Recipe 6-4: Detecting Page Title Changes
This recipe demonstrates how to monitor for web page title changes.
Ingredients
- ModSecurity
- Lua API
- appsensor_response_profile.lua
- appsensor_response_enforce.lua
- Lua API
By monitoring the HTML <title> tag data in web response pages, you can detect when attackers have successfully defaced a page by overwriting the legitimate page with an unauthorized version. For instance, let’s look at the raw HTML from the top of a typical Joomla login page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb"
lang="en-gb" >
<head>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<meta name="robots" content="index, follow" />
<meta name="keywords" content="joomla, Joomla" />
<meta name="description" content="Joomla! - the dynamic portal
engine and content management system" />
<meta name="generator" content="Joomla! 1.5 - Open Source Content
Management" />
<title>Login</title>
<link href="/joomla/templates/rhuk_milkyway/favicon.ico"
rel="shortcut icon" type="image/x-icon" />The piece of data we are focusing on for this recipe is the bold <title> tag data, which shows that the title of this page is simply “Login.” Now, imagine that your Joomla login page somehow becomes defaced and is replaced with a new page, as shown in Figure 6-1.
The raw HTML for the beginning of this page looks like this:
<html dir="rtl"> ...Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
