Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new approach of handling HTTP traffic flow, which allows to transparently proxy multi-domain destination TLS traffic over a single domain TLS certificate in an automated manner. What does this exactly mean? In short, it simply has a lot of potential, that can be used in many interesting ways...

From the security perspective, Modlishka can be currently used to:
- Hijack application HTTP TLS traffic flow through the "Client Domain Hooking" attack.
- Help penetration testers to carry out a modern ethical phishing campaign that requires a universal 2FA “bypass” support.
- Wrap legacy websites with TLS layer, confuse crawler bots and automated scanners, etc.
- TBC.

Modlishka was primarily written for security related tasks. Nevertheless, it can be helpful in other, non-security related, usage scenarios.

Key Features:

**General:**
- Point-and-click HTTP and HTTPS reverse proxying of an arbitrary domain.
- Full control of "cross" origin TLS traffic flow from your users browses (through a set of new interesting techniques).
- Easy and fast configuration through command line options and JSON configuration files.
- Practical implementation of the "Client Domain Hooking" attack. Supported with a diagnostic plugin.
- Pattern based JavaScript payload injection.
- Wrapping websites with an extra "security": TLS wrapping, authentication, relevant security headers, etc.
- Striping websites from all encryption and security headers (back to 90's MITM style).
- Stateless design. Can be scaled up easily to handle an arbitrary amount of traffic - e.g. through a DNS load balancer.
- Can be extended easily with your ideas through modular plugins.
- Automatic TLS certificate generation plugin for the proxy domain (requires a self-signed CA certificate)
- Written in Go, so it works basically on all platforms and architectures: Windows, OSX, Linux, BSD supported...

**Security related:**
- "[Client Domain Hooking]" attack in form of a diagnostic module.
- Support for majority of 2FA authentication schemes (out of the box).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Web panel plugin with a summary of automatically collected credentials and one-click user session impersonation module (beta POC).
- No website templates (just point Modlishka to the target domain - in most cases, it will be handled automatically without any additional manual configuration).
----------------------------------------------------------------------------
IMPORTANT:
Within your purchase, I'll give you the tool + quick rundown of how this tool can help you bypass most of the 2FA authentication schemes used today, including intercepting OTP tokens and hijacking post-authentication user sessions.