
Comments (15)

drk1wi commented on August 20, 2024

It's replacing the target domain with the phishing domain, because it's actually what makes it work against most of the websites. It's a bit more than just a standard RP ;-) ... There are also a few other tricks inside the code.

Why are you setting these (usually they are not required to handle that type of FQDNs)? Try removing them and run the tool:

"targetResources": "abc.mytargetcdn.com",
"targetRules": "YWJjLm15dGFyZ2V0Y2RuLmNvbQ==:YWJjLm15cGlzaGRvbS5jb20=:",

from modlishka.

DavidGrahambell commented on August 20, 2024

I need to replace the Referer header on requests because I do a Referer check on the CDN site for each request :) If I try removing the above two configs, I get a 403 response code due to the Referer control.

from modlishka.

drk1wi commented on August 20, 2024

Hm, Referer header should be also automatically handled and sent as the target domain.
Basically I am stripping all possible information from the headers that could indicate that the traffic is proxied - works like a charm for red teaming :D

The -rules parameter currently only replaces content in the HTTP response body.
If you want to modify the requests, you can do this through a plugin. There's a template inside the plugins/ dir. Just define your function and enable it in your config:

//process HTTP request
s.HTTPRequest = func(req *http.Request, context HTTPContext) {}

from modlishka.

DavidGrahambell commented on August 20, 2024

This is the log of the CDN web server that shows the Referer header is still the same and not replaced with the target domain. The Referer info should be the same as the target domain info in this scenario to pass the Referer control on the CDN side.

x.x.x.x - - [16/Jan/2019:15:11:18 +0100] "GET /xxx/app/xx.js?v=fdfdf28 HTTP/1.1" 403 192 "https://mypishdom.com/" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "x.x.x.x"

from modlishka.

drk1wi commented on August 20, 2024

It seems like a bug.
In the debug log, do you have any entry like this:
"Patching request Referer [%s] -> [%s]"?

from modlishka.

DavidGrahambell commented on August 20, 2024

I see. No output is displayed when debug mode is on.

./dist/proxy -config myconf.json -debug
..
.
Listening on: [x.x.x.x:443]
Proxying [mypishdom.com":443] via --> [https://mytargetdom.com]

from modlishka.

drk1wi commented on August 20, 2024

You have to enable it in the JSON config.

from modlishka.

DavidGrahambell commented on August 20, 2024

Attached log
subdom.txt

from modlishka.

drk1wi commented on August 20, 2024

[Wed Jan 16 15:00:45 2019] DBG Patching request Referer [https://mytargetdom.com/] -> [https://mytargetdom.com/]

All of the Referer headers seem to be set properly.
Do you have an HTTP redirect when you access the page?

from modlishka.

DavidGrahambell commented on August 20, 2024

There is no redirection configured on the CDN or the target domain side, and there are some CSS files that are not displayed in the debug logs either.
The only file logged in debug, "type[application/javascript]", is also downloaded from the target domain, not from the CDN. I think files (in the CDN location) that are returned 403 are not logged.

from modlishka.

drk1wi commented on August 20, 2024

Weird. I would need more info to understand the exact cause of this. If possible, please PM your config and I will see what's going on.

from modlishka.

DavidGrahambell commented on August 20, 2024

Sure I will.
Thanks

from modlishka.

DavidGrahambell commented on August 20, 2024

By the way, I could not see your email on your profile :)

from modlishka.

DavidGrahambell commented on August 20, 2024

What I've realized is that issues are closed without being solved here.

from modlishka.

drk1wi commented on August 20, 2024

Please PM on Twitter or paste your full config here. Currently there's no bug in the tool based on what you have sent...

from modlishka.
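
Added example, not part of the thread and not Modlishka code: a defender-side pass over CDN access logs in the layout quoted above, counting requests whose Referer host is not one of the site's own origins, which is how the 403 line in this thread exposes the proxy's hostname. The allowlist and the sample lines are constructed from the thread's placeholder names. Because the debug line quoted in the thread shows the Referer being rewritten to the target domain, an empty result does not rule out a proxy.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the site's own origins, using the placeholder names from the thread.
ALLOWED_HOSTS = {"mytargetdom.com", "mytargetcdn.com"}

# Layout of the quoted log line: ip - - [time] "request" status bytes "referer" ...
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def referer_host(referer):
    """Lowercased host of a Referer value, or None if absent or unparsable."""
    if referer in ("", "-"):
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def is_allowed(host):
    # Exact host or true subdomain; a substring test would accept
    # 'mytargetdom.com.example.net'.
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def foreign_referers(lines):
    """Count requests per (Referer host, status) for hosts that are not ours."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        host = referer_host(m.group("referer")) if m else None
        if host and not is_allowed(host):
            hits[(host, m.group("status"))] += 1
    return hits

# Constructed sample lines (documentation IPs, placeholder hosts).
_L = '{ip} - - [16/Jan/2019:15:11:18 +0100] "GET {p} HTTP/1.1" {s} 192 "{r}" "-" "Mozilla/5.0" "{ip}"'
SAMPLE = [_L.format(ip=i, p=p, s=s, r=r) for i, p, s, r in [
    ("203.0.113.7", "/app/a.js", 403, "https://mypishdom.com/"),
    ("203.0.113.7", "/app/b.css", 403, "https://mypishdom.com/"),
    ("198.51.100.4", "/app/a.js", 200, "https://mytargetdom.com/login"),
    ("198.51.100.9", "/app/a.js", 403, "https://mytargetdom.com.example.net/"),
    ("198.51.100.4", "/app/b.css", 200, "-"),
]]

if __name__ == "__main__":
    for (host, status), n in foreign_referers(SAMPLE).most_common():
        print(f"{n:4d}  {status}  {host}")
```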
