Ability to create lure that matches all path `/*`

kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

BSD 3-Clause "New" or "Revised" License

10.23k stars 1.87k forks source link

Ability to create lure that matches all path `/*` #1001

Open StackOverflowExcept1on opened 5 months ago

StackOverflowExcept1on commented 5 months ago

What if I want to proxy the entire site? In the current implementation, I would have to create a bunch of lures with all possible routes.

bigherocenter commented 5 months ago

tell more detail about your needs.

StackOverflowExcept1on commented 5 months ago

@bigherocenter for example I have a lure on the route / and the user enters on the route /oauth2.0/foo/bar?param=1. The user's request will be blocked in this case. I manually removed the code that blocks this in my fork and made the default route / for everything: 8287303d61637150012a2ac02c6223f3435f8eb5.

kpomeroy1979 commented 4 months ago

I am having the same issue I think. I use GoPhish to send the emails and it adds a /?rid=XXXXXXX to the end of each phishing URL. So when a client clicks the link, Evilginx thinks its 'unauthorized' and blocks access because its not the actual Lure URL (the lure URL does not include the ?rid=XXXXXX stuff added by GoPhish)