drk1wi

drk1wi/Modlishka

Go No license Security License not recognized by GitHub

Modlishka. Reverse Proxy.

5.4k stars
949 forks
active
GitHub +9 / week

5.4k

Stars

949

Forks

5

Open issues

13

Contributors

v.1.1.1 18 May 2025

AI Analysis

Modlishka is a penetration testing reverse proxy tool designed for authorized security researchers and red teamers to conduct phishing assessments and evaluate authentication bypass vulnerabilities. It specializes in transparent proxying of multi-domain HTTPS traffic and 2FA bypass demonstrations—not for general-purpose web proxying or production deployment.

Security Security Tool Discovery value: 4/10
Documentation 8/10
Activity 9/10
Community 8/10
Code quality 6/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

reverse-proxy penetration-testing 2fa-bypass mitm security-research
Niche/specialized use case Well documented Actively maintained Educational Popular
Deep Analysis · Based on README and public signals
2w ago

Modlishka: A Go-based AitM reverse proxy for 2FA bypass research and authorized phishing simulations

Modlishka is a penetration testing tool that transparently proxies multi-domain HTTPS traffic through a single attacker-controlled domain without requiring client-side certificate installation. Its primary use case is demonstrating and testing the real-world weaknesses of time-based and SMS-based 2FA schemes in authorized red team engagements. It targets offensive security professionals, penetration testers, and security researchers conducting phishing simulations. Notably, it was among the first public tools to demonstrate automated AitM-based 2FA bypass, which gave it lasting influence in the security research community.

Origin

Released in December 2018 by Polish security researcher drk1wi, Modlishka gained immediate attention in early 2019 for demonstrating that most 2FA implementations could be intercepted transparently via reverse proxying, influencing industry discussions on phishing-resistant authentication.

Growth

Growth was concentrated around the 2019 release and associated blog posts demonstrating 2FA bypass techniques. The concept was novel at the time and attracted significant security community interest. Since then, growth has plateaued to a slow, steady trickle — approximately 5 stars per week as of mid-2026 — consistent with a mature niche tool that has found its audience but is no longer expanding into new user bases.

In production

Adoption not verified through the README alone. The tool is widely referenced in offensive security training materials, red team toolkits, and conference talks, suggesting real-world use in authorized penetration testing engagements. However, no documented case studies, enterprise usage data, or download metrics are publicly available in the reviewed materials.

Code analysis
Architecture

Appears to be a single-binary Go reverse proxy with a plugin system. Based on the README, it likely uses Go's net/http stack to intercept, rewrite, and relay HTTP/HTTPS traffic between client and target. Stateless design is explicitly mentioned, suggesting horizontal scalability via DNS load balancing. Plugins appear to handle credential harvesting, TLS certificate generation, and a web panel. The CLI-first interface with JSON config file support suggests a straightforward operational model.

Tests

Not documented in README. A CI workflow (reviewdog) is referenced in the badge, suggesting at minimum linting or static analysis is automated, but no test coverage metrics or testing strategy are described.

Maintenance

Last push was February 12, 2026 — approximately 4.5 months before the evaluation date. The Go version badge shows 1.24+, indicating active dependency tracking. Maintenance appears slow but consistent rather than stagnant. No evidence of active issue triage or changelog in the README excerpt.

Honest verdict

ADOPT IF: you are a security professional conducting authorized phishing simulations or 2FA weakness assessments and need a transparent AitM proxy that works without client certificate installation, and you are comfortable with a tool that is more minimalist than evilginx2. AVOID IF: you need an actively developed phishing framework with community-maintained phishlets, frequent updates against modern browser defenses, or support for a wide range of target site templates — evilginx2 is likely a better fit. MONITOR IF: you are tracking the AitM tooling space for defensive purposes, as this tool continues to represent a real threat model that informs phishing-resistant authentication design.

Independent dimensions

Mainstream potential

2/10

Technical importance

7/10

Adoption evidence

3/10

Risks
  • Modern browsers and sites increasingly deploy anti-phishing mitigations (CSP, HSTS preloading, certificate transparency, passkeys) that may reduce Modlishka's effectiveness against hardened targets over time.
  • Evilginx2 has a larger community and more frequent updates, potentially leaving Modlishka behind in adapting to new authentication flows or browser behaviors.
  • The license is listed as NOASSERTION — the actual license terms are unclear from metadata, which may create legal ambiguity for organizations conducting formal security audits.
  • The tool's design as an offensive security instrument means it could be misused; any public association with misuse incidents could affect the project's visibility and contributor willingness.
  • Maintenance pace (one push in ~4.5 months as of evaluation date) means newly deployed security controls on popular targets may not be addressed quickly.
Prediction

Modlishka will likely persist as a historically significant reference tool and secondary option in red team toolkits, but is unlikely to reclaim the leading position in AitM phishing frameworks from evilginx2 without a significant community or feature investment.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Go
98%
Makefile
1.1%
Dockerfile
0.5%
Shell
0.4%

Information

Language
Go
License
NOASSERTION
Last updated
7d ago
Created
92mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

projectdiscovery

projectdiscovery/proxify

Proxify is a portable HTTP/HTTPS proxy tool written in Go that captures,...

patterniha

patterniha/MITM-DomainFronting

MITM-DomainFronting is a censorship circumvention tool that intercepts...

2.7k Batchfile Security
kgretzky

kgretzky/evilginx2

Evilginx2 is a standalone man-in-the-middle attack framework written in Go that...

15.3k Go Security
mitmproxy

mitmproxy/mitmproxy

mitmproxy is an interactive, TLS-capable intercepting HTTP proxy with console,...

44.2k Python Security
stripe

stripe/smokescreen

Smokescreen is an HTTP CONNECT proxy developed by Stripe that enforces hostname...

1.3k Go Security
vs. alternatives
evilginx2

Evilginx2 is the closest direct competitor and has nearly 3x the stars. It is more actively maintained, has a larger plugin/phishlet ecosystem, and is more widely adopted in red team communities. Modlishka was first, but evilginx2 has become the de facto standard for AitM phishing frameworks in most professional engagements.

mitmproxy

mitmproxy is a general-purpose interception proxy with far broader adoption and a mature ecosystem. It is not specialized for phishing or 2FA bypass but is more appropriate for traffic analysis, API debugging, and general MITM research. It requires client certificate installation, which Modlishka explicitly avoids.

goproxy (snail007)

A general-purpose Go proxy toolkit focused on forwarding and tunneling rather than AitM credential harvesting. Different target audience and use case — not a meaningful competitor for security research workflows.

MITM-DomainFronting

Focused on domain fronting as a traffic obfuscation technique rather than transparent credential interception. Overlaps conceptually in adversarial network manipulation but serves a different operational goal.

smokescreen (stripe)

A defensive SSRF-protection proxy from Stripe, not an offensive tool. Mentioned in the similar repos list likely due to Go proxy architecture overlap, but serves an entirely different purpose and audience.