{
	"id": "c88fc3b3-9d3e-4af9-935a-0fa730cce050",
	"created_at": "2026-04-29T02:21:22.207945Z",
	"updated_at": "2026-04-29T08:21:35.881582Z",
	"deleted_at": null,
	"sha1_hash": "db1e499a91987ab4ffe26d98df88d0b4e7dae57c",
	"title": "Evilginx 3.0 + Evilginx Mastery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416717,
	"plain_text": "Evilginx 3.0 + Evilginx Mastery\r\nBy Kuba Gretzky\r\nPublished: 2023-05-10 · Archived: 2026-04-29 02:05:36 UTC\r\nThis post has been long coming and I'm glad to finally be able to make it happen!\r\nToday I'm finally releasing Evilginx 3.0, together with Evilginx Mastery online course, into which I've poured\r\neverything I know about Evilginx and how to use it in the most effective manner.\r\nEvilginx hasn't seen any updates for nearly two and a half years. That's why it was a great surprise to me to hear,\r\nthat even though I haven't released any updates, a lot of red teamers still use this tool for phishing simulations with\r\nmany successes. I've been amazed to come across some great posts about Evilginx, like the ones by Jan Bakker,\r\nJeffrey Appel or Pepe Berba.\r\nTalking to people in the industry motivated me to give Evilginx a quality of life refresher, in order to build\r\nstronger foundations for future updates. It's been nearly 6 years, since I've released the first version of Evilginx,\r\nwhich was nothing more than a LUA script for custom version of nginx. Back then I couldn't have foreseen such\r\ngreat reception, the tool would receive, over the years.\r\nIt's a fact, that a lot of people have been struggling to figure out how to properly use Evilginx or create their own\r\nphishlets. Lack of official documentation to guides didn't help and you could only get so far, analyzing public\r\nphishlets and trying to figure out how they work through trial \u0026 error.\r\nAdditionally, to my surprise, during recent years, not many websites have attempted to develop their own\r\ndetections for reverse proxy phishing. I need to actually hand it to Google and Microsoft as they seem to have\r\nbeen one of the few companies doing anything to protect their users against reverse proxy phishing.\r\nAll this will hopefully change today. 
Here is, in detail, what I've been working on, for the past year, and what I'm\r\ntoday releasing to the public:\r\nEvilginx Mastery Course\r\nPublic version of Evilginx will always remain open-source and free to use. You can use the tool as you see fit. To\r\nfund further development, I decided to publish a paid online course, with which I could demonstrate my whole\r\nknowledge about Evilginx and share hands-on step by step video footage showing how I personally use Evilginx,\r\nmyself.\r\nBig thanks to SEKTOR7 and Rasta Mouse for encouragement to make an attempt in creating an Evilginx course.\r\nThe course is also prepared with defenders in mind. Seeing how little websites do to protect from reverse proxy\r\nphishing, nowadays, I've included tips on what defenders can do to make reverse proxy phishing attacks extremely\r\nhard or nearly impossible to pull off.\r\nhttps://breakdev.org/evilginx-3-0-evilginx-mastery/\r\nPage 1 of 6\n\nIf you decide to purchase the course, thank you in advance and keep in mind that it helps me greatly to continue\r\nworking on Evilginx and will definitely be a great contribution to my levels of motivation.\r\nIf you plan to purchase access to the course for multiple employees in your company, please contact me directly at\r\nkuba@breakdev.org and we can work out a discount.\r\nYou can buy the course online and watch the lessons, at your own pace, whenever you want: Evilginx Mastery -\r\nReverse Proxy MFA Phishing Guide For Red Teams\r\nTo know more about the course, take a look at my attempt to make a promotional video for the course. And yes I\r\nknow how to blink :D\r\nEvilginx 3.0\r\nThis version is not delivering flashy big features, but rather it serves as a quality-of-life update. 
I've fixed\r\nnumerous issues, which have been lingering in Evilginx for a long time and updated some mechanics to make the\r\ntool work better than before.\r\nGitHub: https://github.com/kgretzky/evilginx2\r\nHere are some highlights of what has changed:\r\nImproved TLS certificate management\r\nI've ditched the old GO library for managing LetsEncrypt certificates and switched to well-maintained certmagic\r\nlibrary. This change now allows to perform automated retrieval of TLS certificates, from LetsEncrypt, more\r\nefficiently and most importantly, Evilginx will now automatically renew expiring certificates, so you won't have to\r\never worry about your phishing campaigns expiring without warning.\r\nSession tokens can now be extracted from response body or HTTP Headers\r\nEver since Evilginx was released, I've only considered a single scenario where session tokens are to be transmitted\r\nas HTTP cookies. Over the years, I've learned this approach was wrong, as now it is becoming more and more\r\ncommon for session tokens to be retrieved in JSON packets and later stored as LocalStorage values. This is now\r\nespecially common practice with web applications relying heavily on JavaScript functionality like messenger\r\napplications.\r\nIt is now possible to look for session tokens in HTTP response packets body or in contents of HTTP headers like\r\nthe Authorization header.\r\nI've covered how to handle such scenario in one of the training labs from Evilginx Mastery course.\r\nExample phishlets no longer available in main repository\r\nMy main goal has always been to deliver a reverse proxy phishing framework for red teamers. The provided\r\nexample phishlets were always meant to serve as a learning material to learn how to make your own phishlets.\r\nKeeping them updated, was honestly an impossible feat. 
This is why I've made a decision to cease support for\r\nexample phishlets in the main Evilginx repository.\r\nPhishlets get outdated and stop working relatively fast and I always wanted to focus on developing the framework,\r\nrather than keeping the example phishlets constantly up-to-date. I encourage everyone to set up their own\r\nrepositories with phishlets they want to share with the community. My priority now is to put effort into teaching\r\npeople how to create their own phishlets.\r\nOnce I find several contributors, who may want to work on several phishlets for fun, I may set up a new repository\r\njust for aggregating several working and tested phishlets, made by others, and later have it integrated somehow\r\nwith Evilginx installations.\r\nPhishing pages can now be embedded within iframes\r\nFew months ago, the legendary mr.d0x, released amazing research on BITB (browser-in-the-browser) phishing,\r\nwhere you could create a fake popup window, with JavaScript, showing a spoofed URL in fake address bar. I liked\r\nthe idea so much that I really wanted to see it working with Evilginx.\r\nDisplaying phishing pages in iframes turned out to not be supported, by default. Now you can fully enjoy\r\ndisplaying your phishing page within iframes. Just make sure to fully rewrite the default BITB templates as they\r\nhave been heavily flagged by Google as malicious content.\r\nAlso make sure to check out mr.d0x courses on Malware Development!\r\nConfiguration format changed to JSON\r\nEvilginx configuration file was stored originally in YAML format. JSON, overall, is a much better option, with its\r\nsyntax being easier to use than YAML, but maybe a bit harder to read. 
Nevertheless, with config file in JSON\r\nformat, it will be easier to write custom deployment scripts, handling dynamic generation of configuration files.\r\nPhishlets will remain in YAML format.\r\nPhishing sessions are now created always when valid lure URL is opened\r\nEvilginx would whitelist IP addresses of every target, making requests to valid lure URLs. This is required to later\r\nallow the proxying of requests, which cannot contain Evilginx session cookies, due to web browsers not allowing\r\nsome requests to transmit cookies.\r\nThe bug in Evilginx would prevent creation of new reverse proxy sessions for valid lure URLs coming from IP\r\naddresses, which have already been whitelisted.\r\nIn 3.0 update, every time a target opens a valid lure URL, they will be assigned a new reverse proxy session. This\r\nfix will also make it possible to properly track the clicks to your lure URLs.\r\nChild phishlets derived from phishlet templates\r\nOne of the problematic issues Evilginx users have encountered was targeting websites, which were hosted under\r\ncustomized hostnames.\r\nSay you wanted to target a specific company's Okta portal, hosted on evilcorp.okta.com domain. To target\r\ncustom domains, you'd have to manually edit the phishlet file and put the hardcoded evilcorp.okta.com into it.\r\nWith the phishlet templates feature, instead of having to modify a phishlet file manually, every time you'd need to\r\ntarget a different hostname, now you can create a phishlet template for Okta, setting up a placeholder for custom\r\nvariables in your phishlet file e.g. {subdomain}.okta.com .\r\nHaving such template, whenever you'd need to target a specific hostname, you could just create a child phishlet as\r\na derivative from your phishlet template and specify subdomain=evilcorp , as an example. 
Such created child\r\nphishlet can be then used as a normal phishlet with its own personalized setup.\r\nYou can learn how to create and use phishlet templates in my Evilginx Mastery course, as well.\r\nURL redirection with JavaScript\r\nOriginally when all session tokens have been successfully captured, Evilginx would redirect the user to\r\npreconfigured redirect_url URL through HTTP Location header. I found this solution to not be ideal, since\r\nthis approach exposed the phishing URL to destination website, through Referer header, when redirection took\r\nplace.\r\nSince 3.0, the redirection will happen via JavaScript injected into text/html content of the next web page,\r\nloaded after all session tokens have been captured. This approach will avoid populating the Referer header with\r\nyour phishing URL. There is still one issue with redirecting the user if the website does not load any new pages\r\nafter successful sign-in. This I will try to tackle in future updates.\r\nLicense changed from GPL to BSD-3\r\nIn short - GPL requires to redistribute the tool with full source code. 
BSD-3 is more permissive, allowing to\r\nredistribute the tool without it.\r\nChangelog\r\nThe full changelog for Evilginx 3.0 is as follows:\r\nFeature: TLS certificates from LetsEncrypt will now get automatically renewed.\r\nFeature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by certmagic\r\nlibrary.\r\nFeature: Authentication tokens can now be captured not only from cookies, but also from response body\r\nand HTTP headers.\r\nFeature: Phishing pages can now be embedded inside of iframes.\r\nFeature: Changed redirection after successful session capture from Location header redirection to\r\ninjected Javascript redirection.\r\nFeature: Changed config file from config.yaml to config.json , permanently changing the\r\nconfiguration format to JSON.\r\nFeature: Changed open-source license from GPL to BSD-3.\r\nFeature: Added always modifier for capturing authentication cookies, forcing to capture a cookie even if\r\nit has no expiration time.\r\nFeature: Added phishlet \u003cphishlet\u003e command to show details of a specific phishlet.\r\nFeature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. 
Parameters can be defined anywhere in the phishlet file as\r\n{param_name} and every occurrence will be replaced with pre-configured parameter values of the created\r\nchild phishlet.\r\nFeature: Added phishlet create command to create child phishlets from template phishlets.\r\nFeature: Renamed lure templates to lure redirectors due to name conflict with phishlet templates.\r\nFeature: Added {orig_hostname} and {orig_domain} support for sub_filters phishlet setting.\r\nFeature: Added {basedomain} and {basedomain_regexp} support for sub_filters phishlet setting.\r\nFixed: One target can now have multiple phishing sessions active for several different phishlets.\r\nFixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing opt cookies,\r\nwhen all authentication cookies are already captured.\r\nFixed: trigger_paths regexp will now match a full string instead of triggering true when just part of it is\r\ndetected in URL path.\r\nFixed: Phishlet table rows are now sorted alphabetically.\r\nFixed: Improved phishing session management to always create a new session when lure URL is hit if\r\nsession cookie is not present, even when IP whitelist is set.\r\nFixed: WebSocket connections are now properly proxied.\r\nEvilginx Online Documentation\r\nAs Evilginx kept growing it became harder and harder to keep up with all the features. GitHub Wiki kind of\r\nworked to, at least, provide documentation for the latest phishlet format, but I've never been fully satisfied with it.\r\nI've always wanted the documentation to be easily accessible, well structured, easy to navigate and to have a\r\nquality look \u0026 feel. 
I can happily say, I may've found the perfect solution with Docusaurus.\r\nEvilginx most up-to-date documentation, since today, will always be accessible through one official URL:\r\nhttps://help.evilginx.com\r\nCheck it out!\r\nI honestly think, now with Evilginx having proper documentation, it will become much easier for everyone to use.\r\nI strongly hope you make good use of it! I'm often using it myself when I forget how the tool I made is supposed\r\nto work :P\r\nClosing thoughts\r\nThe last 6 years have been a wild ride and I can't thank everyone enough for giving Evilginx a shot. I've never\r\nexpected a tool, based on a simple idea, would eventually become a tool people use at work, to simulate phishing\r\nattacks. Mention of Evilginx even made it to TechCrunch, at one point.\r\nI really hope Evilginx will continue to serve its purpose in aiding you during your phishing engagements. Thank\r\nyou, again, and if you decide to give Evilginx Mastery course a try, accept my eternal gratitude!\r\nTo end with a cliffhanger, I will say that Evilginx story is not over and there may be Evilginx Pro in the works,\r\nwith some special features I decided to keep private for now. The pro version will most likely be licensed only to\r\ncybersecurity companies. Some of you may find mentions about private features in the official online\r\ndocumentation.\r\nFor updates follow me on Twitter @mrgretzky and Mastodon @mrgretzky@infosec.exchange.\r\nIf you have any inquiries about company discounts or if you require any custom functionality in Evilginx, you can\r\nalways contact me directly at: kuba@breakdev.org.\r\nAs always - enjoy and stay tuned!\r\nEvilginx Mastery - Available NOW\r\nSource: https://breakdev.org/evilginx-3-0-evilginx-mastery/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://breakdev.org/evilginx-3-0-evilginx-mastery/"
	],
	"report_names": [
		"evilginx-3-0-evilginx-mastery"
	],
	"threat_actors": [],
	"ts_created_at": 1777429282,
	"ts_updated_at": 1777450895,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db1e499a91987ab4ffe26d98df88d0b4e7dae57c.pdf",
		"text": "https://archive.orkl.eu/db1e499a91987ab4ffe26d98df88d0b4e7dae57c.txt",
		"img": "https://archive.orkl.eu/db1e499a91987ab4ffe26d98df88d0b4e7dae57c.jpg"
	}
}