0 Replies Latest reply on Jan 19, 2015 3:09 PM by malware-alerts

    HTML Opener - Can we use different elements in a condition?

    malware-alerts

      Trying to do something real basic, but unfortunately I seem too dumb to get around to making it work.

       

      I would like to use the HTML opener to extract the SCRIPT tag and the FORM tag and use both in a condition in order to show a block page when a certain combination of keywords & HTML attributes is present.

       

      For example:

       

      HTML Opener "TEST":

      script  -- Only open start tags = FALSE

      form -- Only open start tags = TRUE

       

       

      Top level Rule "Warning to users"

      Criteria: Connection.Protocol = HTTP

      Applies to: RESPONSES / EMBEDDED OBJECTS

          1. Enable HTML Opener "TEST"
          2. body.text does not match "*username*" & body.text does not match "*password*"
            • Action: Stop RuleSet
          3. HTMLElement.Attribute "METHOD" matches "POST" & HTMLElement.Attribute "ACTION" does not match "https://*"
            • Action: Block + show block page "Credentials sent over HTTP"

       

       

      This doesn't work the way I would like it to work. What basically happens when I look at the rule tracing is that the ruleset will first trigger on step 2 of the ruleset for the SCRIPT tag (combination of 'username' and 'password') but then when it evaluates the "HTMLElement.Attribute", it returns false because the current tag being evaluated is still the SCRIPT tag.

       

      I would basically like to figure out a way to show a block page to the users when a page seems to be asking for credentials (username/password) with a form POST that is not over HTTPS. There are plenty of examples of phishing websites that will use a simple HTTP page asking the users for their credentials and then submit using a form POST over HTTP and unfortunately a lot of users fall for these basic phishing scams...
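
The check described in the post, written as a stand-alone Python sketch that keeps state per form instead of evaluating one tag at a time. This is an added example, not part of the original post and not Web Gateway rule syntax; `FormAudit`, `insecure_credential_forms` and the sample page are hypothetical names and constructed data, and resolving relative `action` values against the page URL goes slightly beyond the rule as posted.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

KEYWORDS = ("username", "password")  # same keywords as the rule in the post

# Constructed sample page: keywords in a SCRIPT tag, a harmless search form,
# and a login form that POSTs to a relative (therefore same-scheme) action.
SAMPLE = """<html><head><script>var hint = "enter username and password";</script></head>
<body><form method="get" action="/search"><input name="q"></form>
<form METHOD="post" ACTION="/auth"><input name="username">
<input type="password" name="pw"></form></body></html>"""

class FormAudit(HTMLParser):
    """Collects, per <form>, its method, resolved action and input fields."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.forms = []
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "form":
            self._open = {
                "method": a.get("method", "get").strip().lower(),
                # An empty or relative action inherits the page's own scheme.
                "action": urljoin(self.page_url, a.get("action", "").strip()),
                "fields": [],
            }
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_credential_forms(page_url, html):
    """Return resolved actions of credential forms that POST without HTTPS."""
    audit = FormAudit(page_url)
    audit.feed(html)
    audit.close()
    hits = []
    for f in audit.forms:
        asks_creds = any(t == "password" or any(k in n for k in KEYWORDS)
                         for t, n in f["fields"])
        if asks_creds and f["method"] == "post" and urlparse(f["action"]).scheme != "https":
            hits.append(f["action"])
    return hits
```

Because the keyword test and the method/action test are both evaluated against the same form record, keywords that appear only inside a SCRIPT tag never decide the outcome on their own.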