Apr. 01, 2004, 08:07 PM
Post: #1
Has anyone looked at how the excellent filtering capabilities of Proxomitron can be used to prevent PHISHING?

Apr. 01, 2004, 08:43 PM
Post: #2
There have been a TON of filters written to prevent it...
Here is but ONE of them...
The "match" may need adjusting per your config...

Name = "Insert:  No Phishing Script v1.4 {hpguru} (modified)"
Active = TRUE
URL = "$TYPE(htm)"
Limit = 12
Match = "(^(^<ProxHdrTop>))"
Replace = "<script type="text/jscript">\n"
"var msgA="WARNING! The url displayed in the Address bar does not match the actual url of the current site.\\n\\nYour current location is\\n\\n";\n"
"var msgB="\\n\\nThis site owner may be attempting to defraud you.";\n"
"var wl=window.location;\n"
"var lhref=wl.href;\n"
"var lhost=wl.hostname;\n"
"var realUrl=wl.protocol+"//"+lhost+lhref.substr(lhref.indexOf(lhost)+lhost.length);\n"
"var test1=lhref.indexOf(unescape('@'))!=-1;"
"var test2=(lhref!=realUrl);\n"
"if (test1&&test2)"

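(Note: the filter above is cut off as posted. It ends at the final `if` with no statement after it and no closing script tag, so it is incomplete.)

okay, one more...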
Name = "IE:  Alert if Current URL Using Address Bar Exploit {Paul} (modified)"
Active = TRUE
URL = "$TYPE(htm)"
Limit = 4096
Match = " (<!DOCTYPE*> |)\1"
Replace = "\1\r\n<script language="Javascript">\r\n"
"var pxUr1=location.href;\r\n"
"{var pxUuser=pxUr1.substring(0,pxUr1.indexOf("@"));\r\n"
" if(pxUuser.indexOf("%00")!=-1||pxUuser.indexOf("%01")!=-1||pxUuser.indexOf("")!=-1)\r\n"
" {if(pxUuser.indexOf("%00")!=-1)\r\n"
"  {pxUuser=pxUuser.substring(0,pxUuser.indexOf("%00"))}\r\n"
"  if(pxUuser.indexOf("%01")!=-1)\r\n"
"  {pxUuser=pxUuser.substring(0,pxUuser.indexOf("%01"))}\r\n"
"  if(pxUuser.indexOf("")!=-1)\r\n"
"  {pxUuser=pxUuser.substring(0,pxUuser.indexOf(""))}\r\n"
"  var pxAlert="*** WARNING! ***"
" \\n\\nIllegal characters were found in a 'user:[email protected]' authorization"
" in the browser's URL location for this webpage.  This exploit is"
" used to hide the real webpage location while 'spoofing' a different"
" domain in the address and status bars.  The fooled visitor is then"
" tricked into revealing sensitive information, such as passwords or"
" account numbers, to the disguised malicious site.  Internet Explorer"
" is vulnerable to this exploit."
" \\n\\nSpoofed Domain:\\n"+pxUuser+""
" \\n\\nACTUAL Domain:\\n"+location.protocol+"//"""
" \\n\\nACTUAL CURRENT URL:\\n"+location.protocol+"//"""
" \\n\\nExploit Link Used:\\n"+location.href;\r\n"
"  alert(pxAlert);\r\n"
"  top.location="http://local.ptron/Paul_HTML/killed2.html?WHY=$ESC(IE AddressBar Exploit)&URL=$ESC(\u)";\r\n"
" }\r\n"

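(Note: the filter above also looks incomplete as posted. The opening brace before `var pxUuser` is never closed and there is no closing script tag.)

still another...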
Name = "Fix:  Spoofed Address v6 {Kye-U}"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,</([a-z]+)>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "<a href="http://local.ptron/killed.html">[IE Address Bar Exploit Removed]</a>"
"$ALERT(Internet Explorer URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"

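one more, you say? (Note: the text "[email protected]" in the patterns below, and in the alert text of the "IE:  Alert if Current URL Using Address Bar Exploit" filter above, appears to be a page-rendering artifact that replaced part of the original text. The match expressions are not usable as shown.)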
Name = "Convert:  Fake URL in Address Bar v1 {ky-kazoo}"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "$NEST(<a\s,>)|$NEST(<input\s,>)"
Limit = 256
Match = "\0((href|onclick|onmousedown)=)\1$AVQ((*http://)\2[^/@][email protected]\3)\4"
Replace = "\0\1\2\3\4"

Name = "Convert:  Fake URL in Address Bar v2 {ky-kazoo}"
Active = TRUE
Multi = TRUE
URL = "$TYPE(htm)|$TYPE(js)"
Limit = 128
Match = "(https+://)\1("
"[^/][email protected]&*([%01]|%00|%01|\)"
Replace = "\1"
Apr. 01, 2004, 08:55 PM
Post: #3
Thank you ... much appreciated. Big Teeth