Allow secure cookies (#279)

* go fmt

* Allow Secure Cookies

* gitignore

* Merging changes from arch4ngel/static-locations

* Dev/hacks (#2)

* Trying out some things to fix using a target domain that isn't a TLD+1

* Adding meta refresh to control panel page

* Added Timestamp for victims

* Hopefully fixed the html template

* More fixes

* One timestamp to rule them all....

* Fixed the htmltemplate for the control panel

* Always set "Access-Control-Allow-Origin" to the original origin

* Created a volume in the Dockerfile

* Indent the JSON cookies for the control panel

* Dev/control delete victim (#3)

* Added a delete button to the control panel UI

* Allow an empty user_id when deleting a victim

* Removed vendor directory

* fix cert serial

* Put cookies in a pre tag

* dont decode body before matching passwords... some people may have & in their password...

* sometimes we dont want to force everything to be proxied...

* fix regex

* go back to old password logic, if it happens again we can fix it in the matcher regexp (hopefully)

* added .microsoft file extension to regex variables in runtime/const.go so O365 websites can be rewritten

* Added a download data button that, when clicked, will go through the list of users and ONLY download the information of people who entered in a username or password. The items that get downloaded are the UUID, the username, and the Termination Status. The purpose of this functionality is to retrieve this data and combine it with data from GoPhish to create a nice word document to help track phished users and their actions. This can be done for the client or for our own records.

* Update const.go

removed 'ge' from regex

* add dist directory to .gitignore

* Track the user agent string and display with the cookies.

* patch cookie values with rules

* Redirect to the termination URL sooner.

* Option to disable the use of dynamic subdomains.

* Option to change which domain a request goes to based on the URL path. Useful in combination with disableDynamicSubdomains.

* fix failing test

* fix format string

* run tests on push

---------

Co-authored-by: Josh Roberts <joshua.roberts@stage2sec.com>
Co-authored-by: Josh <80706317+JoshRobertsS2@users.noreply.github.com>
Co-authored-by: dfktvS2 <64235915+dfktvS2@users.noreply.github.com>
Co-authored-by: peter cipolone <peter.cipolone@uvcyber.com>
Co-authored-by: ROBot_UV <81599676+UV-ROBot@users.noreply.github.com>
Co-authored-by: Paul Whiting <PaulWhitingS2@users.noreply.github.com>

Author: 6 people

.github/workflows/reviewdog.yml

@@ -0,0 +1,40 @@
+name: reviewdog
+on:
+  pull_request_target:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+jobs:
+  reviewdog:
+    name: reviewdog
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version: '1.23'
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@ad258d848807ac956c978b391895800cb4237c1a # v3.88.24
+        with:
+          extra_args: --results=verified,unknown
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Test
+        run: go test -v ./...
+
+      - uses: reviewdog/action-staticcheck@73cfd0daa6fdbba9a858dcb0f62844012fa8317d # v1.27.0
+        with:
+          fail_on_error: true
+      - uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1.3.2
+      - name: Run reviewdog
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          reviewdog -reporter=github-pr-review -runners=gofmt

.gitignore

@@ -0,0 +1,4 @@
+control_plugin_data.db
+Modlishka
+test-config.json
+dist/

.reviewdog.yml

@@ -0,0 +1,7 @@
+runner:
+  govet:
+    cmd: go vet ./...
+    format: govet
+  gofmt:
+    cmd: test -z $(gofmt -l  .) || (gofmt -s -d  . && exit 1)
+    format: diff

config/config.go

@@ -18,33 +18,39 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"flag"
-	"github.com/drk1wi/Modlishka/log"
 	"io"
 	"os"
+
+	"github.com/drk1wi/Modlishka/log"
 )
 
 type Options struct {
-	ProxyDomain          *string `json:"proxyDomain"`
-	ListeningAddress     *string `json:"listeningAddress"`
-	ListeningPortHTTP    *int    `json:"listeningPortHTTP"`
-	ListeningPortHTTPS   *int    `json:"listeningPortHTTPS"`
-	ProxyAddress     	 *string `json:"proxyAddress"`
-	Target               *string `json:"target"`
-	TargetRes            *string `json:"targetResources"`
-	TargetRules          *string `json:"rules"`
-	JsRules              *string `json:"jsRules"`
-	TerminateTriggers    *string `json:"terminateTriggers"`
-	TerminateRedirectUrl *string `json:"terminateRedirectUrl"`
-	TrackingCookie       *string `json:"trackingCookie"`
-	TrackingParam        *string `json:"trackingParam"`
-	Debug                *bool   `json:"debug"`
-	ForceHTTPS           *bool   `json:"forceHTTPS"`
-	ForceHTTP            *bool   `json:"forceHTTP"`
-	LogPostOnly          *bool   `json:"logPostOnly"`
-	DisableSecurity      *bool   `json:"disableSecurity"`
-	DynamicMode          *bool   `json:"dynamicMode"`
-	LogRequestFile       *string `json:"log"`
-	Plugins              *string `json:"plugins"`
+	ProxyDomain            *string `json:"proxyDomain"`
+	ListeningAddress       *string `json:"listeningAddress"`
+	ListeningPortHTTP      *int    `json:"listeningPortHTTP"`
+	ListeningPortHTTPS     *int    `json:"listeningPortHTTPS"`
+	ProxyAddress           *string `json:"proxyAddress"`
+	StaticLocations        *string `json:"staticLocations"`
+	Target                 *string `json:"target"`
+	TargetRes              *string `json:"targetResources"`
+	TargetRules            *string `json:"rules"`
+	JsRules                *string `json:"jsRules"`
+	TerminateTriggers      *string `json:"terminateTriggers"`
+	TerminateRedirectUrl   *string `json:"terminateRedirectUrl"`
+	TrackingCookie         *string `json:"trackingCookie"`
+	TrackingParam          *string `json:"trackingParam"`
+	Debug                  *bool   `json:"debug"`
+	ForceHTTPS             *bool   `json:"forceHTTPS"`
+	ForceHTTP              *bool   `json:"forceHTTP"`
+	LogPostOnly            *bool   `json:"logPostOnly"`
+	DisableSecurity        *bool   `json:"disableSecurity"`
+	DynamicMode            *bool   `json:"dynamicMode"`
+	LogRequestFile         *string `json:"log"`
+	Plugins                *string `json:"plugins"`
+	AllowSecureCookies     *bool   `json:"allowSecureCookies"`
+	IgnoreTranslateDomains *string `json:"ignoreTranslateDomains"`
+	DisableDynamicSubdomains *bool `json:"disableDynamicSubdomains"`
+	PathHostRules          *string `json:"pathHostRules"`
 	*TLSConfig
 }
 
@@ -56,38 +62,44 @@ type TLSConfig struct {
 
 var (
 	C = Options{
-		ProxyDomain:      flag.String("proxyDomain", "", "Proxy domain name that will be used - e.g.: proxy.tld"),
-		ListeningAddress: flag.String("listeningAddress", "127.0.0.1", "Listening address - e.g.: 0.0.0.0 "),
-		ListeningPortHTTP: flag.Int("listeningPortHTTP", 80, "Listening port for HTTP requests"),
+		ProxyDomain:        flag.String("proxyDomain", "", "Proxy domain name that will be used - e.g.: proxy.tld"),
+		ListeningAddress:   flag.String("listeningAddress", "127.0.0.1", "Listening address - e.g.: 0.0.0.0 "),
+		ListeningPortHTTP:  flag.Int("listeningPortHTTP", 80, "Listening port for HTTP requests"),
 		ListeningPortHTTPS: flag.Int("listeningPortHTTPS", 443, "Listening port for HTTPS requests"),
-		Target:           flag.String("target", "", "Target  domain name  - e.g.: target.tld"),
+		Target:             flag.String("target", "", "Target  domain name  - e.g.: target.tld"),
 		TargetRes: flag.String("targetRes", "",
 			"Comma separated list of domains that were not translated automatically. Use this to force domain translation - e.g.: static.target.tld"),
 		TerminateTriggers: flag.String("terminateTriggers", "",
 			"Session termination: Comma separated list of URLs from target's origin which will trigger session termination"),
 		TerminateRedirectUrl: flag.String("terminateUrl", "",
 			"URL to which a client will be redirected after Session Termination rules trigger"),
 		TargetRules: flag.String("rules", "",
-			"Comma separated list of 'string' patterns and their replacements - e.g.: base64(new):base64(old),"+
-				"base64(newer):base64(older)"),
+			"Comma separated list of 'string' patterns and their replacements - e.g.: base64(old):base64(new),base64(older):base64(newer)"),
 		JsRules: flag.String("jsRules", "", "Comma separated list of URL patterns and JS base64 encoded payloads that will be injected - e.g.: target.tld:base64(alert(1)),..,etc"),
 
-		ProxyAddress: flag.String("proxyAddress", "", "Proxy that should be used (socks/https/http) - e.g.: http://127.0.0.1:8080 "),
+		ProxyAddress:    flag.String("proxyAddress", "", "Proxy that should be used (socks/https/http) - e.g.: http://127.0.0.1:8080 "),
+		StaticLocations: flag.String("staticLocations", "", "FQDNs in location headers that should be preserved."),
 
-		TrackingCookie: flag.String("trackingCookie", "id", "Name of the HTTP cookie used for track the client"),
-		TrackingParam:  flag.String("trackingParam", "id", "Name of the HTTP parameter used to set up the HTTP cookie tracking of the client"),
+		TrackingCookie:  flag.String("trackingCookie", "id", "Name of the HTTP cookie used for track the client"),
+		TrackingParam:   flag.String("trackingParam", "id", "Name of the HTTP parameter used to set up the HTTP cookie tracking of the client"),
 		Debug:           flag.Bool("debug", false, "Print extra debug information"),
 		DisableSecurity: flag.Bool("disableSecurity", false, "Disable proxy security features like anti-SSRF. 'Here be dragons' - disable at your own risk."),
-		DynamicMode: flag.Bool("dynamicMode", false, "Enable dynamic mode for 'Client Domain Hooking'"),
+		DynamicMode:     flag.Bool("dynamicMode", false, "Enable dynamic mode for 'Client Domain Hooking'"),
 
-		ForceHTTP:           flag.Bool("forceHTTP", false, "Strip all TLS from the traffic and proxy through HTTP only"),
-		ForceHTTPS:           flag.Bool("forceHTTPS", false, "Strip all clear-text from the traffic and proxy through HTTPS only"),
+		ForceHTTP:  flag.Bool("forceHTTP", false, "Strip all TLS from the traffic and proxy through HTTP only"),
+		ForceHTTPS: flag.Bool("forceHTTPS", false, "Strip all clear-text from the traffic and proxy through HTTPS only"),
 
 		LogRequestFile: flag.String("log", "", "Local file to which fetched requests will be written (appended)"),
 
 		LogPostOnly: flag.Bool("postOnly", false, "Log only HTTP POST requests"),
 
-		Plugins: flag.String("plugins", "all", "Comma separated list of enabled plugin names"),
+		Plugins:                flag.String("plugins", "all", "Comma separated list of enabled plugin names"),
+		AllowSecureCookies:     flag.Bool("allowSecureCookies", false, "Allow secure cookies to be set. Useful for when you are using HTTPS and cookies have SameSite=None"),
+		IgnoreTranslateDomains: flag.String("ignoreTranslateDomains", "", "Comma separated list of domains to never translate and proxy"),
+
+		DisableDynamicSubdomains: flag.Bool("disableDynamicSubdomains", false, "Translate URL domain names to be the proxy domain"),
+		PathHostRules:            flag.String("pathHostRules", "",
+			"Comma separated list of URL path patterns and the target domains to send the requests to - e.g.: /path/:example.com,/path2:www.example.com"),
 	}
 
 	s = TLSConfig{
@@ -141,7 +153,6 @@ func ParseConfiguration() Options {
 
 	}
 
-
 	return C
 }
 
@@ -177,24 +188,21 @@ func (c *Options) VerifyConfiguration() {
 			flag.PrintDefaults()
 			os.Exit(1)
 		}
-	} else { 	// default + HTTPS wrapper
-
-			if len(*c.ProxyDomain) == 0 || len(*c.ProxyDomain) == 0 {
-				log.Warningf("Missing required parameters in oder start the proxy. Terminating.")
-				log.Warningf("TIP: You will need to specify at least the following parameters to serve the page over HTTP: proxyDomain and target.")
-				flag.PrintDefaults()
-				os.Exit(1)
-			}
+	} else { // default + HTTPS wrapper
 
+		if len(*c.ProxyDomain) == 0 || len(*c.ProxyDomain) == 0 {
+			log.Warningf("Missing required parameters in oder start the proxy. Terminating.")
+			log.Warningf("TIP: You will need to specify at least the following parameters to serve the page over HTTP: proxyDomain and target.")
+			flag.PrintDefaults()
+			os.Exit(1)
+		}
 
 	}
 
-
 	if *c.DynamicMode == true {
 		log.Warningf("Dynamic Mode enabled: Proxy will accept and hook all incoming HTTP requests.")
 	}
 
-
 	if *c.ForceHTTP == true {
 		log.Warningf("Force HTTP wrapper enabled: Proxy will strip all TLS traffic and handle requests over HTTP only")
 	}

core/helper.go

@@ -67,4 +67,4 @@ func Redirect(w http.ResponseWriter, r *http.Request, url string) {
 	} else {
 		http.Redirect(w, r, "http://"+runtime.TopLevelDomain, 302)
 	}
-}
+}