I am not sure if this is the right place to post this topic. I've already mailed Marlinspike about the bugs. Just for reference, in case people encounter such problems later but can't figure out the solutions, I'll post them here too.

I was trying out SSL Strip the other day, and I found a couple of bugs in it. Well, three actually, if you count a minor miss in the link comparison. I'll list them out here:

1. (Minor miss) In the regexp for the link search, the "frame" tag has not been included. I fixed that to make it work for sites in which this was a problem.

2. (Relative Link) In the identification of a relative link, it is assumed that the relative link is a complete path from the root. That is not always the case as I found out yesterday with XAMPP. Thedindex.php at / redirects to /xampp/ and from then on, the links are relative to the /xampp/ directory. But, since the "Host" address is concatenated with the link address and added to the list, these links are missed. (e.g. the link head.php gets added as hxxp://site/head.php instead of hxxp://site/xampp/head.php)

3. (Favicon problem) Again, while testing with XAMPP, I observed that the XAMPP favicon was never replaced. I dug into the packets and saw that the request for the favicon was being generated as hxxp://site/favicon.ico which was not in the secure domain. Rather, hxxp://site/xampp was. Due to this, the lock symbol never showed up.

That's all. It's a nice little piece of code by the way!

I've never programmed in python before so I couldn't fix the last two bugs. If someone comes up with a patch, I think it would be generally appreciated.

Cheers!

~~
Naumz