Phishing Prevention

Problem this snippet solves:

This iRule helps to cut down on Phishing and scraping attempts that might otherwise plague your network.

The example below shows how to detect suspicious requests whose Referer has not been authorized to use your site's content, and how to either block them outright or inject code into the HTTP response that hinders their ability to duplicate your site.

This is done in 3 separate steps:

  1. Define a list of valid referrers in the form of a class/data group. This is the list of sites that you expect to link to content on your site.
  2. Define a list (in the form of a class/data group) of file types that should not be linked to except by the referrers listed in item #1.
  3. Check whether an invalid referrer (one not in class #1) is trying to serve data from your site, and what kind of content it is trying to serve. If the request matches a file type in class #2, block it. If not, insert some custom code to help prevent phishing attempts.
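A plain-Python model of the three steps, added here as an example and not part of the original iRule, that replays constructed requests through the same decisions (prefix match on the Referer, substring match on the URI, injection only into text responses). It also surfaces two caveats of that matching a practitioner should know before deploying: a request with no Referer header is treated as unauthorized, and a bare prefix such as http://mydomain.com also matches http://mydomain.com.example. The hosts other than the page's own placeholder mydomain.com are constructed test data.

```python
# Added example, not from the original page: a plain-Python model of the
# iRule's three-step decision (allowed referrer list, blocked file types,
# drop-or-inject) so the outcomes can be checked before the data groups go
# live. mydomain.com and the file types are the page's own placeholders;
# every other host below is constructed test data.

VALID_REFERRALS = ("http://mydomain.com", "http://mydomain1.com")
FILE_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")


def referrer_is_valid(referer, valid_referrals=VALID_REFERRALS):
    """Step 1: 'matchclass ... starts_with'. A request without a Referer
    header yields the empty string, which matches no prefix, so browsers
    that suppress Referer are treated as unauthorized."""
    return any(referer.startswith(prefix) for prefix in valid_referrals)


def request_decision(method, uri, referer, valid_referrals=VALID_REFERRALS,
                     file_types=FILE_TYPES):
    """HTTP_REQUEST side: 'allow', 'discard', or 'candidate' (inject later
    if the response turns out to be text)."""
    if referrer_is_valid(referer, valid_referrals):
        return "allow"
    # Step 2/3a: 'matchclass [HTTP::uri] contains file_types' is a plain
    # substring test, so '.js' also matches '/data.json'.
    if method == "GET" and any(ext in uri for ext in file_types):
        return "discard"
    return "candidate"


def response_decision(request_result, content_type):
    """HTTP_RESPONSE side: step 3b, only text responses get the script."""
    if request_result == "candidate":
        return "inject" if content_type.startswith("text") else "allow"
    return request_result


def prefix_pitfall():
    """starts_with accepts any referrer that merely begins with an entry:
    'http://mydomain.com' also matches 'http://mydomain.com.example/'.
    Ending each entry with '/' (or listing the exact origin) closes that."""
    loose = referrer_is_valid("http://mydomain.com.example/", ("http://mydomain.com",))
    strict = referrer_is_valid("http://mydomain.com.example/", ("http://mydomain.com/",))
    return loose, strict
```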

Code:

# Supporting classes/data groups

# v9-10 example:
class valid_referrals {
  "http://mydomain.com"
  "http://mydomain1.com"
  "http://url1"
  "http://url2"
  "http://url3"
}

# v9-10 example:
class file_types {
  ".gif"
  ".jpg"
  ".png"
  ".bmp"
  ".js"
  ".css"
  ".xsl"
}

rule no_phishing {
  when HTTP_REQUEST {
    set respond 0
    # Don't allow the response to be chunked: downgrade to HTTP/1.0 so the
    # server sends a Content-Length that the response side can collect against.
    if {[HTTP::version] eq "1.1"} {
      if {[HTTP::header is_keepalive]} {
        # Preserve the persistent connection on the downgraded request.
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }

    # Step 3: a request whose Referer is not in the valid_referrals class
    # (a missing Referer counts as invalid) is either dropped or flagged.
    if { [matchclass [HTTP::header "Referer"] starts_with valid_referrals] < 1 } {
      if { ([HTTP::method] eq "GET") && ([matchclass [HTTP::uri] contains file_types] > 0) } {
        # Hotlinked asset from an unauthorized referrer: block it outright.
        discard
      } else {
        # Otherwise decide on the response once its Content-Type is known.
        set respond 1
      }
    }
  }

  when HTTP_RESPONSE {
    # Content-Type is a response header (GET requests seldom carry one), so
    # the text-only check belongs here. Only text responses get the script.
    if { $respond == 1 && [HTTP::header exists "Content-Type"] && \
         [HTTP::header "Content-Type"] starts_with "text" } {
      # Trigger collection for up to 1MB of data
      if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
        set content_len [HTTP::header "Content-Length"]
      } else {
        set content_len 1048576
      }
      # Only collect when there is a body to collect
      if { $content_len > 0 } {
        HTTP::collect $content_len
      }
    }
  }

  when HTTP_RESPONSE_DATA {
    # The tag searched for here was lost when the page was published (its
    # angle brackets were stripped); the closing body tag is assumed. Tcl's
    # "string first" has no -nocase option, so the payload is lower-cased.
    set marker "</body>"
    set bypass [string first $marker [string tolower [HTTP::payload]]]
    if { $bypass != -1 } {
      # Insert the frame-busting script immediately ahead of the marker.
      HTTP::payload replace $bypass 0 \
        "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n if (window.location.href.replace)\n top.location.replace(self.location.href);\n else\n top.location.href=self.location.href;\n }\n </script>\n"
    } else {
      HTTP::respond 500
    }
  }
}
Published Mar 18, 2015
Version 1.0
