fixed: handle all optional cookies for given domain #1155

Open: wants to merge 1 commit into base: master

Conversation


@callightmn callightmn commented Jan 13, 2025

This quick fix makes it possible, in the absence of an authorization URL, to mark all cookie tokens as optional for a given domain while still having other mandatory tokens, that is, HTTP or body tokens, or even non-optional cookie tokens for another domain.

Code analysis:

In the edge case where all cookie tokens are optional and no authorization URL is provided, Evilginx will indeed never consider the session as finished, since `AllCookieAuthTokensCaptured` will always return false. This is because the `tcopy` array will contain from the start (first `for` loop) an empty array which will never be deleted (second `for` loop). In the absence of an authorization URL, Evilginx currently stores sessions in the database only if this function returns true at some point, which means that in this case sessions will not be displayed even though all mandatory tokens have been captured.

Example:

```yaml
auth_tokens:
  - domain: 'akira.lab.evilginx.com'
    keys: ['token:opt']
    type: 'cookie'
  - domain: 'akira.lab.evilginx.com'
    path: '/me'
    name: 'name'
    search: '"name":"(.*)",'
    type: 'body'
```

Without the fix: [screenshot]

With the fix: [screenshot]

NB: In this case, the optional cookie is delivered before the (mandatory) body token, which is why it is displayed in the session information. If it had been delivered after the body token, it wouldn't have been displayed at all:

```yaml
auth_tokens:
  - domain: 'akira.lab.evilginx.com'
    keys: ['token:opt']
    type: 'cookie'
  - domain: 'akira.lab.evilginx.com'
    path: '/login'
    name: 'ticket'
    search: '"ticket":"([^"]*)"'
    type: 'body'
```

[screenshot]

In this last case, the only way to capture the optional cookie is to use an authorization URL.

@callightmn callightmn changed the title from "fixed: support optional cookie even if single one for domain" to "fixed: handle all optional cookies for given domain" on Jan 14, 2025