This is server for PhishermansFiend chrome extension.
Research about the phishing can be found here https://github.com/WallDev/PhishermansFiendExtension
The server is part of http://github.com/WallDev/PhisermansFiendExtension project. Written on golang and prepared for go 1.8 with it's plugin support the server is very fast and reliable. It can run lots of checks in paralel at very low overhead cost as goroutines are very cheap.
main.go- an entry point to application. It sets up handlers and waiting for connection.handlers.go- a handlers collection, provides views to the applicationcheckers.go- checks conection and utilities functions. After go 1.8 release should be separated to plugins and helpers. Currently 2 checks exists, one levenshtein distance counter to find malicious links and the other dummy checker which hangs for random time to simulate lag and return random result for debugging.danger.tmpl- a template for page that shown when extension redirects due to phishing website
- Before browser makes a request to the domain that user asked for, extension sends request to the server and it checks the domain with whitelist and if not found in blacklist.
- If the domain is not whitelisted or blacklisted - starts checks on the website that the user requested and responding to extension to load the website.
- Extension unblock the original request and allows browser to load the website while disabling all input method on the page to not to allow user to input data into non-checked website
- While the server is running the checks the extensions runs it own set of checks on client side. This checks are lightweight and should not produce lag unlike the possibly long running checks on server. Currently implemented checks are:
- Checks the server have real domain name. If this is an IP address responde with high severity. Ignored addresses are those that begin with
192.168and127.0.0.1. - Checks the urls on site for dangerous matches.
- Checks the amount of url that leading outbound, if there are too many of them mark the website with medium severity.
- Extension polling the server for when checks finish. As soon as server returns response with final result the extension takes corresponding actions:
- If the website is marked as WHITE then all the inputs are re-enabled and user allowed to proceed
- If the website is marked as GREY then the extension allows user to use the site but inverting all the colors of the page and showing topbar explaining that this website might be dangerous and advices to proceed with care. This notification is clickable and click on it will revert everything to normal state.
- If the website is marked as RED then extension redirects user to special page explaining the website is dangerous and blocked to use.
- There is no need in separate API to report hit. As while server running the check it has the url of the website hitted. According to the result server itself can add hits or misses to database. Currently implemented as simple log to stout
- Current server setup is for testing and debugging. For whitelisting it has only:
google.com
facebook.com
localhost
chrome.com
For blacklistion only gooogle.com is available. Every other website is checked with random results and might be marked as any severity.
- While "danger" page is featuring "report" of wrongly marked red website - it does not implement it as entire application is not connected to database at this moment.
For extension documentation please look here