Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.72k
stars
1.94k
forks
source link
Phished URLs as parameters in redirects do not seem to be replaced by current logic #869
Hi, Kuba! I have a situation where to authenticate the user gets redirected to another site. One of the parameters is the return URL. So the redirect URL looks like https://x.com?return_url=https%3A%2F%2Fphishedurl.tld... I'd like it to be replaced with https://x.com?return_url=https%3A%2F%2Fphishingurl.tld. This doesn't seem to work. It looks like Location headers are not subject to substitution (other than hostnames). Is it correct? Thanks!
Hi, Kuba! I have a situation where to authenticate the user gets redirected to another site. One of the parameters is the return URL. So the redirect URL looks like https://x.com?return_url=https%3A%2F%2Fphishedurl.tld... I'd like it to be replaced with https://x.com?return_url=https%3A%2F%2Fphishingurl.tld. This doesn't seem to work. It looks like Location headers are not subject to substitution (other than hostnames). Is it correct? Thanks!