[PR #1155] fixed: handle all optional cookies for given domain #177

Open
opened 2026-02-26 02:31:30 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/kgretzky/evilginx2/pull/1155
Author: @callightmn
Created: 1/13/2025
Status: 🔄 Open

Base: master ← Head: fix/opt_tokens


📝 Commits (1)

  • d2bb9c7 fixed: support optional cookie even if single one for domain

📊 Changes

1 file changed (+3 additions, -1 deletions)

View changed files

📝 core/session.go (+3 -1)

📄 Description

This quick fix makes it possible, in the absence of an authorization URL, to mark all cookie tokens as optional for a given domain while having other mandatory tokens, that is http or body tokens, or even non-optional cookie tokens for another domain.

Code analysis:

In the edge case where all cookie tokens are optional and no authorization URL is provided, Evilginx will indeed never consider the session as finished, since AllCookieAuthTokensCaptured will always return false. This is because the tcopy array will contain from the start (first for) an empty array which will never be deleted (second for). In the absence of an authorization URL, Evilginx currently stores sessions in the database only if this function returns true at some point, which means that in this case sessions will not be displayed even though all mandatory tokens have been captured.

Example:

auth_tokens:
  - domain: 'akira.lab.evilginx.com'
    keys: ['token:opt']
    type: 'cookie'
  - domain: 'akira.lab.evilginx.com'
    path: '/me'
    name: 'name'
    search: '"name":"(.*)",'
    type: 'body'

Without the fix:
image

With the fix:
image

NB: In this case, the optional cookie is delivered before the (mandatory) body token, which is why we see it displayed in the session information. If it had been delivered after the body token, it wouldn't have been displayed at all:

auth_tokens:
  - domain: 'akira.lab.evilginx.com'
    keys: ['token:opt']
    type: 'cookie'
  - domain: 'akira.lab.evilginx.com'
    path: '/login'
    name: 'ticket'
    search: '"ticket":"([^"]*)"'
    type: 'body'

image

In this last case, the only way to capture the optional cookie is to use an authorization URL.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
