
Templates, data model and helpers

m1nl edited this page Oct 22, 2019 · 5 revisions

Liquid templates in Pompa

Pompa uses Liquid templates to provide a flexible way to create customized phishing campaigns. Liquid templates can be entered in many fields of the phishing template. Each field that accepts Liquid syntax is annotated in the web interface. A full reference for the Liquid template syntax can be found here.

When a given field is rendered in the context of a phishing victim, a data model is passed to the Liquid template engine. The data model includes fields that describe the victim and all related entities. Pompa builds the data model by serializing database objects into a hash, which can also be expressed in JSON format. A sample data model is provided below for reference.

{
  "victim": {
    "id": 45098,
    "first_name": "Seth",
    "last_name": "Robinson",
    "display_name": "Seth Robinson",
    "gender": null,
    "department": null,
    "email": "root@nalewajski.pl",
    "comment": null,
    "code": "VjsXlhsUig",
    "state": "error",
    "sent_date": null,
    "message_id": "f96694fe-c301-40fa-8e11-a55eb5e1b6d5@nalewajski.pl",
    "last_error": "SocketError: getaddrinfo: Name or service not known",
    "error_count": 1,
    "scenario_id": 46,
    "target_id": 25903
  },
  "scenario": {
    "id": 46,
    "model": null,
    "campaign_id": 23,
    "template_id": 1,
    "mailer_id": 10,
    "group_id": 1
  },
  "campaign": {
    "id": 23,
    "name": "asdadas",
    "description": "test",
    "model": null,
    "start_date": null,
    "started_date": "2018-08-27T00:00:00.000Z",
    "finish_date": null,
    "finished_date": null,
    "state": "paused"
  },
  "group": {
    "id": 1,
    "name": "Test",
    "description": null
  },
  "template": {
    "id": 1,
    "name": "Test",
    "description": "xx",
    "sender_email": "root@nalewajski.pl",
    "sender_name": null,
    "base_url": "http://localhost:3000/api/public",
    "landing_url": "http://localhost:3000/api/public/?r=2MlLrepW&v=VjsXlhsUig",
    "subject": "Hello Seth Robinson!",
    "plaintext": "Test",
    "html": "<a href=\"http://localhost:3000/api/public/?r=2MlLrepW&v=VjsXlhsUig\">Click me!</a>"
  }
}

As you can see, the subject of the e-mail is fully customized. This effect can be achieved by entering the following template into the subject field in the web interface.

Hello {{ victim.display_name }}!

Custom Liquid helpers

In order to provide a better user experience, Pompa provides several custom Liquid helpers, which enable you to generate URLs for various resources or phishing campaign goals.

Flexible resource management

Pompa can be considered a very compact CMS, which enables you to upload a number of resources and access them in a convenient way. The public endpoint allows you to access a given resource by providing its code.

When the public endpoint is exposed on hxxp://localhost/, you can access any resource using its code by querying the API with the r parameter. That gives you the following URL for a sample resource: hxxp://localhost/api/public/?r=eKDYuFNn.

The author understands that querying a resource by its name is far more elegant and intuitive. That is why Pompa provides a custom Liquid helper that transforms the name of a resource into a URL. It combines the Base URL of a template, which is equivalent to the public endpoint address, with a resource code and returns the full address of the given resource.

{{ 'logo-png' | resource }}             -> hxxp://localhost/api/public/?r=eKDYuFNn
<img src="{{ 'logo-png' | resource }}"> -> <img src="hxxp://localhost/api/public/?r=eKDYuFNn">

One can say that this syntax cannot be used to embed images in e-mails in an effective way. That is why Pompa provides another helper, which transforms a resource name into a CID identifier and embeds the image as another MIME part of the e-mail.

{{ 'logo-png' | embed }}              -> cid:eKDYuFNn
<img src="{{ 'logo-png' | embed }}">  -> <img src="cid:eKDYuFNn">

Another promising feature of Pompa is a mechanism that enables you to upload any file containing Liquid template language. This allows you to include custom CSS, JS and other content in the phishing landing page by referencing their names. On top of that, you can still access all fields of the basic data model for a phishing victim.

You can use the following syntax to include CSS resources in the landing page HTML.

<title>Free coupons!</title>
<link href="{{ 'bootstrap-css' | resource }}" rel="stylesheet"/>
<link href="{{ 'theme-css' | resource }}" rel="stylesheet"/>

You can also render the content of a resource directly, using the render helper.

<script>{{ 'custom-js' | render }}</script>

Arbitrary URL path

You can provide an additional argument to the resource helper, which enables you to add an arbitrary path to the resource URL. This feature can be used to mimic a well-known URL used by a legitimate application.

<a href="{{ 'login-html' | resource: 'jira/login.jsp' }}">Login</a>

File downloads

You can provide another argument to the resource helper, which enables you to force a browser to download a file with a custom filename. Internally, it uses the Content-Disposition header to make the browser download the file instead of rendering it.

{% assign filename = victim.display_name | append: '.exe' %}<a href="{{ 'malware-exe' | resource: 'readme.txt', filename }}">Click me!</a>
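A defender-side check for the download behaviour described above, added here as an example and not part of Pompa's code: it compares the extension visible in the URL path with the filename the Content-Disposition header tells the browser to save. The records, hostnames, URL layout and the RISKY_EXTENSIONS list are constructed assumptions.

```python
import posixpath
from email.message import Message
from urllib.parse import urlsplit, unquote

# Assumed list of extensions worth escalating; tune for your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".hta", ".js", ".lnk"}


def disposition_filename(header_value):
    """Return the filename of an 'attachment' Content-Disposition, else None."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    if msg.get_content_disposition() != "attachment":
        return None
    return msg.get_filename()


def check_download(url, content_disposition):
    """Flag responses whose saved filename extension differs from the URL path."""
    saved_as = disposition_filename(content_disposition or "")
    if not saved_as:
        return None
    url_ext = posixpath.splitext(unquote(urlsplit(url).path))[1].lower()
    saved_ext = posixpath.splitext(saved_as)[1].lower()
    if url_ext == saved_ext:
        return None
    return {"url": url, "url_ext": url_ext, "saved_as": saved_as,
            "risky": saved_ext in RISKY_EXTENSIONS}


# Constructed (url, Content-Disposition) pairs as a proxy log might record them.
# Hostnames, codes and the URL layout are placeholders, not Pompa output.
RECORDS = [
    ("http://files.example.test/docs/readme.txt?r=AAAAAAAA", 'attachment; filename="Seth Robinson.exe"'),
    ("http://files.example.test/docs/report.pdf", 'attachment; filename="report.pdf"'),
    ("http://files.example.test/index.html", "inline"),
    ("http://files.example.test/logo.png", None),
]


def flag_records(records):
    return [hit for url, cd in records if (hit := check_download(url, cd))]


if __name__ == "__main__":
    for hit in flag_records(RECORDS):
        print(hit)
```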

Flexible goal management

As mentioned before, goals in Pompa are plain HTTP requests made in the context of a phishing victim. To report that a specific goal has been fulfilled, a request containing the goal and victim codes has to be made.

When the public endpoint is exposed on hxxp://localhost/, you can report that a goal has been fulfilled by querying the API with the g and v parameters. That gives you the following URL for a sample report: hxxp://localhost/?g=wwDvU7ie&v=iH701kjsvg.

Again, the author understands that reporting a goal by its name is far more elegant and intuitive. That is why Pompa provides a custom Liquid helper that transforms the name of a goal into a URL. It combines the Base URL of a template, which is equivalent to the public endpoint address, with the goal and victim codes and returns the full address for the given report.

{{ 'View a message' | report }}             -> hxxp://localhost/?g=wwDvU7ie&v=iH701kjsvg
<img src="{{ 'View a message' | report }}"> -> <img src="hxxp://localhost/?g=wwDvU7ie&v=iH701kjsvg">

Pompa dynamically recognizes when a given report is requested as an image and serves a blank pixel in the requested format (PNG / JPG / GIF). Otherwise, an empty document is returned. When a POST request is made to the report URL, Pompa records all query parameters. This allows you to record any specific data for further analysis.

For tracking e-mail / page open events, Pompa provides a specialized helper for creating "invisible" tracking pixels.

{{ 'View a message' | track }} -> <img src="hxxp://localhost/?g=wwDvU7ie&v=iH701kjsvg" alt="" width="1" height="1" />

You can provide an additional argument to the report helper, which enables you to make a redirection. It can be used to create links that are reported to Pompa and then redirect the victim to a legitimate site.

<a href="{{ 'View a message' | report: 'https://www.gmail.com' }}">Login</a>
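
The URL shapes documented on this page (the r, g and v query parameters, and the 1x1 image produced by the track helper) can be matched in inbound mail bodies. The scanner below is an added example, not part of Pompa; the sample body, hostnames and codes are constructed, and because single-letter parameter names also occur on unrelated sites, hits are leads for triage, not verdicts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


def classify_url(url):
    """Map a URL to the Pompa URL shape it matches, or None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # cid: references (embed helper) never leave the message
    params = parse_qs(parts.query)
    if "g" in params and "v" in params:
        return "goal-report"  # goal code + victim code
    if "r" in params:
        return "resource"  # resource code, optionally with a victim code
    return None


class UrlShapeScanner(HTMLParser):
    """Collects matching <img src> and <a href> URLs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "img" else attrs.get("href")
        if tag not in ("img", "a") or not url:
            return
        kind = classify_url(url)
        if kind:
            pixel = tag == "img" and (attrs.get("width"), attrs.get("height")) == ("1", "1")
            self.findings.append({"tag": tag, "kind": kind, "pixel": pixel, "url": url})


def scan_html(html):
    scanner = UrlShapeScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample body; hostnames and codes are placeholders.
SAMPLE = """<p>Hello Seth Robinson!</p>
<img src="cid:AAAAAAAA">
<img src="http://mail.example.test/?g=BBBBBBBB&v=CCCCCCCCCC" alt="" width="1" height="1" />
<a href="http://mail.example.test/api/public/?r=DDDDDDDD&v=CCCCCCCCCC">Click me!</a>
<a href="https://intranet.example.test/help?topic=vpn">Help</a>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```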