Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.22k
stars
1.87k
forks
source link
Fix for force_post to allow interception without evilginx session #1069
This is a fix for an issue where EvilGinx will not do force_post replacement for requests to a phished domain if cookies (in particular the EvilGinx session cookie) are not included with the request. This is breaking proper interception of authentication flows where for example part of the process has a request made using JavaScript without adding cookies.
Have fixed by moving the existing force_post code into its own if branch that does not check for a evilginx session and adding a requirement for the request method to be "POST" - figured that since force_post has its own fairly specific conditions for matching requests that the session requirement can be overlooked
This is a fix for an issue where EvilGinx will not do force_post replacement for requests to a phished domain if cookies (in particular the EvilGinx session cookie) are not included with the request. This is breaking proper interception of authentication flows where for example part of the process has a request made using JavaScript without adding cookies.
An example affected issue is here:
https://github.com/kgretzky/evilginx2/issues/1031
Have fixed by moving the existing force_post code into its own if branch that does not check for a evilginx session and adding a requirement for the request method to be "POST" - figured that since force_post has its own fairly specific conditions for matching requests that the session requirement can be overlooked