Server Pages With Jinja
The King Phisher server provides Jinja functions to create full HTML pages for common purposes. The full documentation for these functions can be found in the king_phisher.server.template_extras documentation. These functions can be used to quickly build a full HTML page by calling a single Jinja function.
The CSRF page generator will create an HTML page which will forward the parameters to the target URL. This is useful for simulating a login to a vulnerable application once a user has submitted their credentials to King Phisher. The page at the target URL must be vulnerable to CSRF type attacks. Once the user has been redirected to the target URL, they will no longer be interacting with the King Phisher server. This means additional login attempts will not be recorded should the first attempt have failed.
A common setup for this type of attack involves two user-crafted pages on the King Phisher server. The first page is a standard login page with the proper form fields for posting the username and password to the King Phisher server. The first page then submits the credentials to the second page on the King Phisher server (as is necessary for the credentials to be recorded) which uses the make_csrf_page Jinja function. This second page then performs any necessary parameter renaming, and then creates a CSRF form to the target page.
Following a successful attack, the victim will start on the King Phisher login page, enter their credentials, and then be redirected to the legitimate application after "logging in". Once at the legitimate page they will either be logged in if their credentials were correct or presented with the applicable error message as returned by the legitimate login page.
The following example will forward all of the request parameters to the target URL.
{{ make_csrf_page('https://test.king-phisher.local/vulnerable/login', request.parameters) }}
Additional Jinja directives can be used to modify the request parameters if necessary. For example, if the target login page requires that the username and password be passed in variables that are not logged by King Phisher (for example login_email and secretword), they can be set in the parameters using the Jinja do extension. In the following example, the target page requires that the username be passed in the login_email variable, so the do extension is used to copy the value from username to login_email. Using this, the King Phisher server will record the submitted username, and then copy the value to the login_email parameter so the target page will function.
{# copy "username" from this request to "login_email" for the next request #}
{% do
  request.parameters.update({
    'login_email': request.parameters['username']
  })
%}
{{ make_csrf_page('https://test.king-phisher.local/vulnerable/login', request.parameters) }}
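Seen from the target application, the forwarding described above only works when the login endpoint accepts a cross-site POST. The following is an added example, not King Phisher code, of a login handler check that rejects such a request using the Origin header and a token bound to a pre-login session; the origin, the pre_session cookie and the csrf_token field are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for this sketch; none of them come from King Phisher.
APP_ORIGIN = "https://app.example.test"
SECRET = secrets.token_bytes(32)


def issue_login_token(pre_session_id: str, secret: bytes = SECRET) -> str:
    """Token embedded in the login form, bound to the pre-login session cookie."""
    return hmac.new(secret, pre_session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce a URL (for example a Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_login_post(headers: dict, cookies: dict, form: dict,
                     secret: bytes = SECRET, app_origin: str = APP_ORIGIN):
    """Return (accepted, reason) for a POST to the login endpoint."""
    # 1. The browser-supplied Origin (Referer as fallback) must be our own site.
    source = headers.get("Origin") or origin_of(headers.get("Referer", ""))
    if source != app_origin:
        return False, "cross-origin login POST"
    # 2. The form must carry the token issued with the pre-login session cookie.
    session_id = cookies.get("pre_session", "")
    token = form.get("csrf_token", "")
    if not session_id or not token:
        return False, "missing CSRF token or pre-login session"
    expected = issue_login_token(session_id, secret)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sid = "s-1234"
    own_form = {"login_email": "alice", "secretword": "x",
                "csrf_token": issue_login_token(sid)}
    print(check_login_post({"Origin": APP_ORIGIN}, {"pre_session": sid}, own_form))
    # A form auto-submitted from another site carries only the credential fields.
    print(check_login_post({"Origin": "https://other.example.test"}, {},
                           {"login_email": "alice", "secretword": "x"}))
```

Logging the rejection reason gives the application owner a record of login POSTs that arrived from another origin.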
The following example can be used to create a page which will redirect the visitor using a meta refresh tag.
{{ make_redirect_page('https://www.google.com/', title='Loading Page...') }}
Videos from YouTube can be easily embedded in server content using the embed_youtube_video function. The function also takes the following optional parameters:
- autoplay (True) - Automatically start playing the video
- enable_js (False) - Enable the JavaScript API
- start (0) - The offset at which the video should begin playing
- end (None) - The offset at which the video should stop playing
By default the video will start playing automatically. The following is a working excerpt from the provided education template.
<p style="text-align: center;">
{{ embed_youtube_video('oHg5SJYRHA0') }}
</p>
<p style="text-align: center;">Do not become a victim of phishing!</p>
A popular practice is to require users to watch an entire video before they can accept the provided training. King Phisher can facilitate this functionality with the included youtube.js file under the data directory.
WARNING: There is no functionality to force a user to watch the entire video. YouTube cannot prevent users from fast-forwarding or changing the tab.
To configure a server page to require that a video be watched before the training can be accepted:
- The youtube.js file must be included using <script src="youtube.js"></script>
- The embed_youtube_video function must have enable_js=True
- The desired input HTML element must use the id "trained-input"
The following example illustrates a simple page which embeds a video which must be watched before the "I Agree" button can be pressed by the user.
<!DOCTYPE html>
<html>
<head>
<title>Phishing Awareness</title>
<script src="youtube.js"></script>
</head>
<body>
<div id="wrapper">
<p style="text-align: center;">
{{ embed_youtube_video('oHg5SJYRHA0', enable_js=True) }}
</p>
<p style="text-align: center;">Do not become a victim of phishing!</p>
<form action="./trained.html">
<p style="text-align: center;">
<em>Please click "I Agree" to complete this education.</em>
<input type="hidden" name="trained" value="true">
<input id="trained-input" type="submit" value="I Agree" />
</p>
</form>
</div>
</body>
</html>
SecureState has provided two prerecorded training videos for use in simple awareness exercises. These videos can be embedded into training pages as outlined above.
King Phisher server templates can be configured to require that the user authenticate to the page using basic authentication. In this case, the first time the user visits the page they will be prompted to enter their credentials by the browser and it will be considered the first visit. The contents of a page configured this way will not be displayed until the user has entered both a username and a password; neither can be omitted or left blank. Once the user has entered their credentials they will be logged in the King Phisher database.
In order for a server page to request basic authentication, it must use Jinja to set the variable require_basic_auth to True. Additionally, an optional realm can be specified by defining basic_auth_realm in the template.
The following example requires basic authentication.
{% set require_basic_auth = True %}
{% set basic_auth_realm = 'Please Authenticate' %}
<html>
<body>
Thanks for authenticating!
</body>
</html>