Anti Phishing Wizard

Purpose

You can start this application-specific wizard on the Wizards tab when you’ve selected an application in the navigation area.

The Anti Phishing Wizard attempts to detect phishing attacks at the web server of the imitated web application, before they can get any further. This is not an easy task, as phishing is in essence an attack on the user and not on the web server. Nevertheless, as the operator of a web application you can do various things to at least make phishing attacks harder to carry out.

In phishing, the attacker attempts to direct users of your web application to a website that looks confusingly similar to the genuine site. If the users have entered their data on the phishing site, they will usually be directed from there to your genuine site so that the attack remains undetected for as long as possible. Phishing sites also often directly embed icons, graphics and other content from the genuine site.

This is where the Anti Phishing Wizard comes in: Similar to the Deep Linking Wizard, this wizard attempts to detect the linking of third party websites to your own web application and to initiate counter-measures. This detection can also be carried out dynamically: vWAF only blocks the access once a specific number of requests have occurred.

From a technical point of view, vWAF does this by checking the HTTP Referer header of incoming requests against a whitelist, a blacklist, a graylist, or a combination of these. Note that the Referer header is supplied by the client: it can be omitted (for example by browsers honouring a restrictive referrer policy, or on direct navigation) or forged, so the check raises the bar for an attacker but cannot guarantee that every phishing site is detected.

For more information regarding Wizards, see Using Wizards to Configure Applications.

Attributes

Attribute Meaning

Referer Whitelist

Here you enter the URLs of the servers that are explicitly allowed to link to your web application.

By default the hosts of the application whose security settings you are currently configuring are already entered. These entries should not be deleted or overwritten as otherwise links within your web application may also be blocked.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed .

Use Only the Whitelist

Activate this option if you only want to permit access to your web application when the HTTP Referer is one of the entries on the Referer Whitelist.

Blocked Sites

(This attribute can only be configured when the Use Only the Whitelist option has been deactivated.) Here you can specify a blacklist of URLs from which vWAF denies all requests. For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

Use Graylist

(This attribute can only be configured when the Use Only the Whitelist option has been deactivated.) Activate this option to enable automatic graylisting. In this case, HTTP Referers that match neither the whitelist nor the blacklist are placed on a graylist. If the number of access attempts with this HTTP Referer within the Graylist Timedelta time interval exceeds the Graylist Counter, vWAF denies additional requests. For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

Graylist Timedelta

(This attribute can only be configured when the Use Only the Whitelist option has been deactivated and at the same time the option Use Graylist has been activated.) Specify the time span in seconds for the Use Graylist option here.

Graylist Counter

(This attribute can only be configured when the Use Only the Whitelist option has been deactivated and at the same time the option Use Graylist has been activated.) Specify the maximum number of access attempts for the Use Graylist option here.

Deny the Request

Activate this option if you want to deny blocked requests with HTTP status code 403 (Forbidden). Otherwise, vWAF triggers an HTTP redirect to the page specified under Errorpage URL.

Errorpage URL

(This attribute can only be configured when the Deny the Request option has been deactivated.) Here you can specify an error page to which vWAF forwards the user in the event of a denied request.

Examples:

/error/phishing.html
http://www.demosite.com/phishingalarm.html
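To make the interaction of the attributes above concrete, the following Python snippet models the whitelist, Use Only the Whitelist, Blocked Sites, Use Graylist (with Graylist Timedelta and Graylist Counter) and Deny the Request / Errorpage URL behaviour on a stream of constructed requests. It is an added illustration, not vWAF code: the evaluation order it uses (whitelist, then whitelist-only mode, then blacklist, then graylist) is a plain reading of this page, and the authoritative precedence is the one documented under How Blacklists, Whitelists, and Graylists Are Processed. Treating a request without any Referer header as allowed is an assumption of this example, as is matching whitelist and blacklist entries by exact host name.

```python
"""Referer-based anti-phishing check (illustration only, not vWAF code)."""
from collections import defaultdict, deque
from urllib.parse import urlsplit

ALLOW = "allow"
DENY = "deny"


class RefererPolicy:
    """Mirrors the wizard attributes: whitelist, whitelist-only mode, blacklist,
    graylist with a sliding time window, and the deny-vs-redirect response."""

    def __init__(self, whitelist, blacklist=(), whitelist_only=False,
                 use_graylist=False, graylist_timedelta=60, graylist_counter=10,
                 deny_request=True, errorpage_url="/error/phishing.html"):
        self.whitelist = {h.lower() for h in whitelist}
        self.blacklist = {h.lower() for h in blacklist}
        self.whitelist_only = whitelist_only
        self.use_graylist = use_graylist
        self.graylist_timedelta = graylist_timedelta   # seconds
        self.graylist_counter = graylist_counter       # max hits per window
        self.deny_request = deny_request
        self.errorpage_url = errorpage_url
        # graylist state: referer host -> timestamps of recent hits
        self._gray = defaultdict(deque)

    @staticmethod
    def _host(referer):
        """Extract the host from a Referer URL; None if header absent/unparseable."""
        if not referer:
            return None
        return (urlsplit(referer).hostname or "").lower() or None

    def classify(self, referer, now):
        """Decide ALLOW/DENY for one request; `now` is a timestamp in seconds."""
        host = self._host(referer)
        if host is None:
            # ASSUMPTION: no Referer (bookmark, typed URL) is not treated as a link
            return ALLOW
        if host in self.whitelist:
            return ALLOW
        if self.whitelist_only:
            return DENY                     # Use Only the Whitelist
        if host in self.blacklist:
            return DENY                     # Blocked Sites
        if self.use_graylist:
            hits = self._gray[host]
            cutoff = now - self.graylist_timedelta
            while hits and hits[0] < cutoff:   # drop hits outside the window
                hits.popleft()
            hits.append(now)
            if len(hits) > self.graylist_counter:
                return DENY                 # counter exceeded within timedelta
        return ALLOW

    def response(self, decision):
        """Map a DENY to the configured reaction: 403 or redirect to Errorpage URL."""
        if decision == ALLOW:
            return (200, None)
        if self.deny_request:
            return (403, None)
        return (302, self.errorpage_url)


def run_demo():
    """Constructed request stream (not real traffic) showing each branch."""
    policy = RefererPolicy(whitelist=["www.demosite.com"],
                           blacklist=["phish.example"],
                           use_graylist=True, graylist_timedelta=60,
                           graylist_counter=3, deny_request=False)
    stream = [
        ("https://www.demosite.com/login", 0),    # own site: whitelisted
        ("https://phish.example/fake-login", 1),  # blacklisted
        ("https://hotlink.example/a", 10),        # unknown -> graylist, hit 1
        ("https://hotlink.example/a", 11),        # hit 2
        ("https://hotlink.example/a", 12),        # hit 3 (counter not exceeded)
        ("https://hotlink.example/a", 13),        # hit 4 -> exceeded, denied
        ("https://hotlink.example/a", 200),       # window expired, allowed again
        (None, 201),                              # no Referer header
    ]
    return [policy.response(policy.classify(ref, t)) for ref, t in stream]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Because the graylist state is kept per Referer host, a phishing site that embeds several of your images produces several hits per page view, so the Graylist Counter is reached faster than the number of victims alone would suggest; choose the counter and timedelta with that in mind.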

Handlers configured by the Anti Phishing Wizard

The Anti Phishing Wizard configures the Referer Handler.