{"id":13376132,"url":"https://github.com/drk1wi/modlishka","last_synced_at":"2026-01-14T11:50:42.133Z","repository":{"id":38326051,"uuid":"162460220","full_name":"drk1wi/Modlishka","owner":"drk1wi","description":"Modlishka. Reverse Proxy.  ","archived":false,"fork":false,"pushed_at":"2025-05-18T15:46:23.000Z","size":3540,"stargazers_count":4980,"open_issues_count":11,"forks_count":895,"subscribers_count":141,"default_branch":"master","last_synced_at":"2025-05-18T16:35:13.195Z","etag":null,"topics":["mitm","penetration-testing-tools","phishing","reverse-proxy","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drk1wi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-12-19T15:59:54.000Z","updated_at":"2025-05-18T15:28:06.000Z","dependencies_parsed_at":"2023-01-28T16:00:20.378Z","dependency_job_id":"f18e0a8a-364d-44f8-8a78-835a3a9cb42f","html_url":"https://github.com/drk1wi/Modlishka","commit_stats":{"total_commits":102,"total_committers":14,"mean_commits":7.285714285714286,"dds":0.303921568627451,"last_synced_commit":"e46dcfd4e544146057c3a5666ea5ca247bc3d979"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/drk1wi/Modlishka","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drk1wi%2FModlishka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drk
1wi%2FModlishka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drk1wi%2FModlishka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drk1wi%2FModlishka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drk1wi","download_url":"https://codeload.github.com/drk1wi/Modlishka/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drk1wi%2FModlishka/sbom","scorecard":{"id":356409,"data":{"date":"2025-08-11","repo":{"name":"github.com/drk1wi/Modlishka","commit":"0348d52fba6fd382239e359b76072301f56d89c4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.7,"checks":[{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: untrusted code checkout '${{ github.event.pull_request.head.sha }}': .github/workflows/reviewdog.yml:14"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":4,"reason":"4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":1,"reason":"Found 5/30 approved changesets -- score normalized to 
1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/reviewdog.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":9,"reason":"license file 
detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v.1.1.0 not signed: https://api.github.com/repos/drk1wi/Modlishka/releases/17485785","Warn: release artifact v.1.0.0 not signed: https://api.github.com/repos/drk1wi/Modlishka/releases/14762530","Warn: release artifact v.1.1.0 does not have provenance: https://api.github.com/repos/drk1wi/Modlishka/releases/17485785","Warn: release artifact v.1.0.0 does not have provenance: https://api.github.com/repos/drk1wi/Modlishka/releases/14762530"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: containerImage not pinned by hash: extra/docker/Dockerfile:1: pin your Docker image by updating golang:alpine to golang:alpine@sha256:244baa35bcfaf9a5b3444519df6d42554a1f92dc33820bd98f0662df270d8a6a","Info:   2 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the 
project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 7 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T09:43:10.904Z","repository_id":38326051,"created_at":"2025-08-18T09:43:10.904Z","updated_at":"2025-08-18T09:43:10.904Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28419267,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mitm","penetration-testing-tools","phishing","reverse-proxy","security-tools"],"created_at":"2024-07-30T05:02:26.816Z","updated_at":"2026-01-14T11:50:42.127Z","avatar_url":"https://github.com/drk1wi.png","language":"Go","funding_links":[],"categories":["\u003ca id=\"1a9934198e37d6d06b881705b863afc8\"\u003e\u003c/a\u003e通信\u0026\u0026代理\u0026\u0026反向代理\u0026\u0026隧道","\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"a136c15727e341b9427b6570910a3a1f\"\u003e\u003c/a\u003e反向代理\u0026\u0026穿透","\u003ca id=\"e9f97504fbd14c8bb4154bd0680e9e62\"\u003e\u003c/a\u003e反向代理"],"readme":"# 
..Modlishka..\n\n![License](https://img.shields.io/badge/license-Author-blue.svg)\n![Platform](https://img.shields.io/badge/platform-Windows%20%7C%20macOS%20%7C%20Linux%20%7C%20BSD-lightgrey.svg)\n![Build Status](https://github.com/drk1wi/Modlishka/actions/workflows/reviewdog.yml/badge.svg)\n![Go Version](https://img.shields.io/badge/go-1.24%2B-00ADD8.svg)\n\nModlishka is an open-source penetration testing tool that acts as a man-in-the-middle proxy. It introduced a new technical approach to handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without requiring the installation of any additional certificate on the client.\n\nIn 2019, Modlishka was the first publicly released research tool to demonstrate a novel Adversary-in-the-Middle (AitM) technique capable of bypassing many common 2FA implementations — with the goal of raising awareness and improving real-world defenses.\n\n\u003e **Note:** This project is intended strictly for authorized research and professional security testing.\n\n## Use Cases\n\n**Security Testing:**\n- Ethical phishing penetration tests with transparent, automated reverse proxy and universal 2FA bypass support\n- Highlight [2FA](https://blog.duszynski.eu/phishing-ng-bypassing-2fa-with-modlishka/) scheme weaknesses to drive better industry security solutions\n\n**General:**\n- Wrap legacy websites with TLS\n- Confuse crawler bots and automated scanners\n- Universal transparent reverse proxy for other projects\n\n## Features\n\n**General:**\n- Point-and-click HTTP and HTTPS reverse proxying of arbitrary domains\n- Full control of cross-origin TLS traffic flow without client certificate installation\n- Easy configuration through command line options and JSON configuration files\n- Pattern-based JavaScript payload injection\n- TLS wrapping, authentication, and security headers for legacy websites\n- Stateless design for easy scaling via 
DNS load balancer\n- Extensible through modular plugins\n- Automatic TLS certificate generation plugin (requires self-signed CA)\n- Cross-platform: Windows, macOS, Linux, BSD\n\n**Security:**\n- Support for the majority of 2FA authentication schemes out of the box\n- [Client Domain Hooking](https://blog.duszynski.eu/client-domain-hooking-in-practice/) attack implementation with diagnostic plugin\n- User credential harvesting with URL parameter-based context\n- Web panel plugin for credential management and session impersonation (beta)\n- No website templates required — automatic handling in most cases\n\n## Demo\n\nModlishka in action against an example 2FA scheme (SMS-based bypass):\n\n[![Demo](https://img.shields.io/badge/Watch-Demo-red.svg)](https://vimeo.com/308709275)\n\n## Installation\n\nLatest source code: [zip](https://github.com/drk1wi/modlishka/zipball/master) | [tar](https://github.com/drk1wi/modlishka/tarball/master)\n\n**Using go install:**\n```bash\ngo install github.com/drk1wi/Modlishka@latest\n```\n\n**Manual build:**\n```bash\ngit clone https://github.com/drk1wi/Modlishka.git\ncd Modlishka\nmake\n```\n\n## Usage\n\n```\n./dist/proxy -h\n\nUsage of ./dist/proxy:\n\n  -cert string\n      base64 encoded TLS certificate\n  -certKey string\n      base64 encoded TLS certificate key\n  -certPool string\n      base64 encoded Certification Authority certificate\n  -config string\n      JSON configuration file. Convenient instead of using command line switches.\n  -controlCreds string\n      Username and password to protect the credentials page. user:pass format\n  -controlURL string\n      URL to view captured credentials and settings. (default \"SayHello2Modlishka\")\n  -credParams string\n      Credential regexp with matching groups. e.g.: base64(username_regex),base64(password_regex)\n  -debug\n      Print debug information\n  -disableSecurity\n      Disable proxy security features like anti-SSRF. 
Disable at your own risk.\n  -disableDynamicSubdomains\n      Translate URL domain names to be the proxy domain\n  -dynamicMode\n      Enable dynamic mode for 'Client Domain Hooking'\n  -forceHTTP\n      Strip all TLS from the traffic and proxy through HTTP only\n  -forceHTTPS\n      Strip all clear-text from the traffic and proxy through HTTPS only\n  -allowSecureCookies\n      Allow secure cookies to be set. Useful when using HTTPS and cookies have SameSite=None\n  -ignoreTranslateDomains string\n      Comma separated list of domains to never translate and proxy\n  -jsRules string\n      Comma separated list of URL patterns and JS base64 encoded payloads that will be injected\n      e.g.: target.tld:base64(alert(1))\n  -listeningAddress string\n      Listening address (default \"127.0.0.1\")\n  -listeningPortHTTP int\n      Listening port for HTTP requests (default 80)\n  -listeningPortHTTPS int\n      Listening port for HTTPS requests (default 443)\n  -log string\n      Local file to which fetched requests will be written (appended)\n  -pathHostRules string\n      Comma separated list of URL path patterns and target domains\n      e.g.: /path/:example.com,/path2:www.example.com\n  -plugins string\n      Comma separated list of enabled plugin names (default \"all\")\n  -postOnly\n      Log only HTTP POST requests\n  -proxyAddress string\n      Proxy that should be used (socks/https/http) e.g.: http://127.0.0.1:8080\n  -proxyDomain string\n      Proxy domain name that will be used e.g.: proxy.tld\n  -rules string\n      Comma separated list of string patterns and their replacements\n      e.g.: base64(old):base64(new),base64(older):base64(newer)\n  -staticLocations string\n      Comma separated list of FQDNs in location headers that should be preserved\n  -target string\n      Target domain name e.g.: target.tld\n  -targetRes string\n      Comma separated list of domains that were not translated automatically\n      e.g.: static.target.tld\n  -terminateTriggers 
string\n      Comma separated list of URLs from target's origin which will trigger session termination\n  -terminateUrl string\n      URL to which a client will be redirected after session termination\n  -trackingCookie string\n      Name of the HTTP cookie used to track the client (default \"id\")\n  -trackingParam string\n      Name of the HTTP parameter used to track the client (default \"id\")\n```\n\n## Commercial Usage\n\nModlishka is licensed under [this License](https://raw.githubusercontent.com/drk1wi/Modlishka/master/LICENSE).\n\nFor commercial applications, please contact the author for licensing arrangements.\n\n## Credits\n\nAuthor: Modlishka was designed and implemented by Piotr Duszyński ([@drk1wi](https://twitter.com/drk1wi)). All rights reserved.\n\nSee the list of [contributors](https://github.com/drk1wi/Modlishka/graphs/contributors) who participated in this project.\n\n## Disclaimer\n\nThis tool is made only for educational purposes and can be used in legitimate penetration tests or research only. The author does not take any responsibility for any actions taken by its users.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrk1wi%2Fmodlishka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrk1wi%2Fmodlishka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrk1wi%2Fmodlishka/lists"}