Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
Support multiple credential sets on different login pages #953
Some websites also allow you to optionally log in with Gmail. This means that users may be entering application-specific credentials into the primary login page, or entering Gmail credentials into a proxied Google OAuth page. However, Evilginx2 currently only supports identifying a single login page and a single set of credentials.
Currently, the only workaround I have found is to define two separate phishlets, having a dedicated Google phishlet operate for stealing the Google credentials. However, this creates a separate session and is not easily associated with the initial lure. While that's not really a problem if you're just trying to phish credentials, associating the act with the initial lure is important in a "white-hat" setting.