Architecture and design
- The Ember.js admin frontend communicates with the admin interface endpoint using a JSON REST API.
- A Rails engine provides two endpoints, admin and public:
  - the admin endpoint exposes all API calls required to set up and run a phishing campaign
  - the public endpoint serves all resources (e.g. HTML pages, JavaScript files and images) for a phishing page
  - the public endpoint receives all callbacks / reports when a phishing victim fulfills a specific goal

  The admin and public endpoints are exposed under different URL namespaces (`/api/` and `/public/` by default). They can also be separated into two different application instances; for details, check the comments in `pompa.yml.sample`.
- All non-binary data is stored in a PostgreSQL database; ORM mapping is done with the ActiveRecord framework.
- The Rails engine is not used for any long-lived tasks. Phishing campaigns are processed as a number of different Sidekiq jobs (separate jobs for campaign processing, personalized email generation and email delivery). Jobs use the Redis message queue to communicate with each other.
- Redis is also used for all caching. Because phishing pages and emails can be personalized for each victim using Liquid templates, intermediate results are stored in Redis to speed up generation of the rendered views.
- Message-driven communication between workers
  - the campaign worker spawns victim workers in batches
  - each victim worker generates an email and queues it to the mailer worker
  - the mailer worker throttles the queued emails and delivers them to the mail transfer agent
- Non-blocking design and caching
  - the campaign worker periodically picks events from Redis and saves them to the DB
- Dynamic template rendering
  - most fields have Liquid template support (e.g. email subject and body)
  - landing pages can be rendered with the full context of a victim

  ```liquid
  Hello, {{ victim.first_name }}!
  Do you have a moment to click on a
  <a href="{{ template.landing_url }}">link</a>?
  Here is a random cat picture for you: <img src="{{ 'cat' | resource }}">!
  Cheers,
  {{ mailer.sender_name }}
  ```
- Flexible goals (and resources)
  - a goal is reached by making an HTTP request
  - all reported parameters (like captured credentials) are saved
  - resources can be used both in the landing page and in the phishing email
  - the `report` and `resource` helpers can be used in templates

  ```liquid
  {{ 'click' | report }} -> http://myphish.in/?v=<victim>&g=<goal>
  {{ 'cat' | resource }} -> http://myphish.in/?r=<resource>
  ```

  Dynamic templates additionally carry the victim identifier:

  ```liquid
  {{ 'index-html' | resource }} -> http://myphish.in/?r=<resource>&v=<victim>
  ```
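To make the URL scheme behind the `report` and `resource` helpers concrete, here is an added example (not pompa's own code) that implements both helpers and a minimal stand-in for the Liquid rendering used in the template above. The base URL, the victim/goal code values, the `dynamic_resources` list and the `render` stand-in are assumptions of this example; it also shows why query values should be URL-encoded so a resource or goal name cannot inject extra parameters into the public endpoint URL.

```ruby
require 'uri'

# Constructed stand-in for the `report` / `resource` template helpers.
# BASE_URL and the identifier scheme are assumptions, not pompa's own.
class PhishHelpers
  BASE_URL = 'http://myphish.in/'.freeze # assumed public endpoint base

  # goals: goal name => goal code; dynamic_resources: names rendered per victim
  def initialize(victim_code:, goals:, dynamic_resources: [])
    @victim_code = victim_code
    @goals = goals
    @dynamic = dynamic_resources
  end

  # {{ 'click' | report }} -> http://myphish.in/?v=<victim>&g=<goal>
  def report(goal_name)
    code = @goals.fetch(goal_name) { raise KeyError, "unknown goal #{goal_name}" }
    build(v: @victim_code, g: code)
  end

  # {{ 'cat' | resource }}        -> http://myphish.in/?r=<resource>
  # {{ 'index-html' | resource }} -> http://myphish.in/?r=<resource>&v=<victim>
  def resource(name)
    params = { r: name }
    params[:v] = @victim_code if @dynamic.include?(name)
    build(**params)
  end

  # Minimal stand-in for Liquid: supports only {{ 'x' | report|resource }}
  # and {{ object.attribute }} lookups from the supplied context hash.
  def render(template, objects)
    out = template.gsub(/\{\{\s*'([^']*)'\s*\|\s*(report|resource)\s*\}\}/) do
      public_send(Regexp.last_match(2), Regexp.last_match(1))
    end
    out.gsub(/\{\{\s*(\w+)\.(\w+)\s*\}\}/) do
      objects.fetch(Regexp.last_match(1)).fetch(Regexp.last_match(2))
    end
  end

  private

  # Values are form-encoded, so a name such as "a&b" becomes "a%26b" and
  # cannot smuggle an extra query parameter into the callback URL.
  def build(**params)
    BASE_URL + '?' + URI.encode_www_form(params)
  end
end
```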