Skip to content

Commit

Permalink
Sync from PR#2330
Browse files Browse the repository at this point in the history 
Create open_redirect_designsori.yml by @zoomequipd
#2330
Source SHA f9ca9e8
Triggered by @zoomequipd
  • Loading branch information
Sublime Rule Testing Bot committed Jan 23, 2025
1 parent 0419685 commit ac2f685
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions detection-rules/open_redirect_designsori.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: "Open Redirect: designsori.com"
description: |
Message contains use of the designsori.com open redirect. This has been exploited in the wild.
type: "rule"
severity: "medium"
source: "type.inbound\nand any(body.links,\n .href_url.domain.root_domain == \"designsori.com\"\n and strings.icontains(.href_url.path, 'redirect.php')\n and regex.icontains(.href_url.query_params, 'url=(?:https?|(?:\\/|%2f)(?:\\/|%2f))')\n and not regex.icontains(.href_url.query_params, 'url=[^\\&]*designsori\\.com') \n\n)\nand not sender.email.domain.root_domain == \"designsori.com\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "4c38ff47-4709-5ab9-963c-eabc0732800e"
testing_pr: 2330
testing_sha: f9ca9e8e937c5ecff6cfece598f45b05de853841

0 comments on commit ac2f685

Please sign in to comment.