
I don't know much about content injection so I'm hoping to draw on the experience of the community here. I'm writing a tool that evaluates public web proxies. I want to know if the proxies are being used for content injection and other attacks. I.e. to determine if they are injecting malware, phishing attacks, or spam into the page being requested via the proxy. I need to determine which ones I can trust to use myself. I'm the only client.

To do this, I want to make a webpage that is the biggest target possible (AKA honeypot) in order to encourage the proxies to do their content injection if they do it at all. I'd like to know if there are certain keywords, content, or ways to structure a web page that will encourage content injection. For example, I could have phrases like 'hot girls' in order to encourage porn and viagra advertisements. Or have frames and iframes in the body of the page in order to give the attackers a place to put the content.

At my end I will compare what was returned by the proxy with what I expect in order to determine if the proxy is changing the content at all.

I already check to see if certificates are changed. I mostly care about the fidelity of the page content.

What else should I do?

  • There are way too many questions being asked in this one thread, and many of the questions are overly broad. Please narrow your scope significantly. – Iszi Dec 12 '13 at 20:13
  • This sounds like a good question to form the basis of a graduate research project, but it's not a good fit for the StackExchange Q&A format. – Xander Dec 12 '13 at 20:29
  • It's too bad I'm not an information security graduate student. I'm not even trained in security. I'm a professional asking other professionals for a list of elements to include in a honeypot. There are a lot of question marks in this post but it is essentially one question. I get this type of feedback every time I ask a difficult question on SE. Besides, there is no other site on the web that can field this type of question. I would think the community would be happy to hear a security question that can't be answered anywhere else but here. – stuckintheshuck Dec 12 '13 at 21:48
  • There. Now there is only a single question mark in the whole question. – stuckintheshuck Dec 12 '13 at 21:56
  • I still can't tell if you're asking how to increase your honeypot's footprint and make it a more tempting target, or ways to detect illegal content and how to track offending clients later on in your WAF? Can you please clarify more what you're already doing so far and what exactly do you need our input with? Cheers! – TildalWave Dec 13 '13 at 01:25
  • @TildalWave I made some edits. Hopefully this clears things up. I'm vetting web proxies for my own personal use. No WAF, no other clients. paj28 seems to have understood the original question completely. – stuckintheshuck Dec 16 '13 at 17:15
  • @stuckintheshuck Cool, thanks for clarification! Voting to reopen ;) – TildalWave Dec 16 '13 at 17:27

1 Answer


Interesting project.

I expect most proxies that do modify will blindly modify every page, so they can easily be detected.

Some proxies may target specific sites, e.g. http://important-bank.com/. You will only be able to detect this by requesting the actual bank's site through the proxy, and comparing it to a version you request directly.

I've also heard ideas of poisoning JavaScript libraries on public CDNs (e.g. Google Hosted Libraries), with a twist being setting a long cache validity time. These would be worth a look.

paj28
  • I will add a list of links to the 150 largest banks. This can be found here: http://onlinebankingreport.com/resources/100.html – stuckintheshuck Dec 12 '13 at 22:19
  • @stuckintheshuck cool! Bear in mind that many of the banks will have multiple online banking systems. And non-banks are good targets too. You can get an idea of ones to target by looking at malware analysis reports. For example, this link shows a captured webinjects.txt from the Zeus trojan. http://soltravelweb.com/administrador/.tmp/Spy/builder/webinjects.txt – paj28 Dec 12 '13 at 22:36
  • What software was used to create that file? This looks very interesting. – stuckintheshuck Dec 16 '13 at 17:22
  • @stuckintheshuck It has been captured from the Zeus trojan - they will have analysed an infected machine and found the file. So it has actually been created by the evil brains who created the trojan. – paj28 Dec 16 '13 at 18:07
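The comparison step the answer describes (fetch the page directly, fetch it through the proxy, diff the two) can be made more useful than a raw byte comparison by extracting only the elements an injecting proxy would add. The script below is an added example, not code from the question or the answer: it uses only the standard library, and the two HTML strings are constructed samples standing in for a direct fetch and a fetch through the proxy under test.

```python
from html.parser import HTMLParser

# Elements worth fingerprinting: active content and anything that pulls in
# or points to an external resource, which is what injected ads/malware use.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed",
               "link", "meta", "form", "a", "img"}


class _TagCollector(HTMLParser):
    """Collect (tag, sorted attributes) for ACTIVE_TAGS plus inline script text."""
    def __init__(self):
        super().__init__()
        self.items = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.items.append((tag, tuple(sorted((k, v or "") for k, v in attrs))))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.items.append(("script-body", data.strip()))


def fingerprint(html):
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.items


def injected_items(baseline_html, proxied_html):
    """Return elements present in the proxied copy but absent from the baseline."""
    extra = list(fingerprint(proxied_html))
    for item in fingerprint(baseline_html):
        if item in extra:
            extra.remove(item)  # multiset difference keeps legitimate duplicates
    return extra


# Constructed sample: the honeypot page as served directly, and the same page
# with a script and a hidden iframe appended by a hypothetical tampering proxy.
BASELINE = """<html><head><title>Honeypot</title>
<script src="/static/app.js"></script></head>
<body><p>Welcome</p><a href="/login">Log in</a></body></html>"""
PROXIED = BASELINE.replace(
    "</body>",
    '<script src="http://ads.example.invalid/inj.js"></script>'
    '<iframe src="http://ads.example.invalid/f" width="0" height="0"></iframe></body>')

if __name__ == "__main__":
    for tag, detail in injected_items(BASELINE, PROXIED):
        print("INJECTED", tag, detail)
```

Pages with legitimately dynamic markup (per-request tokens, rotating first-party ads) will show up as differences too, so the baseline should be fetched from your own static honeypot page where every element is known in advance.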