
I'm trying to publish some Threat Intelligence URLs/domains on my website (using a simple PHP/HTML table), pulled from public repositories.

When the webpage is opened, some forward proxy devices block the request as an "Embedded malicious link", which is true, but I don't have a choice. I can open the webpage from which I pull these malicious websites, and that one is not blocked:

https://ransomwaretracker.abuse.ch/downloads/TC_DS_URLBL.txt

I can open the page from a non-proxied host and have verified that none of them are embedded links.

I tried creating an href that links within the website rather than going out to the malicious website, but still no luck.

What is a good way to mask them and publish?

Karthik
  • You could write an empty table from PHP and add some JavaScript code that sends an AJAX request to the txt file URL from the client browser, then populates the table with the lines in the file. Would that help get around the proxy ban? – macl Sep 16 '16 at 08:04
  • Yes, that's an option. I'm wondering how a webpage with a normal text file passes through. – Karthik Sep 16 '16 at 09:12

1 Answer


The best way to "mask them" for publishing is to do what I like to call 'defanging' them: writing the indicator itself in a way that will not be considered a malicious link.

Taking an example from the article below, if you have oracle0876634.javaplugin.com as an indicator, you may publish it as oracle0876634[.]javaplugin[.]com. For URLs, it is common to change http:// to hXXp://. Thus, http://google.com (which may be considered an "Embedded malicious link") becomes hXXp://google.com or hXXp://google[.]com (which will not be considered a link).

Step 3 of this article describes defanging: http://kb.threatconnect.com/customer/en/portal/articles/2090342-analyzing-unstructured-data

Floyd
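A worked version of the defanging the answer describes, combined with macl's suggestion of building the table on the client, as an added example that is not part of the original question or answer and is not code from abuse.ch or ThreatConnect. It assumes a one-indicator-per-line text feed like the one linked in the question; the feed content below is constructed sample data, not the real file. Beyond the answer's two substitutions (hXXp:// and [.]), it also neutralises other schemes with "[:]//", provides the reverse refang() for analysts, and escapes each indicator before it goes into a `<td>`, because a threat feed is untrusted text and must never reach the page as markup or as an `<a href>`.

```javascript
// Added example (not from the original post): defang indicators before they are
// published in an HTML table, and refang them again on demand.
// Constructed sample feed in the shape of a plain-text URL blocklist; it is not
// the real ransomwaretracker.abuse.ch download.
const SAMPLE_FEED = [
  "# Ransomware Tracker URL blocklist (constructed sample)",
  "http://oracle0876634.javaplugin.com/install.php",
  "https://example-bad.test/payload.exe",
  "ftp://198.51.100.23/drop/",
  "badhost.example.test",
  "192.0.2.45",
  "",
].join("\n");

// Split a text feed into indicators, dropping blank lines and '#' comments.
function parseFeed(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("#"));
}

// Defang one indicator so that neither the scheme nor the host parses as a
// link: http:// -> hXXp://, https:// -> hXXps://, any other scheme gets
// "[:]//" in place of "://", and every dot becomes "[.]".
function defang(indicator) {
  const s = indicator.trim().replace(/^([a-z][a-z0-9+-]*):\/\//i, (m, scheme) =>
    /^https?$/i.test(scheme)
      ? "hXX" + scheme.toLowerCase().slice(3) + "://"
      : scheme + "[:]//"
  );
  return s.replace(/\./g, "[.]");
}

// Reverse of defang(), for an analyst who wants the raw value back.
function refang(indicator) {
  return indicator
    .replace(/\[\.\]/g, ".")
    .replace(/\[:\]\/\//g, "://")
    .replace(/^hxxp(s?):\/\//i, "http$1://");
}

// Minimal HTML escaping so feed text can only ever be rendered as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build table rows. Each indicator is emitted as escaped, defanged text inside
// a <td>, never as an <a href>: a line in the feed is attacker-influenced input,
// so inserting it as markup would hand the feed's author a stored XSS on your page.
function renderRows(indicators) {
  return indicators
    .map((i) => `<tr><td>${escapeHtml(defang(i))}</td></tr>`)
    .join("\n");
}

// Demo: what the page would emit for the sample feed.
console.log(`<table>\n${renderRows(parseFeed(SAMPLE_FEED))}\n</table>`);
```

In the browser version macl suggested, fetch the feed with `fetch()`/XMLHttpRequest, run the text through `parseFeed` and `renderRows`, and assign the result to the table's `innerHTML`; since `renderRows` escapes every cell, that assignment stays safe. If the proxy still flags the page, it is inspecting the raw response rather than rendered links, and server-side defanging (the same functions run in PHP before the HTML is generated) is the fallback.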