palantir / phishcatch


A browser extension and API server for detecting corporate password use on external websites

Home Page: https://github.com/palantir/phishcatch/wiki

License: Apache License 2.0

Dockerfile 0.03% Python 1.14% Shell 0.01% JavaScript 0.86% CSS 68.66% HTML 0.21% TypeScript 29.10%

phishcatch's People

Contributors: carbureted, cryps1s, dependabot[bot], primarytyler, slw07g, svc-excavator-bot


phishcatch's Issues

Mention that you must build extension before packing it

I was trying to follow this wiki step:

https://github.com/palantir/phishcatch/wiki/Installing-the-extension#building-and-installing-from-source

Download the source code from this repo.
In Chrome, open chrome://extensions/ and enable the "Developer mode" toggle in the top right.
Click the "Pack extension" button and select the extension folder from your local copy of this repo as the "Extension root directory".

Specifically, here's what I did

  1. Cloned the phishcatch repo from GitHub
  2. Clicked Pack Extension and selected my phishcatch/extension folder locally

However, I kept getting a "manifest file not found" error.

Through trial and error I learned that the instructions are misleading, and here's what I need to do:

  1. Clone the phishcatch repo
  2. Go into extension and run yarn install and yarn build
  3. Click Pack Extension and choose the resulting phishcatch/extension/dist folder

Let's update the wiki page with the up-to-date instructions, no?

I would create a PR but I can't as this is a wiki page!

[Security] Domain verification could be easily bypassed

Summary

While giving a quick look to the code I noticed that the hostMatches function used to verify if a given host is in the config.enterprise_domains array is weak and could be easily bypassed.

Description

While visiting a website, the extension reads the current hostname and calls the getDomainType function in order to decide whether, among other things, a green badge should be displayed, indicating that the website is a corporate one and should be trusted.

Under the hood, getDomainType calls hostMatches:

function hostMatches(host: string, domainList: string[]) {
  return domainList.some((domain) => {
    // Exact match against a configured enterprise domain
    if (domain === host) {
      return true
    }
    // Wildcard entry such as "*.google.com" (starRegexp is defined elsewhere in the extension)
    if (starRegexp.exec(domain)) {
      const domainWithoutStar = domain.replace('*.', '')
      // Unescaped suffix regex: any host whose string ends with the base domain matches
      const mainDomainRegex = new RegExp(`.*?${domainWithoutStar}$`)
      return mainDomainRegex.test(host)
    }
    return false
  })
}

It basically loops over all the domains stored in config.enterprise_domains and:

  • If the stored domain matches the visited one, it returns true.
  • If the stored domain is a wildcard one (i.e. *.google.com), it checks that the visited one ends with the wildcard domain without the "*." prefix.

This approach is very weak because it would mark as an enterprise domain any domain ending with (in my example) google.com (e.g. nomoregoogle.com).
It should also be pointed out that using fake domains ending with the legitimate one is a very common phishing technique.

PoC

  1. Install the Phishcatch extension
  2. Set as enterprise_domains: ["*.google.com"]
  3. Visit https://nomoregoogle.com
  4. Notice that the green badge on the Phishcatch extension appears

Addendum

While writing this issue I also realized that, as enterprise_domains are treated as a RegExp, the . character is evaluated as a wildcard. This means that if enterprise_domains contains ["*.nomor.google.com"], then nomoregoogle.com would be matched as an enterprise domain.
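
The following is an added example, not code from the phishcatch project: the matcher as quoted in this issue next to a stricter version that compares hostnames on label boundaries and never builds a RegExp from configuration, so both the suffix bypass and the unescaped-dot problem go away. It assumes that enterprise_domains entries are either exact hostnames or wildcard entries of the form "*.example.com", and (as a design choice, matching what the original regex did) that a wildcard entry also covers the bare base domain.

```typescript
// Added example (not phishcatch project code): weak vs. strict enterprise-domain matching.
// Assumption: entries are exact hostnames or "*.base.domain" wildcards, as in the issue.

// Normalise case and a trailing dot so "MAIL.Google.com." compares equal to "mail.google.com".
function normalizeHost(host: string): string {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// The matcher quoted in the issue, reproduced so the two behaviours can be compared.
// Any host whose string merely ends with the base domain matches, and "." in the
// configured entry acts as a regex wildcard.
function hostMatchesWeak(host: string, domainList: string[]): boolean {
  return domainList.some((domain) => {
    if (domain === host) return true;
    if (/^\*\./.test(domain)) {
      const domainWithoutStar = domain.replace("*.", "");
      return new RegExp(`.*?${domainWithoutStar}$`).test(host);
    }
    return false;
  });
}

// Stricter matcher: plain string comparison on DNS label boundaries, no RegExp.
// "*.google.com" matches "google.com" and "x.google.com" but not "nomoregoogle.com".
function hostMatchesStrict(host: string, domainList: string[]): boolean {
  const h = normalizeHost(host);
  return domainList.some((entry) => {
    const d = normalizeHost(entry);
    if (d.startsWith("*.")) {
      const base = d.slice(2);
      // Either the base domain itself or something that ends with ".base": the
      // leading dot forces the match to start at a label boundary.
      return h === base || h.endsWith("." + base);
    }
    return h === d;
  });
}

// Constructed sample hosts: the two cases from the issue plus a legitimate subdomain.
const sampleHosts = ["nomoregoogle.com", "mail.google.com", "google.com"];
for (const h of sampleHosts) {
  console.log(
    h,
    "weak:", hostMatchesWeak(h, ["*.google.com", "*.nomor.google.com"]),
    "strict:", hostMatchesStrict(h, ["*.google.com", "*.nomor.google.com"])
  );
}
```

Both functions expect a bare hostname, so the caller still has to pass `new URL(location.href).hostname` rather than the full URL; the strict version also tolerates configuration entries with mixed case or whitespace, which the original exact-equality branch did not.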

Active development?

Love the concept - exactly what I was looking for, but development seems to have stopped, correct?
Is the Firefox extension still in development?

Create a community slack/discord/spectrum group

Hi, it would be great to have a place to discuss phishcatch and potentially collaborate on new functionality through a group like Slack, Discord, or Spectrum, like other OSS projects have!

Support Configurable Server Alert Path

Problem

Currently, clients use {{ server }}/alerts for sending new alert info. If an organization would rather not install & manage the server component but instead receive alerts directly in another tool, then for many generic webhook utilities or HTTP Event Collectors (Splunk and SumoLogic are two offhand examples) appending a path of /alerts adds an extra step which can sometimes be cumbersome.

Proposed Solution

Allow for clients to send to just the base endpoint to support more generic webhook type solutions.

curl statement to test webhook fails

The test curl statement to check whether the webhook is configured properly always responds with "Couldn't send stack alert", even though the Slack webhook is configured properly in the Dockerfile. I am running the server locally. The curl statement to get the server status returns healthy. Not sure why I can't curl the Slack app.

Connecting extension to alerting server not working

Here's my debug configuration:

[Screenshot: Screen Shot 2021-06-17 at 6 42 47 PM]

As you can see, I've set the phishcatch server URL to an ngrok site which points to localhost:8000. I am running the server locally on port 8000 using PRESHARED_KEY=MYPSK123 dev.sh

I am able to trigger phishcatch browser notifications, however I am not seeing any alerts logged by my alert server.

What do I need to do to get the extension and server to cooperate?

[enhancement] Adding Parameter in config for better Username Detection.

Add a new parameter to the debug configuration which takes a string as input: idusername
This string should be the value of the id attribute on the main page used to detect the username.

for example, a main login page with the html code :
<input class="mdc-text-field__input pwd" type="password" id="pwd_pass" size="25" name="password" value="">

The parameter isUsername should then be pwd_pass, so the extension can automatically capture the username at login and store it for better logging/information.

The new code in content.js could, for example, look like:

function runUsernameScraper() {
  // IdUsername would be read from the new debug configuration parameter
  const username = <HTMLInputElement>document.getElementById(IdUsername)
  if (username != null) {
    return username.value
  }
}

Support alternate configurations to send data

It would be very useful to simply specify in the config file that I want alerts to ship out via syslog, or just give it an Elasticsearch API endpoint to send data to - either way, I'd like to play around with getting these alerts and metadata into a Security Onion instance. I know this is something that could probably be easily cobbled together on the API server, but nonetheless it would be nice to see OOB.

Update to Manifest V3?

Amazing project, any plans to update this to Manifest V3? It looks like it drops support for DOM access and I'm not sure how that will affect the feasibility of the project.

False positives with the checkDOMHash function

Hello,

Thank you for this amazing project!
We encounter false positives with the domhash capability of the extension.
They come from the checkDOMHash function.

Some users trigger potential phishing alerts of type 'domhash' on different URLs that seem unrelated to the enterprise page we want to protect.
Could you share hints on how I could proceed to debug this?

For now, we implemented a new option ('display_domhash_alerts') in config.ts so that users do not see the alerts while we still receive them on the server side, quite useful.

Thanks!
