Web Application Defender's Cookbook

by Ryan C. Barnett, Jeremiah Grossman
December 2012
Intermediate to advanced
552 pages
13h 16m
English
Wiley
Content preview from Web Application Defender's Cookbook
Recipe 6-4: Detecting Page Title Changes
This recipe demonstrates how to monitor for web page title changes.
Ingredients
  • ModSecurity
    • Lua API
      • appsensor_response_profile.lua
      • appsensor_response_enforce.lua
By monitoring the HTML <title> tag data in web response pages, you can detect when attackers have successfully defaced a page by overwriting the legitimate page with an unauthorized version. For instance, let’s look at the raw HTML from the top of a typical Joomla login page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" 
lang="en-gb" >
<head>
  <meta http-equiv="content-type" content="text/html; 
charset=utf-8" />
  <meta name="robots" content="index, follow" />
  <meta name="keywords" content="joomla, Joomla" />
  <meta name="description" content="Joomla! - the dynamic portal 
engine and content management system" />
  <meta name="generator" content="Joomla! 1.5 - Open Source Content 
Management" />
  <title>Login</title>
  <link href="/joomla/templates/rhuk_milkyway/favicon.ico" 
rel="shortcut icon" type="image/x-icon" />
The piece of data we are focusing on for this recipe is the <title> tag data, which shows that the title of this page is simply “Login.” Now, imagine that your Joomla login page somehow becomes defaced and is replaced with a new page, as shown in Figure 6-1.
The raw HTML for the beginning of this page looks like this:
<html dir="rtl"> ...
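The title comparison described above, modelled stand-alone in Python as an added example (this is not the book's Lua code): it learns the title served for each URL from known-good responses, then flags any response whose title differs or is missing. The function and class names, the learning threshold, the URL and the sample responses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)
MIN_SAMPLES = 3          # assumed learning threshold; tune to your traffic
URL = "/joomla/login"    # constructed path, not taken from the book

def extract_title(body):
    """Return the whitespace-normalised <title> text, or None if absent."""
    match = TITLE_RE.search(body)
    return " ".join(match.group(1).split()) if match else None

class TitleProfile:
    """Learns the expected title per URL, then checks later responses."""
    def __init__(self, min_samples=MIN_SAMPLES):
        self.min_samples = min_samples
        self.seen = defaultdict(Counter)   # url -> Counter of observed titles
        self.baseline = {}                 # url -> locked-in expected title

    def learn(self, url, body):
        """Record a known-good response; lock the baseline once it is stable."""
        if url in self.baseline:
            return
        self.seen[url][extract_title(body)] += 1
        title, count = self.seen[url].most_common(1)[0]
        if count >= self.min_samples:
            self.baseline[url] = title

    def check(self, url, body):
        """Return None if the title matches or the URL is unprofiled, else an alert."""
        if url not in self.baseline:
            return None
        expected, actual = self.baseline[url], extract_title(body)
        if actual != expected:
            return f"title changed on {url}: expected {expected!r}, got {actual!r}"
        return None

# Constructed sample responses (not taken from the book).
GOOD = "<html><head>\n  <title>Login</title>\n</head><body>...</body></html>"
DEFACED = '<html dir="rtl"><head><TITLE>Constructed defacement</TITLE></head></html>'
NO_TITLE = '<html dir="rtl"><body>replaced</body></html>'

if __name__ == "__main__":
    profile = TitleProfile()
    for _ in range(MIN_SAMPLES):
        profile.learn(URL, GOOD)
    for body in (GOOD, DEFACED, NO_TITLE):
        print(profile.check(URL, body))
```

In a deployment the baseline would be persisted per resource, and the learning phase fed only from traffic known to be clean.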
ISBN: 9781118417058