From: LSTM RNN: detecting exploit kits using redirection chain sequences
Category | Type | Example |
---|---|---|
Header | Referrer | referrer field holds source, and host field holds destination URL |
Header | Location | host field holds source, and location field holds destination URL |
Content | HTML | `http-equiv="Refresh" url="<url>"` and `form\|a\|p\|img src="<url>"` |
Content | JavaScript | `window\|document(.location\|.open)?.href\|hostname\|replace\|assign\|write` |
Content | iFrame | `<iframe src="http://evil.com"></iframe>` |
Content | Base64 | `window.cback('aHR0cDovL2V2aWwuY29tL2V4cGxvaXQvZXhwbG9pdC5waHA=');` |
Content | Concatenation | `var a = "http://" + 'evil' + ".com"; window.href=a;` |
Content | Unknown | URL found in page content and subsequently visited, no verifiable source |
Relational | Subdomain | URL shares domain with recently accessed URL, no other identifiable source |
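
As an added illustration (not code from the paper), the sketch below labels the link between two consecutive HTTP transactions with every row of the table that applies. It reports all matches because the table states no precedence between types. The `url`/`headers`/`body` record layout, the simplified regexes, the last-two-labels domain comparison and the `landing.example` host are assumptions made for this example.

```python
import base64
import re
from urllib.parse import urlsplit

def _domain(url):
    # Assumption: the last two host labels approximate the registered domain.
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def _b64_strings(body):
    out = []
    for tok in re.findall(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""", body):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error: literal is not valid Base64
            pass
    return out

def _concat_strings(body):
    # Join runs of string literals linked by '+': "http://" + 'evil' + ".com"
    runs = re.findall(r"""(?:["'][^"']*["']\s*\+\s*)+["'][^"']*["']""", body)
    return ["".join(re.findall(r"""["']([^"']*)["']""", r)) for r in runs]

def classify(src, dst, recent=()):
    """Return every (category, type) from the table that links src to dst."""
    url, body, u, q = dst["url"], src.get("body", ""), re.escape(dst["url"]), r"""["']"""
    hits = []
    if dst.get("headers", {}).get("Referer") == src["url"]:
        hits.append(("Header", "Referrer"))
    if src.get("headers", {}).get("Location") == url:
        hits.append(("Header", "Location"))
    content = [
        ("HTML", rf"http-equiv={q}?refresh{q}?[^>]*url={q}?{u}|<(?:form|a|p|img)\b[^>]*={q}{u}{q}"),
        ("JavaScript", rf"(?:window|document)[\w.]*\s*[=(]\s*{q}{u}{q}"),
        ("iFrame", rf"<iframe\b[^>]*src={q}{u}{q}"),
    ]
    found = [("Content", t) for t, rx in content if re.search(rx, body, re.I)]
    if url in _b64_strings(body):
        found.append(("Content", "Base64"))
    if url in _concat_strings(body):
        found.append(("Content", "Concatenation"))
    if not found and url in body:  # URL present, but no recognised mechanism
        found.append(("Content", "Unknown"))
    hits += found
    if not hits and any(_domain(url) == _domain(r) for r in recent):
        hits.append(("Relational", "Subdomain"))
    return hits

# Constructed sample: the table's Base64 row served from a hypothetical page.
SAMPLE = {"url": "http://landing.example/",
          "body": "window.cback('aHR0cDovL2V2aWwuY29tL2V4cGxvaXQvZXhwbG9pdC5waHA=');"}
```

Calling `classify(SAMPLE, {"url": "http://evil.com/exploit/exploit.php"})` returns the Base64 label; the ordered list of labels across a chain is the kind of sequence a model can then consume.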