Lab 3: Use Phishing Detection

In this lab, you will add phishing detection to the banking application, repeat the task of adding the phishing site to the hijacked server, and then view the alerts triggered when the phishing site is accessed.

Task 1 - Enable Phishing Detection

  1. Open an incognito window and access the phishing web site at http://bank.vlab.f5demos.com/login.html.

  2. Enter the following credentials and click Login. Username: your first name; Password: P@ssw0rd!

  3. Close the phishing page.

  4. In the BIG-IQ Configuration Utility, reload the page, and then open the Phishing Alerts > Phishing page.

    There are no alerts because this page was copied before a WebSafe profile was added to the virtual server.

  5. In the BIG-IP Configuration Utility, select login.php from the URL page, and then select Phishing Detection from the left menu.

When you created the WebSafe profile, phishing detection was enabled by default.

Task 2 - Detect Phishing of a Web Site

  1. From the desktop open the Phishing directory and delete the two files you created earlier.

  2. In the banking tab click the Bank bookmark, then right-click inside the page and select Save as.

  3. Name the file login.html, ensure that Webpage, Complete is selected and that you’re saving into the Phishing directory, click Save, and then close the banking tab.

  4. Open WinSCP.

  5. Change the File protocol to SCP, for Host name type 10.1.1.252, and log in as root / default.

  6. In the left panel for the Windows workstation, navigate to the desktop and open the Phishing directory.

  7. In the right panel for the web server, navigate to var/www/dvwa.

  8. Delete the two files currently in the dvwa directory.

  9. Select the new login.html and login_files and copy them to the dvwa directory.

  10. Open a new incognito window and access http://bank.vlab.f5demos.com/login.html.

  11. Attempt to log in as bobsmith / P@ssw0rd1, and then close Chrome.

  12. In the BIG-IQ Configuration Utility, reload the page, open the Phishing Alerts > Phishing page, and then expand the bank.vlab.f5demos.com alert.

    A Copied Pages alert was generated, and in addition a Phishing Users alert was generated for user bobsmith.

  13. Click Copied Pages and view the Domain and the Additional Info.

The fake domain name is bank.vlab.f5demos.com and the original page is https://bank.vlab.f5demo.com/login.php.

Task 3 - Use JavaScript Removal Detection

  1. In WinSCP, in the dvwa directory, right-click login.html and select Edit.

  2. Click on the find (binoculars) button and type <script and click Find Next several times to locate all scripts in the page.

    There are three script entries added by WebSafe.

  3. Select and delete everything from the first <script type="text/javascript" src=…> tag to its closing </script> tag.

  4. Select and delete everything from the next <script type="text/javascript"> tag to its closing </script> tag (right before the <style> tag near the end of the same line).

  5. Select and delete everything from the final <script type="text/javascript"> tag to its closing </script> tag (right before the <img home= > tag).

  6. When you’re done, your code should resemble the following:

    image22

  7. Save and close the login.html file.

  8. Open a new incognito window and access http://bank.vlab.f5demos.com/login.html and attempt to log in as bobsmith / P@ssw0rd1, and then close Chrome.

Notice the page still displays as expected.

  9. In the BIG-IQ Configuration Utility, reload the page, open the Phishing Alerts > Advanced Phishing page, and then expand the bank.vlab.f5demos.com alert.

    Although the hacker removed the JavaScript, a CSS Check alert and an Image Check alert were issued.

  10. Close WinSCP.
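
Task 3 shows that a copied page can still be detected after its scripts are deleted. The following added example (not F5 or lab code, and not a description of how WebSafe implements CSS Check or Image Check) shows one general way to spot such copies: it assumes the copy still references a stylesheet or image hosted on the original site and that the original web server writes combined-format access logs; host names, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions, not from the lab: the legitimate host and the asset extensions.
LEGIT_HOSTS = {"bank.example.test"}
ASSET_EXT = (".css", ".png", ".jpg", ".gif", ".svg", ".ico")

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def foreign_asset_loads(lines, legit_hosts=LEGIT_HOSTS):
    """Return {referring_host: {"css": n, "image": n, "clients": set}} for asset
    requests whose Referer names a host that is not one of ours."""
    hits = defaultdict(lambda: {"css": 0, "image": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-matching log line
        path = urlsplit(m["path"]).path.lower()  # drop any query string
        if m["method"] != "GET" or not path.endswith(ASSET_EXT):
            continue
        ref_host = (urlsplit(m["referer"]).hostname or "").lower()
        if not ref_host or ref_host in legit_hosts:
            continue  # no Referer ("-"), a local file, or our own page
        kind = "css" if path.endswith(".css") else "image"
        hits[ref_host][kind] += 1
        hits[ref_host]["clients"].add(m["ip"])
    return dict(hits)

# Constructed sample log lines (documentation address ranges, made-up hosts).
_T = "- - [01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 {_T} "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.10 {_T} "GET /css/login.css HTTP/1.1" 200 900 "https://bank.example.test/login.php" "Mozilla/5.0"',
    f'198.51.100.7 {_T} "GET /css/login.css HTTP/1.1" 200 900 "http://copy.example.net/login.html" "Mozilla/5.0"',
    f'198.51.100.7 {_T} "GET /images/logo.png HTTP/1.1" 200 4200 "http://copy.example.net/login.html" "Mozilla/5.0"',
    f'203.0.113.5 {_T} "GET /images/logo.png?v=2 HTTP/1.1" 304 0 "http://copy.example.net/login.html" "Mozilla/5.0"',
    f'203.0.113.9 {_T} "GET /images/logo.png HTTP/1.1" 200 4200 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for host, info in foreign_asset_loads(SAMPLE_LOG).items():
        print(host, info["css"], info["image"], sorted(info["clients"]))
```

The client addresses collected per referring host correspond to the visitors who loaded the copy, which is the same population a Phishing Users alert is concerned with.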