Sync from PR#2330

Create open_redirect_designsori.yml by @zoomequipd #2330 Source SHA 93d2237 Triggered by @zoomequipd
sublime-security · Jan 24, 2025 · 7add049 · 7add049
1 parent ac2f685
commit 7add049
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/detection-rules/open_redirect_designsori.yml b/detection-rules/open_redirect_designsori.yml
@@ -3,7 +3,7 @@ description: |
   Message contains use of the designsori.com open redirect. This has been exploited in the wild.
 type: "rule"
 severity: "medium"
-source: "type.inbound\nand any(body.links,\n        .href_url.domain.root_domain == \"designsori.com\"\n        and strings.icontains(.href_url.path, 'redirect.php')\n        and regex.icontains(.href_url.query_params, 'url=(?:https?|(?:\\/|%2f)(?:\\/|%2f))')\n        and not regex.icontains(.href_url.query_params, 'url=[^\\&]*designsori\\.com') \n\n)\nand not sender.email.domain.root_domain == \"designsori.com\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+source: "type.inbound\nand any(body.links,\n        .href_url.domain.root_domain == \"designsori.com\"\n        and strings.icontains(.href_url.path, 'redirect.php')\n        and regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}')\n        and not regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*designsori\\.com(?:\\&|\\/|$)') \n\n)\nand not sender.email.domain.root_domain == \"designsori.com\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"
@@ -14,4 +14,4 @@ detection_methods:
   - "URL analysis"
 id: "4c38ff47-4709-5ab9-963c-eabc0732800e"
 testing_pr: 2330
-testing_sha: f9ca9e8e937c5ecff6cfece598f45b05de853841
+testing_sha: 93d22378f46bbdb8c133f296a6f5bef3bd8018cf