[Question] Handling URL rewrite #27
Comments
At the moment ThePhish is only able to unshorten links that are shortened using some common URL shorteners; it doesn't support URL rewriting for specific platforms like the one you mentioned. However, if you know what steps are performed during this transformation, it may be trivial to write a function that reverts the process so that it's called before the URL is analyzed.
For the Cisco Email Security platform, the URL transformation appears to be like this:
Rewritten URL: [https://secure-web.cisco.com/random characters]/[original URL]
I believe a Python function like this can be used to revert the URL transformation process:
This function takes a rewritten_url as input and returns the original URL by splitting the rewritten_url into parts using the / character as a separator, then taking the last part (the part after the last /) and replacing %3A with : and %2F with /. I think you can use this function like this:
Which should output:
BTW sorry for the slow reply! Happy to help more if I can?!
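A more defensive take on the reversal described in the comments above, as an added example (not code from this thread or from ThePhish). It assumes the layout quoted above, `https://secure-web.cisco.com/<token>/<original URL>` with the original percent-encoded; the function name and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Host taken from the rewritten-URL format quoted in this thread.
REWRITE_HOST = "secure-web.cisco.com"
ALLOWED_SCHEMES = {"http", "https"}


def revert_cisco_rewrite(url: str) -> str:
    """Return the original URL embedded in a rewritten URL (hypothetical helper).

    Anything that does not match the assumed layout is returned unchanged,
    so the function can be applied to every URL before it is analyzed.
    """
    parts = urlsplit(url.strip())
    if (parts.hostname or "").lower() != REWRITE_HOST:
        return url  # not a rewritten URL
    # Assumed path layout: /<token>/<original URL, percent-encoded>.
    # Split only once: taking the part after the *last* "/" would truncate
    # an original URL whose slashes were left unencoded.
    segments = parts.path.lstrip("/").split("/", 1)
    if len(segments) != 2 or not segments[1]:
        return url  # token present but no embedded URL
    original = unquote(segments[1])  # decodes %3A, %2F and every other escape
    if parts.query:
        # Assumption: a query left outside the encoded part belongs to the original.
        original += "?" + parts.query
    inner = urlsplit(original)
    # Hand only well-formed web URLs to the analyzers.
    if inner.scheme.lower() not in ALLOWED_SCHEMES or not inner.hostname:
        return url
    if inner.hostname.lower() == REWRITE_HOST:
        return revert_cisco_rewrite(original)  # URL was rewritten more than once
    return original


if __name__ == "__main__":
    # Constructed sample URLs, not taken from real mail.
    samples = [
        "https://secure-web.cisco.com/1aBcD/https%3A%2F%2Fexample.com%2Flogin",
        "https://secure-web.cisco.com/1aBcD/https%3A%2F%2Fexample.com/a/b",
        "https://example.org/not-rewritten",
    ]
    for s in samples:
        print(s, "->", revert_cisco_rewrite(s))
```
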
AppRiver (formerly ZixCorp) does something similar. It takes a URL and puts it in the format of
My environment passes all email through Cisco Secure Email Security, which will rewrite URLs with a neutral or unknown reputation to redirect them to the Cisco Web Security Proxy for click-time evaluation of their safety.
For those emails which slip through and are reported as suspicious/malicious, I would like to use ThePhish as my analysis and logging platform.
Does ThePhish have a capability to decode these URL rewrites so that the true URL is analyzed?