palantir / phishcatch
A browser extension and API server for detecting corporate password use on external websites
Home Page: https://github.com/palantir/phishcatch/wiki
License: Apache License 2.0
Here's my debug configuration:
As you can see I've set the phishcatch server URL to an ngrok site which points to localhost:8000. I am running the server locally on port 8000 using PRESHARED_KEY=MYPSK123 dev.sh
I am able to trigger phishcatch browser notifications, however I am not seeing any alerts logged by my alert server.
What do I need to do to get the extension and server to cooperate?
Amazing project, any plans to update this to Manifest V3? Looks like it drops support for DOM access and I'm not sure how that will affect the feasibility of the project.
The test curl statement to see if the webhook is configured properly automatically responds with "Couldn't send stack alert". Even though slack webhook is configured properly in the dockerfile. Running the server locally. Curl statement to get server status returns as healthy. Not sure why I can't curl the slack app.
Love the concept - exactly what I was looking for, but the development seems to have stopped, correct?
Is the Firefox extension still in development?
Detect username/password pairs on generic login forms
On submit, check for enterprise account ([email protected])
If enterprise account, check password complexity
If password complexity is below configurable requirement, send an alert with domain/username
Support a configurable list of forbidden passwords, eg "admin"
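The checks requested above, worked through as an added example that is not phishcatch's own code: a pure function takes the submitted username/password pair, decides whether the account belongs to an enterprise domain, and, if it does, applies a configurable complexity requirement and a forbidden-password list before producing an alert that carries only the domain and username. The policy object, the thresholds and the function names are assumptions, and the sample domain is constructed.

```javascript
// Added example (not phishcatch's own code). Policy values are assumptions;
// the enterprise domain is a constructed sample.
const policy = {
  enterpriseDomains: ['example.com'],
  minLength: 12,
  minCharClasses: 3, // out of: lower, upper, digit, symbol
  forbiddenPasswords: ['admin', 'password', 'welcome1'],
};

// True when the username is an e-mail address on an enterprise domain or one
// of its subdomains. The explicit '.' keeps "notexample.com" from matching.
function isEnterpriseAccount(username, enterpriseDomains) {
  const at = username.lastIndexOf('@');
  if (at < 0) return false;
  const domain = username.slice(at + 1).toLowerCase();
  return enterpriseDomains.some((d) => domain === d || domain.endsWith('.' + d));
}

// Number of distinct character classes present in the password.
function countCharClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
}

// Evaluate one form submission. Returns null when no alert is warranted,
// otherwise an alert object. The password itself is never included.
function evaluateSubmission(formDomain, username, password, cfg = policy) {
  if (!isEnterpriseAccount(username, cfg.enterpriseDomains)) return null;
  const reasons = [];
  if (cfg.forbiddenPasswords.includes(password.toLowerCase())) reasons.push('forbidden_password');
  if (password.length < cfg.minLength) reasons.push('too_short');
  if (countCharClasses(password) < cfg.minCharClasses) reasons.push('insufficient_complexity');
  if (reasons.length === 0) return null;
  return { domain: formDomain, username, reasons };
}

// Usage: a weak enterprise password submitted on an external login page.
console.log(evaluateSubmission('login.external-site.test', 'alice@example.com', 'admin'));
```

The ordering matters for reporting: the forbidden list is checked first because a listed password is a policy violation regardless of its length, and the length and class checks are reported separately so the alert explains which requirement failed.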
Add a new parameter in the debug configuration which takes a string as input: idusername
This string should be the value of the id on the main page, to detect the username.
For example, a main login page with the HTML code:
<input class="mdc-text-field__input pwd" type="password" id="pwd_pass" size="25" name="password" value="">
The parameter isUsername should be pwd_pass; then the extension can automatically take the username when logging in and store it for better logging/information.
New code should have, for example, in content.js:
    // Read the username field identified by the configured element id
    function runUsernameScraper() {
      const username = <HTMLInputElement>document.getElementById(IdUsername)
      if (username != null) {
        return username.value
      }
    }
Having logging to support the identification of partial vs complete credential reuse detections as well as the length of partial match detections would provide helpful context in responding to PhishCatch detections.
Hello,
Thank you for this amazing project !
We encounter false positives with the domhash capabilities of the extension.
It lies in the checkDOMHash function.
Some users trigger potential phishing alerts of type 'domhash' on different URLs that seem unrelated to the enterprise page we want to protect.
Could you share hints on how I could proceed to debug this?
For now, we implemented a new option ('display_domhash_alerts') in config.ts so that users do not see the alerts while we still receive them on the server side, quite useful.
Thanks!
hi, would be great to have a place to discuss phishcatch and potentially collaborate on new functionality through a group like slack, discord, or spectrum, like other OSS projects have!
While giving a quick look at the code I noticed that the hostMatches function used to verify if a given host is in the config.enterprise_domains array is weak and could be easily bypassed.
While visiting a website the extension reads the current hostname and calls the getDomainType function in order to understand if, among other things, a green badge should be displayed or not, indicating that the website is a corporate one and should be trusted.
The getDomainType function calls under the hood the hostMatches:
phishcatch/extension/src/lib/getDomainType.ts, lines 34 to 47 in 07b0b35
It basically loops over all the domains stored in config.enterprise_domains and, for a wildcard entry (for example *.google.com), it checks that the visited one ends with the wildcard domain without the *. prefix. This approach is very weak because it would mark as an enterprise domain any domain ending with (in my example) google.com (i.e. nomoregoogle.com).
It should also be pointed out that using fake domains ending with the legit one is a very common phishing technique.
enterprise_domains: ["*.google.com"]
While writing this issue I also realized that as enterprise_domains are treated as RegExp, the . character is evaluated as a wildcard. This means that if the enterprise_domains contains ["*.nomor.google.com"] then nomoregoogle.com would be matched as an enterprise domain.
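The two weaknesses described in this issue (a bare suffix check and an unescaped RegExp) beside a hardened matcher, as an added example that is not phishcatch's own code. hostMatchesWeak is a reconstruction of the behaviour the issue describes, not the project's function; hostMatchesStrict compares whole DNS labels, so a wildcard entry matches the base domain and its subdomains only, and it never builds a RegExp from the configuration, so no metacharacter escaping is needed. Function names and the example domains are assumptions.

```javascript
// Added example (not phishcatch's own code). Function names are assumptions.

// Reconstruction of the weak behaviour the issue describes: strip the "*."
// prefix and test the remainder as an unescaped RegExp anchored at the end.
function hostMatchesWeak(host, pattern) {
  const suffix = pattern.startsWith('*.') ? pattern.slice(2) : pattern;
  return new RegExp(suffix + '$').test(host);
}

// Hardened matcher: exact label comparison, no RegExp construction.
// "*.base" matches base itself and any subdomain of base; a plain entry
// matches only that exact host. Case and a trailing dot are normalised.
function hostMatchesStrict(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '');
  const p = pattern.toLowerCase().replace(/\.$/, '');
  if (p.startsWith('*.')) {
    const base = p.slice(2);
    return h === base || h.endsWith('.' + base);
  }
  return h === p;
}

// Convenience wrapper over a configured list, as getDomainType would use it.
function isEnterpriseHost(host, enterpriseDomains) {
  return enterpriseDomains.some((pattern) => hostMatchesStrict(host, pattern));
}

// Usage: constructed configuration and hostnames.
const enterpriseDomains = ['*.google.com', '*.nomor.google.com'];
for (const host of ['mail.google.com', 'nomoregoogle.com', 'google.com']) {
  console.log(host, 'weak:', hostMatchesWeak(host, '*.google.com'),
              'strict:', isEnterpriseHost(host, enterpriseDomains));
}
```

Whether the apex domain (google.com for *.google.com) should count as enterprise is a policy decision; the strict matcher above includes it, and dropping the `h === base` clause excludes it without affecting the label-boundary fix.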
FastAPI 0.65.2 has changed their methods to parse JSON data.
The commands in the wiki (triggering an alert, etc.) aren't working, and probably some code in the application.
(Error: invalid_dict)
A solution is to downgrade to fastAPI 0.65.1 while waiting for a better version.
Original issue in the fastAPI git:
https://www.gitmemory.com/issue/tiangolo/fastapi/3373/861173889
Problem
Currently, clients will use {{ server }}/alerts for sending new alert info. If an organization would rather not install & manage the server component but instead receive alerts directly in another tool, then for many generic webhook utilities or HTTP Event Collectors (Splunk and SumoLogic are two offhand examples) appending a path of /alerts would add an extra step which can sometimes be cumbersome.
Proposed Solution
Allow for clients to send to just the base endpoint to support more generic webhook type solutions.
I was trying to follow this wiki step:
Download the source code from this repo.
In Chrome, open chrome://extensions/ and enable the "Developer mode" toggle in the top right.
Click the "Pack extension" button and select the extension folder from your local copy of this repo as the "Extension root directory".
Specifically, here's what I did: I selected the phishcatch/extension folder locally. However I kept getting a "manifest file not found" error.
Through trial and error I learned that the instructions are misleading, and here's what I need to do: go into extension and run yarn install and yarn build, then select the phishcatch/extension/dist folder.
Let's update the wiki page with the up to date instructions, no?
I would create a PR but I can't as this is a wiki page!
Let's do the thing.
So I know you can configure phishcatch using the instructions here
However, I am setting up phishcatch on my personal browser on my Mac. I've installed from the Chrome web store. I don't have Jamf Pro and have no intentions to get one for personal use :). Is there any way I can configure phishcatch?
It would be very useful to simply specify in the config file that I want alerts to ship out via syslog or just give it an Elasticsearch API endpoint to send data to - either way I'd like to play around with getting these alerts and metadata into a Security Onion instance. I know this is something that could probably be easily hobbled together on the API server but nonetheless would be nice to see OOB.