API Documentation

DISCLAIMER

IMPORTANT: This tool is for educational purposes and authorized testing only.
Use only on systems you own or have explicit permission to test.

API Overview

The Phisher-Man React Edition provides a RESTful API for managing phishing templates, controlling the Apache server, and monitoring captured data.

Base URL: http://localhost:5000

Authentication

No authentication is currently required. Any client that can reach port 5000 can therefore deploy a template, start, stop or wipe Apache, and read every captured credential, so keep the API bound to localhost and add proper authentication before using it anywhere else (see Security Considerations).

Endpoints

1. Dashboard Data

GET /api/dashboard

Retrieves available phishing templates and their metadata.

Request:
GET /api/dashboard
Response:
{
  "templates": [
    {
      "id": "facebook",
      "name": "Facebook",
      "logo": "/static/logos/facebook.jpg",
      "description": "Facebook Login Page"
    },
    {
      "id": "google",
      "name": "Google",
      "logo": "/static/logos/google.jpg",
      "description": "Google Login Page"
    },
    {
      "id": "instagram",
      "name": "Instagram",
      "logo": "/static/instagram.png",
      "description": "Instagram Login Page"
    },
    {
      "id": "paypal",
      "name": "PayPal",
      "logo": "/static/logos/paypal.jpeg",
      "description": "PayPal Login Page"
    },
    {
      "id": "spotify",
      "name": "Spotify",
      "logo": "/static/logos/spotify.jpg",
      "description": "Spotify Login Page"
    },
    {
      "id": "facebook-security",
      "name": "Facebook Security",
      "logo": "/static/logos/facebook.jpg",
      "description": "Facebook Security Page"
    }
  ]
}
Status Codes:
  • 200 OK - Success
  • 500 Internal Server Error - Server error

2. Server Status

GET /api/server/status

Checks the current status of the Apache2 server.

Request:
GET /api/server/status
Response:
{
  "status": "running",
  "message": "Apache2 is running"
}
Possible Status Values:
  • "running" - Apache2 is active
  • "stopped" - Apache2 is not running
  • "error" - Error checking status

3. Server Control

POST /api/server/:action

Controls the Apache2 server (start, stop, clear). The action is taken from the URL path and only the three values below are meaningful. The process running the API must be permitted to run the service-control commands; otherwise the "Permission denied" error shown below is returned.

Request:
POST /api/server/start
POST /api/server/stop
POST /api/server/clear
Parameters:
  • action (path parameter) - Action to perform:
    • start - Start Apache2 service
    • stop - Stop Apache2 service
    • clear - Empty the Apache document root (/var/www/html/). This also deletes any usernames.txt files stored there, so call /api/logs first if you still need the captured data.
Response:
{
  "success": true,
  "message": "Apache2 started successfully"
}
Error Response:
{
  "success": false,
  "message": "Failed to start Apache2: Permission denied"
}

4. IP Information

GET /api/server/ip

Retrieves local and public IP addresses.

Request:
GET /api/server/ip
Response:
{
  "localIP": "127.0.0.1",
  "publicIP": "192.168.1.100"
}
IP Address Logic:
  • localIP: Always returns 127.0.0.1
  • publicIP: Automatically detected from network interfaces
    • Priority: 192.168.x.x addresses first
    • Fallback: Any non-internal IPv4 address
    • Final fallback: 127.0.0.1

Note that publicIP is the machine's LAN-facing address, not an Internet-routable one: the sample value 192.168.1.100 is RFC 1918 private space, so the publicURL returned by /api/build-scam is reachable only from that local network.

5. Deploy Template

POST /api/build-scam

Deploys a phishing template to the Apache server.

Request:
POST /api/build-scam
Content-Type: application/json

{
  "template": "facebook"
}
Request Body:
  • template (string, required) - Template ID: facebook, google, instagram, paypal, spotify or facebook-security
Response:
{
  "success": true,
  "message": "Template facebook deployed successfully",
  "localIP": "127.0.0.1",
  "publicIP": "192.168.1.100",
  "localURL": "http://127.0.0.1/facebook/login.html",
  "publicURL": "http://192.168.1.100/facebook/login.html",
  "template": "facebook"
}
Deployment Process:
  1. Stop Apache2 service
  2. Clear /var/www/html/ directory
  3. Create template-specific directory
  4. Copy template files
  5. Copy static assets (logos)
  6. Create index.html redirect
  7. Set proper permissions
  8. Start Apache2 service

Because step 2 empties the document root, only one template is live at a time, and any usernames.txt left by a previous template is removed; retrieve /api/logs before redeploying.

6. Get Logs

GET /api/logs

Retrieves captured credentials from every template directory present under /var/www/html/ (in practice only the currently deployed template, since deployment clears the directory first).

Request:
GET /api/logs
Response:
{
  "logs": "=== FACEBOOK LOGS ===\nusername1:password1\nusername2:password2\n\n=== GOOGLE LOGS ===\nuser3:pass3\n\n"
}
Log Format:
  • Each template section is labeled with === TEMPLATE_NAME LOGS ===
  • Credentials are in format: username:password
  • Multiple templates are separated by double newlines
Log File Locations:
  • /var/www/html/facebook/usernames.txt
  • /var/www/html/google/usernames.txt
  • /var/www/html/instagram/usernames.txt
  • /var/www/html/paypal/usernames.txt
  • /var/www/html/spotify/usernames.txt
  • /var/www/html/facebook-security/usernames.txt

These files sit inside the Apache document root, so unless Apache is configured to deny them they are served like any other file: whoever can reach the phishing page can also fetch http://<publicIP>/facebook/usernames.txt. Before a test, confirm that a request for the log file is refused (for example, curl -sI http://127.0.0.1/facebook/usernames.txt should return 403 once a template is deployed) and, if it is not, deny it in the Apache configuration with a <Files "usernames.txt"> block containing Require all denied.
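A parser for the text blob that /api/logs returns, added as an example rather than taken from the project. It splits each line on the first colon only, because a captured password may itself contain colons, keeps empty sections so a template with no captures still appears, and flags lines without a colon instead of dropping them. The sample blob is constructed for the example and its values are invented.

```javascript
// Added example, not part of Phisher-Man.

// Turn the /api/logs text into { templateId: [{ username, password }, ...] }.
function parseLogs(text) {
  const result = {};
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trimEnd();
    const header = /^=== (.+) LOGS ===$/.exec(line);
    if (header) {
      current = header[1].toLowerCase();     // "FACEBOOK" -> "facebook"
      if (!result[current]) result[current] = [];
      continue;
    }
    if (!line || current === null) continue; // section separator, or text before any header
    const idx = line.indexOf(':');
    if (idx === -1) {
      // Not in username:password form; keep it rather than silently losing data.
      result[current].push({ username: line, password: '', malformed: true });
      continue;
    }
    result[current].push({ username: line.slice(0, idx), password: line.slice(idx + 1) });
  }
  return result;
}

// Per-template capture counts, e.g. for a dashboard badge.
function countEntries(parsed) {
  return Object.fromEntries(Object.entries(parsed).map(([id, rows]) => [id, rows.length]));
}

// Constructed sample in the documented format; the values are invented.
const SAMPLE_LOGS =
  '=== FACEBOOK LOGS ===\nusername1:password1\nuser2:p@ss:word\n\n' +
  '=== GOOGLE LOGS ===\nuser3:pass3\nnot-a-credential\n\n' +
  '=== PAYPAL LOGS ===\n\n';

console.log(JSON.stringify(countEntries(parseLogs(SAMPLE_LOGS))));
```

Fetch the blob with the /api/logs call shown under Example Usage and pass response.logs to parseLogs; in the sample, user2's password is recovered intact as p@ss:word, the PayPal section is present but empty, and the stray Google line is reported as malformed.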

Error Handling

Standard Error Response

{
  "error": "Error message description"
}

Common Error Codes

  • 400 Bad Request - Invalid request parameters
  • 404 Not Found - Resource not found
  • 500 Internal Server Error - Server-side error

Example Usage

JavaScript/Fetch

// Get dashboard data
const response = await fetch('/api/dashboard');
if (!response.ok) throw new Error(`dashboard request failed: ${response.status}`);
const data = await response.json(); // { templates: [...] }

// Deploy template
const deployResponse = await fetch('/api/build-scam', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ template: 'facebook' })
});
const deployment = await deployResponse.json(); // { success, message, localURL, publicURL, ... }
if (!deployResponse.ok || !deployment.success) throw new Error(deployment.message);

// Get logs
const logsResponse = await fetch('/api/logs');
const logs = await logsResponse.json();
console.log(logs.logs); // raw text blob in the Log Format described above

cURL

# Get dashboard
curl http://localhost:5000/api/dashboard

# Deploy template
curl -X POST http://localhost:5000/api/build-scam \
  -H "Content-Type: application/json" \
  -d '{"template":"facebook"}'

# Get logs
curl http://localhost:5000/api/logs

# Start Apache
curl -X POST http://localhost:5000/api/server/start

Python

import requests

BASE = 'http://localhost:5000'

# Get dashboard
response = requests.get(f'{BASE}/api/dashboard')
response.raise_for_status()
templates = response.json()['templates']

# Deploy template
deploy_response = requests.post(f'{BASE}/api/build-scam', json={'template': 'facebook'})
deployment = deploy_response.json()
if not deployment.get('success'):
    raise RuntimeError(deployment.get('message'))
print(deployment['publicURL'])

# Get logs
logs_response = requests.get(f'{BASE}/api/logs')
logs_response.raise_for_status()
logs = logs_response.json()['logs']  # raw text blob in the Log Format described above

Security Considerations

Current Security Status

  • ❌ No authentication required
  • ❌ No rate limiting
  • ❌ CORS allows all origins
  • ❌ No input validation
  • ❌ No HTTPS enforcement

Recommended Security Improvements

  1. Authentication: Implement JWT or session-based auth (at minimum a static bearer token checked on every request)
  2. Rate Limiting: Use express-rate-limit
  3. Input Validation: Use joi or express-validator, and accept only the documented action and template values
  4. HTTPS: Force HTTPS in production
  5. CORS: Restrict to specific origins (the React front end), never "*"
  6. Logging: Implement security event logging

For API support, visit our Discord: https://discord.gg/KcuMUUAP5T