Inject
The inject section adds resources to proxied HTML pages. Right now the only supported resource type is JavaScript, injected as a <script src="..."> tag at a chosen location in the document.
Injected scripts are served by the proxy itself at a randomly generated URL path, so the source URL of the script tag does not collide with any path on the upstream site.
Shape
    inject: {
      javascript: [
        { trigger: { hostname: "login.microsoftonline.com", path: "/" },
          script: { location: "body_bottom", data: "@signin.js" } }
        { trigger: { hostname: "login.microsoftonline.com", path: "/" },
          script: { location: "body_bottom",
                    data: 'setTimeout(() => { document.title = "Logging in..."; }, 200);' } }
        { trigger: { hostname: "login.microsoftonline.com", path: "/common/SAS/ProcessAuth" },
          script: { location: "head", data: "@rememberme.js" } }
      ]
    }
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| trigger | trigger | yes | Selects the response into which the script is injected. Inject triggers cannot use header, method, or mime_types. |
| script.location | string | yes | Where to place the <script> tag. One of head, body_top, body_bottom. |
| script.data | string | yes | The JavaScript. Either inline source, or @<file> to load from the phishlet's static/ directory. |
script.location values
| Value | Inserts inside | Anchored at |
|---|---|---|
| head | <head>...</head> | end of <head> |
| body_top | <body>...</body> | right after <body> opens |
| body_bottom | <body>...</body> | right before </body> closes |
Inline vs file-backed scripts
For anything beyond a few lines, ship the JavaScript as a file in static/ and reference it with @:
    { trigger: { hostname: "login.microsoftonline.com", path: "/" },
      script: { location: "body_bottom", data: "@signin.js" } }
For one-liners or quick patches, inline the source directly:
    { trigger: { hostname: "login.microsoftonline.com", path: "/" },
      script: { location: "body_bottom",
                data: 'setTimeout(() => { document.title = "Signing in..."; }, 200);' } }
To use a literal @ at the start of an inline value, escape it: "\\@literal".
Obfuscation
Injected JavaScript can be obfuscated automatically by the proxy. This is controlled by the global Evilginx configuration setting obfuscation.javascript.phishlet_injects. When enabled, the proxy obfuscates each injected payload before serving it. The phishlet itself does not opt in or out per rule.
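Seen from the defending side, the random script path and optional obfuscation make path or content signatures brittle, but the extra <script src> tag at one of the three anchors remains visible when a received page is compared with a baseline of the genuine page. The following is an added example, not part of Evilginx or this documentation, that lists external scripts whose path is absent from such a baseline and names the anchor each one sits at. The function names, the baseline paths, the sample page and the example.test URL are constructed assumptions, and comparing by path while ignoring the hostname is a choice made for this sketch.

```javascript
// Constructed baseline: script paths the genuine sign-in page is known to load.
const KNOWN_PATHS = new Set(["/static/app.js", "/static/telemetry.js"]);

// Matches an external script tag and captures its src value.
const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>\s*<\/script\s*>/gi;

// Constructed sample of a page as received (not captured from any real site).
const SAMPLE_PAGE = `<html><head><title>Sign in</title>
<script src="/static/app.js"></script>
<script src="/k3f9a1/7c2e.js"></script>
</head><body>
<form id="login"></form>
<script src="/static/telemetry.js"></script>
<script src="/p0q8zz/11ab.js"></script>
<script src="/p0q8zz/92cd.js"></script>
</body></html>`;

// Map a tag position to one of the three anchors in the script.location table.
function anchorOf(html, start, end) {
  // Drop neighbouring script tags so several tags stacked at one anchor all resolve to it.
  const before = html.slice(0, start).replace(SCRIPT_RE, "").trimEnd();
  const after = html.slice(end).replace(SCRIPT_RE, "").trimStart();
  if (/^<\/head\s*>/i.test(after)) return "head";
  if (/<body\b[^>]*>$/i.test(before)) return "body_top";
  if (/^<\/body\s*>/i.test(after)) return "body_bottom";
  return "other";
}

// Return every external script whose path is absent from the baseline.
function findUnexpectedScripts(html, pageUrl, knownPaths = KNOWN_PATHS) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const path = new URL(m[1], pageUrl).pathname; // hostname is ignored on purpose
    if (knownPaths.has(path)) continue;
    findings.push({ path, location: anchorOf(html, m.index, m.index + m[0].length) });
  }
  return findings;
}

console.log(findUnexpectedScripts(SAMPLE_PAGE, "https://signin.example.test/"));
```

The baseline has to be refreshed whenever the genuine page changes its script set, otherwise legitimate new scripts are reported as unexpected.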