malware-alerts

HTML Opener - Can we use different elements in a condition?

Trying to do something real basic, but unfortunately I seem too dumb to get around to making it work.

I would like to use the HTML opener to extract the SCRIPT tag and the FORM tag and use both in a condition in order to show a block page when a certain combination of keywords & HTML attributes is present.

For example:

HTML Opener "TEST":

script  -- Only open start tags = FALSE

form -- Only open start tags = TRUE

Top level Rule "Warning to users"

Criteria: Connection.Protocol = HTTP

Applies to: RESPONSES / EMBEDDED OBJECTS

      1. Enable HTML Opener "TEST"
      2. body.text does not match "*username*" & body.text does not match "*password*"
        • Action: Stop RuleSet
      3. HTMLElement.Attribute "METHOD" matches "POST" & HTMLElement.Attribute "ACTION" does not match "https://*"
        • Action: Block + show block page "Credentials sent over HTTP"

This doesn't work the way I would like it to work. What basically happens when I look at the rule tracing is that the ruleset will first trigger on step 2 of the ruleset for the SCRIPT tag (combination of 'username' and 'password') but then when it evaluates the "HTMLElement.Attribute", it returns false because the current tag being evaluated is still the SCRIPT tag.

I would basically like to figure out a way to show a block page to the users when a page seems to be asking for credentials (username/password) with a form POST that is not over HTTPS. There are plenty of examples of phishing websites that will use a simple HTTP page asking the users for their credentials and then submit using a form POST over HTTP and unfortunately a lot of users fall for these basic phishing scams...

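The check described in the post, written as a whole-document scan so the keyword test and the FORM attribute test do not have to succeed on the same element. This is an added example in Python, not part of the original post and not Web Gateway rule syntax; the function names, the sample pages and the treatment of `body.text` as the raw response body are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

KEYWORDS = ("username", "password")  # keywords from step 2 of the rule in the post


class FormScanner(HTMLParser):
    """Remembers every FORM that POSTs to a non-HTTPS target while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_posts = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if a.get("method", "get").strip().lower() != "post":
            return
        # An empty, relative or //host ACTION inherits the page's scheme,
        # so resolve it against the page URL before judging it.
        target = urljoin(self.page_url, a.get("action", "").strip())
        if urlparse(target).scheme.lower() != "https":
            self.insecure_posts.append(target)


def insecure_post_targets(page_url, html):
    """Resolved ACTION URLs of all POST forms that would not submit over HTTPS."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure_posts


def should_block(page_url, html):
    # Step 2 stops the rule set only when neither keyword is present,
    # so a single keyword anywhere in the body (SCRIPT included) is enough.
    lowered = html.lower()
    has_keyword = any(k in lowered for k in KEYWORDS)
    return has_keyword and bool(insecure_post_targets(page_url, html))


# Constructed sample: keyword sits in a SCRIPT, the POST sits in a separate FORM.
SAMPLE = ('<script>var hint = "enter username";</script>'
          '<form method="POST" action="/login.php"><input type="text"></form>')

if __name__ == "__main__":
    print(should_block("http://example.test/", SAMPLE))
```

Because the form targets are collected for the whole document before the decision is made, the SCRIPT element that carries the keyword and the FORM element that carries the POST can be different tags.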