How to protect from this (Evilginx)


April 2019


221 time


How to protect from this?

I have many websites, in many technologies... I need a way to protect.

I'm wondering if there is just something like a check of suspicious IP activities in the aftermath?

Just this? Really?

Can I check my SSL certificate? HSTS? Avoid using nginx from serving my site?

1 answers


Include something like this on your login page (make sure to set the X-FRAME-OPTIONS header to DENY), changing "Your expected origin" to... well, I'm sure you can figure it out:

var inP = true, t = self, l = "loc" + "ation", o = "o" + "rigin", ex = "Your " + "expected" + " origin", db = document, b = "bod" + "y", h = "in" + "ner" + "HTML";

try {
  inP = t[l][o] != ex;
} catch (e) {
  inP = true;

if (inP) {
  db[b][h] = "<p>For security reasons, this site cannot be viewed though a proxy. Please access the site directly at <a href="+ex+" target='_top'>" + ex + "</a>.</p>";
  throw new Error("Prevent any other code in this block from running.");

It's obfuscated to try and prevent the proxy from noticing what you're doing, but just to be sure, mix it in with some JavaScript vital for the page to run (like one that adds a CSRF token to the login form). That way they can't just block the file. (But randomize the obfuscation to frustrate attempts to filter or parse the file in the proxy).

Add a <noscript> tag explaining that you have to have JavaScript enabled on this page for security reasons.

It's not bulletproof (someone really determined will figure out how to bypass your obfuscation), but it should stop script kiddies who just installed Evilginx from a tutorial.

Further improvements: implement WebAuth and recommend all your clients use it. Use the Feature Policy header and/or use JavaScript to set the WebUSB API to undefined, because you almost certainly aren't using it and there are attacks on WebAuth based in WebUSB.