
My Goal:

My hope is to catch pages and content that would be flagged by Google Safe Browsing or others like it, but more proactively than waiting for a crawl by Google or for the site to be added to a blacklist.

Basic Question:

Is there a resource that you are aware of for indicators of compromise on compromised sites?

My Scenario:

We are developing an in-house CMS to host very similar websites for a lot of existing customers on an older platform. One of the business requirements for the web platform is that content managers need to be allowed to add JavaScript for additional functionality. Basically, what I'm looking for is a way to check and make sure a web content manager is not, either with malicious intent or accidentally by using a tainted library, posting malicious JavaScript or malware on the website that we host for them.

I have tools to do dynamic analysis on the sites, which in turn do static analysis on JavaScript, but they're mostly worried about DOM XSS and vulnerabilities instead of searching for compromised sites. I can write the security check myself and integrate it with a hook on the CMS; I would just need a significant amount of data or examples of compromise that are not CMS-dependent (WordPress-, Joomla- or Drupal-specific). For instance, there is probably no need for the content manager of a site to reference a cookie in JavaScript with document.cookie, but if they do I would like to review how they're using it. We're using ClamAV to prevent uploading malicious software, but I won't be able to tell if they do a redirect (with window.location, for example) to point to an attacker's site hosting malicious software. A tool would be nice, but in the end I don't mind writing my own tool to hook into a content post and scrape the content for static analysis. For a more effective analysis, though, I would need a good resource with a lot of specific examples of compromised pages or sites so that I can write the security checks. I think I can also use the Google Safe Browsing API to do a similar check, except after the site has been flagged, so that we can notify the user and assist in cleanup.

Other thoughts:

Am I spinning my wheels here trying to be more proactive? Maybe the best choice would be to monitor if a site is on one or more blacklists of compromised sites and take action after.

Tony
  • I'm not clear on what your question is – schroeder Dec 16 '15 at 22:16
  • Hey Tony. I think what you're asking is a little too broad, and it's also a bit unclear to me what your question is. Can you refine, please? – Mark Buffalo Dec 16 '15 at 22:25
  • @schroeder, @Mark, Google Safe Browsing can flag content as "malicious". He wants a solution akin to that instead of relying on Google (Google Safe Browsing has a delay). – Pacerier Jan 26 '16 at 18:41
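As an added illustration (not code from the question or from any answer), a minimal content-post hook of the kind Tony describes: it flags document.cookie access, redirects to hosts outside an allowlist, external script includes and runtime code construction for human review rather than blocking them. The allowlist hosts and the sample post are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the hosted customer sites may legitimately load from or redirect to.
ALLOWED_HOSTS = {"www.example-customer.com", "cdn.example-customer.com"}

COOKIE_RE = re.compile(r"document\.cookie")
# window.location = "...", window.location.href = "...", top.location.replace("..."), ...assign("...")
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*"
    r"(?:=|\.(?:replace|assign)\s*\()\s*(['\"])(.*?)\1")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Building code at runtime is rare in hand-written site scripts but common in injected malware.
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode")

def _external(url):
    # Relative URLs and javascript: URLs have no host and are not treated as external.
    host = urlparse(url.strip()).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS

def scan_content(html):
    # Returns one finding per (rule, line) for a posted page, sorted by line number.
    findings, seen = [], set()
    def report(rule, match, detail):
        line = html.count("\n", 0, match.start()) + 1
        if (rule, line) in seen:
            return
        seen.add((rule, line))
        findings.append({"rule": rule, "line": line, "detail": detail})
    for m in COOKIE_RE.finditer(html):
        report("cookie-access", m, "script touches document.cookie; confirm the use is intended")
    for m in REDIRECT_RE.finditer(html):
        if _external(m.group(2)):
            report("external-redirect", m, "redirects visitors to " + m.group(2))
    for m in SCRIPT_SRC_RE.finditer(html):
        if _external(m.group(1)):
            report("external-script", m, "loads a script from " + m.group(1))
    for m in OBFUSCATION_RE.finditer(html):
        report("obfuscation", m, "builds code at runtime (eval/atob/fromCharCode)")
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample post: one allowed script include plus three things a reviewer should see.
SAMPLE_POST = """<h1>Welcome</h1>
<script src="https://cdn.example-customer.com/carousel.js"></script>
<script>
  if (document.cookie.indexOf("seen") < 0) { showBanner(); }
  window.location.href = "https://not-our-domain.invalid/update.exe";
  eval(atob(encoded));
</script>
"""
```

Calling scan_content(SAMPLE_POST) yields three findings (cookie access on line 4, an external redirect on line 5, obfuscation on line 6); the allowed CDN include is not reported.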
