers. Use $ curl -I http://example.com to see the HTTP headers, or add -v for verbose output. Below are the HTTP headers I got from example.com. Learn more about HTTP headers here.

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Sun, 08 Oct 2017 04:32:01 GMT
Etag: "359670651"
Expires: Sun, 15 Oct 2017 04:32:01 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (oxr/837E)
X-Cache: HIT
Content-Length: 1270

Steps

To spoof the HTTP headers, Squid must be built with the --enable-http-violations option, but the default installation doesn't enable it. It must be enabled manually by building from source. This build was successfully tested on Debian.

Here's a tip: if you want to rebuild a package with some modifications, this is easily done on Debian-based systems.

Before you can download the source, you have to add deb-src to your /etc/apt/sources.list so that the source files of a package can be downloaded.

1. Enable sources in repositories

The package repositories are listed in /etc/apt/sources.list. Edit the file using your favorite editor.

$ sudo nano /etc/apt/sources.list

If you're using Debian, your package repo may contain something like this:

deb  http://deb.debian.org/debian stretch main contrib non-free

With only that, you can't download any source packages from the repositories. You have to add deb-src to enable package sources like the following:

deb  http://deb.debian.org/debian stretch main contrib non-free
deb-src  http://deb.debian.org/debian stretch main contrib non-free

Save the file and run update to update the repositories with the newly added deb-src.

$ sudo apt clean
$ sudo apt update

2. Download Squid source and build dependencies

Now that we've added deb-src to the repositories, we can download any source package that we want. In this case we're going to download the Squid package by running:

$ sudo apt source squid3

After downloading the source, we need to install the package's build dependencies by running:

$ sudo apt build-dep squid3

This should download and install the packages needed to build the Squid package. With the dependencies installed, we can now make the modification to enable HTTP violations.

3. Modify the package

The option that we need in this case is --enable-http-violations. Add the option in debian/rules.

$ sudo nano squid3-3.5.23/debian/rules

You should find something similar to this:

DEB_CONFIGURE_EXTRA_FLAGS := BUILDCXXFLAGS="$(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS)" \
                --datadir=/usr/share/squid \
                --sysconfdir=/etc/squid \
                --libexecdir=/usr/lib/squid \
                --mandir=/usr/share/man \
                --enable-inline \
                --disable-arch-native \
                --enable-async-io=8 \
                --enable-storeio="ufs,aufs,diskd,rock" \
                --enable-removal-policies="lru,heap" \
                --enable-delay-pools \
                --enable-cache-digests \
                --enable-icap-client \
                --enable-follow-x-forwarded-for \
                --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
                --enable-auth-digest="file,LDAP" \
                --enable-auth-negotiate="kerberos,wrapper" \
                --enable-auth-ntlm="fake,smb_lm" \
                --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group" \
                --enable-url-rewrite-helpers="fake" \
                --enable-eui \
                --enable-esi \
                --enable-icmp \
                --enable-zph-qos \
                --enable-ecap \
                --disable-translation \
                --with-swapdir=/var/spool/squid \
                --with-logdir=/var/log/squid \
                --with-pidfile=/var/run/squid.pid \
                --with-filedescriptors=65536 \
                --with-large-files \
                --with-default-user=proxy

These are the Squid options that are enabled by default. At the bottom of the config options, add --enable-http-violations (or any other options that you want) so that it looks like this:

                [...]
                --with-large-files \
                --with-default-user=proxy \
                --enable-http-violations

Save and close the file.

4. Rebuild the package with custom options

After adding the options that you need, we are ready to build the package. To do this, we need to install some packages on the system.

$ sudo apt install devscripts build-essential libdbi-perl

After a successful installation, we can proceed to build the package. Before that, you need to cd into the package source directory.

$ cd squid3-3.5.23
$ sudo debuild -us -uc -b

The rebuild may take some time. If everything is good, you'll find the .deb package files in the parent directory. You can install them all using the following command:

$ sudo dpkg -i squid*.deb

This returned errors for me. If you encounter the same, we can fix that by running the following and then reinstalling.

$ sudo apt --fix-broken install
$ sudo dpkg -i squid*.deb

After installation, your Squid service is now running. You can verify it with:

$ sudo service squid status

Check that the installed build includes --enable-http-violations:

$ sudo squid -v | grep violations --color

If everything went right, you have now successfully installed the Squid package from source!

5. Configuring the proxy server

Edit the Squid configuration file located at /etc/squid3/squid.conf and find the line

# And finally deny all other access to this proxy
http_access deny all

Change it to

# And finally deny all other access to this proxy
http_access allow all

Testing the proxy

$ curl -I http://example.com --proxy http://127.0.0.1:3128
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Sat, 07 Oct 2017 19:24:50 GMT
ETag: "359670651"
Expires: Sat, 14 Oct 2017 19:24:50 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: MyOwn/1.1
X-Cache: HIT
Content-Length: 606
X-Cache: MISS from kali
X-Cache-Lookup: MISS from kali:3128
Via: 1.1 kali (squid/3.5.27)
Connection: keep-alive

As we can see Via: 1.1 kali (squid/3.5.27) in the response, our proxy is working.

Spoofing request headers

Usage:   request_header_replace header_name message
Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)

This option allows you to change the contents of headers denied with request_header_access above, by replacing them with some fixed string. This only applies to request headers, not reply headers. By default, denied headers are removed or left blank.

Now we are going to spoof the request headers we send: let's change our User-Agent and Referer to something else. You can get a User-Agent list here. Go to the last line of the configuration file and add the following.

### Spoofing Request Headers ###
# Block header value User-Agent from being sent to server and modify them
request_header_access User-Agent deny all
request_header_replace User-Agent MyNewUserAgent/1.1
 
# Block header value Referer from being sent to server and modify them
request_header_access Referer deny all
request_header_replace Referer example.com

The request_header_access directive allows us to block a header in the HTTP request being sent. The request_header_replace directive is used to replace the value of a blocked HTTP header, as we did for User-Agent and Referer. You can use this template to spoof any HTTP request header.

Restart squid, set your browser proxy to 127.0.0.1:3128 and check your header.

$ sudo service squid restart

Spoofing response headers

Usage:   reply_header_replace header_name message
Example: reply_header_replace Server Foo/1.0

This option allows you to change the contents of headers denied with reply_header_access above, by replacing them with some fixed string. This only applies to reply headers, not request headers. By default, denied headers are removed or left blank.

Just as request headers can be spoofed, so can response headers, using the same method as above but with reply_header_access and reply_header_replace.

We can replace the Server signature sent from the server with something else by adding:

### Spoofing response header ###
reply_header_access Server deny all
reply_header_replace Server MyOwnServer/1.1

Save and restart Squid; your response should now show what you set.

Adding Custom Header Parameter

Just as we can modify these headers, we can also add our own custom header. This is easily done by adding this line:

# For HTTP Request
request_header_add Author IceM4nn
 
# For HTTP Response (This directive is not available in Squid 3.5.x)
# reply_header_add CustomValue true

Save, and don’t forget to restart Squid.
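A *_header_replace line only takes effect for a header that the matching *_header_access rule denies, so it helps to check the configuration for rules that strip, rewrite or silently do nothing. The shell function below is an added example, not part of the original post; audit_squid_headers, sample_conf and the output labels are names chosen here, and the sample configuration is constructed.

```shell
# Added example. ACL names after allow/deny are not evaluated (assumption):
# any "deny" rule is treated as denying that header. Reads a file or stdin.
audit_squid_headers() {
    awk '
    function key(directive, hdr,   d) {        # e.g. "request user-agent"
        d = directive; sub(/_header_.*$/, "", d)
        return d " " tolower(hdr)
    }
    /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
    $1 ~ /^(request|reply)_header_access$/ && $3 == "deny" {
        k = key($1, $2)
        if (!(k in denied)) { denied[k] = $2; dorder[++nd] = k }
        next
    }
    $1 ~ /^(request|reply)_header_replace$/ {
        k = key($1, $2); v = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        if (!(k in repl)) rorder[++nr] = k
        repl[k] = v; rname[k] = $2
        next
    }
    $1 == "request_header_add" { adds[++na] = "ADD request " $2; next }
    $1 == "http_access" && $2 == "allow" && $3 == "all" { openproxy = 1 }
    END {
        for (i = 1; i <= nd; i++) {            # denied headers: replaced or removed
            k = dorder[i]; split(k, p, " ")
            if (k in repl) print "REWRITE " p[1] " " denied[k] " -> " repl[k]
            else           print "STRIP " p[1] " " denied[k]
        }
        for (i = 1; i <= nr; i++) {            # replace rules with no matching deny
            k = rorder[i]; split(k, p, " ")
            if (!(k in denied)) print "UNUSED-REPLACE " p[1] " " rname[k]
        }
        for (i = 1; i <= na; i++) print adds[i]
        if (openproxy) print "OPEN-PROXY http_access allow all"
    }' "${1:--}"
}
# Constructed sample configuration, not a real server config.
sample_conf() { cat <<'EOF'
http_access allow all
request_header_access User-Agent deny all
request_header_replace User-Agent MyNewUserAgent/1.1
request_header_access Referer deny all
reply_header_replace Server MyOwnServer/1.1
request_header_add Author IceM4nn
# reply_header_add CustomValue true
EOF
}
sample_conf | audit_squid_headers
```

Run it on the live file with audit_squid_headers /etc/squid/squid.conf; the OPEN-PROXY line marks http_access allow all, which lets any client that can reach port 3128 use the proxy.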

Post installation

1. Update your firewall settings

If you install this on a server, you may need to open the Squid port in your firewall. You can do this using ufw:

$ sudo ufw allow 3128/tcp comment "Squid Proxy"

2. Hold Squid from update

This is important to keep your current Squid build as it is, so that it is not replaced by a new Squid installation without the custom options that we need.

If you don't do this, the next time a Squid update is pushed it will overwrite our current Squid installation. To hold Squid back from updates, enter the following commands:

$ sudo dpkg --get-selections | grep squid
$ sudo apt-mark hold squid squid-common squid-dbg

To get an updated Squid package with the custom build, every time a Squid update is available you must build it again from the latest version, uninstall the old version and install the new package.

3. Enable auto startup on boot

This makes Squid start automatically on boot.

$ sudo systemctl start squid.service
$ sudo systemctl enable squid.service

4. View all enabled configs

To see all enabled config lines in a clean view (with commented and blank lines removed):

$ grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
 or
$ cat /etc/squid/squid.conf | sed '/^ *#/d; /^ *$/d'

To completely uninstall

Make sure you disable and stop the service before uninstalling it.

$ sudo service squid stop
$ sudo systemctl disable squid.service
$ sudo apt remove --purge 'squid*' squidclient squid-cgi squid-common squid-langpack squid-purge

Find any leftover directories, and remove them.

$ find / -name 'squid*'
$ sudo rm -r /usr/share/squid-langpack/
$ sudo rm -r /usr/share/squid3/

Deny firewall entries.

$ sudo ufw deny 3128/tcp

Summary

Hopefully, you now know how to use Squid Proxy to spoof HTTP headers. Squid is robust and has many features, and this application is just the tip of the iceberg. Check out the squid-cache wiki for more.

Hazmirul Afiq
