diff --git a/README.md b/README.md
index 36e4c8a9..464d973b 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Until then, you can keep up-to-date with development news and articles on [my bl
 Installation of gophish is dead-simple - once the binaries are released (coming soon!), just download and extract the zip, and run the binary. Gophish will have binary releases for all platforms.
 ###Setup
-After running the gophish binary, open an Internet browser to http://localhost:3333 and follow the setup instructions.
+After running the gophish binary, open an Internet browser to http://localhost:3333 and login with the default username (admin) and password (gophish).
 ###License
 gophish - Open-Source Phishing Framework
diff --git a/controllers/api.go b/controllers/api.go
index 8e6b1060..58630ffd 100644
--- a/controllers/api.go
+++ b/controllers/api.go
@@ -34,7 +34,7 @@ func API(w http.ResponseWriter, r *http.Request) {
 // API (/api/reset) resets a user's API key
 func API_Reset(w http.ResponseWriter, r *http.Request) {
 switch {
- case r.Method == "GET":
+ case r.Method == "POST":
 u := ctx.Get(r, "user").(models.User)
 // Inspired from gorilla/securecookie
 k := make([]byte, 32)
diff --git a/controllers/route.go b/controllers/route.go
index d38d1d8b..7f429f50 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -11,11 +11,12 @@ import (
 "github.com/jordan-wright/gophish/auth"
 mid "github.com/jordan-wright/gophish/middleware"
 "github.com/jordan-wright/gophish/models"
+ "github.com/justinas/nosurf"
 )
 var templateDelims = []string{"{{%", "%}}"}
-func CreateRouter() *mux.Router {
+func CreateRouter() *nosurf.CSRFHandler {
 router := mux.NewRouter()
 // Base Front-end routes
 router.HandleFunc("/login", Login)
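Review bot: Requiring POST at `case r.Method == "POST":` does not on its own stop a cross-site request from rotating the key, because the route.go hunk that builds the CSRF handler exempts `/api/*` and this handler identifies the user from the request context (`ctx.Get(r, "user")`) rather than from a presented API key. If the middleware fills that context from the session cookie for `/api/reset`, a form POST from another origin would still succeed; either keep `/api/reset` under the CSRF check or require the caller to present the current key. The leading comment also names the wrong function; suggest `// API_Reset (/api/reset) resets the current user's API key.` API_Reset's body continues outside the hunk.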
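Review bot: Exposing `*nosurf.CSRFHandler` in `func CreateRouter() *nosurf.CSRFHandler {` ties every caller of CreateRouter to the nosurf type, while callers, as far as this hunk shows, only need something to serve; `func CreateRouter() http.Handler {` keeps the middleware choice private to this file and follows the accept-interfaces/return-concrete convention at the package boundary without leaking a third-party type. CreateRouter is exported but has no doc comment; suggest `// CreateRouter builds the gophish router and wraps it in CSRF protection, exempting the API and static paths.` The function body continues in the next hunk.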
@@ -37,7 +38,12 @@ func CreateRouter() *mux.Router {
 //Setup static file serving
 router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
- return router
+
+ //Setup CSRF Protection
+ csrfHandler := nosurf.New(router)
+ csrfHandler.ExemptGlob("/api/*")
+ csrfHandler.ExemptGlob("/static/*")
+ return csrfHandler
 }
 // Use allows us to stack middleware to process the request
@@ -113,7 +119,8 @@ func Login(w http.ResponseWriter, r *http.Request) {
 User models.User
 Title string
 Flashes []interface{}
- }{Title: "Login"}
+ Token string
+ }{Title: "Login", Token: nosurf.Token(r)}
 session := ctx.Get(r, "session").(*sessions.Session)
 switch {
 case r.Method == "GET":
diff --git a/templates/api_doc.html b/templates/api_doc.html
index a0858438..13f996a3 100644
--- a/templates/api_doc.html
+++ b/templates/api_doc.html
@@ -1,4 +1,4 @@
-{{%define "content"%}} {{%template "nav"%}}
+{{%define "content"%}} {{%template "nav" .User%}}
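Review bot: The handler built at `csrfHandler := nosurf.New(router)` is left on nosurf's defaults for both the token cookie and the failure response; nosurf's `SetBaseCookie` and `SetFailureHandler` let this file state those explicitly (an `HttpOnly` cookie, `Secure` once the app is served over TLS, and a failure page that asks the user to reload the form instead of the library's generic error). Making them explicit here keeps the security behaviour reviewable in this file rather than in the dependency's defaults. The `/api/*` exemption interacts with the API_Reset change and is raised on the api.go hunk. CreateRouter's opening is in the previous hunk.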
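Review bot: `Token: nosurf.Token(r)` hands the token to the template, but the commit does not show the login template consuming it; if the form does not post the token back, nosurf will reject every login attempt. nosurf reads the token from the form field named `csrf_token` (or the `X-CSRF-Token` header), so with this file's delimiters the template would need something like `<input type="hidden" name="csrf_token" value="{{%.Token%}}">`, unless that change is elsewhere in the commit. Login's body continues outside the hunk.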