Ain't the HTTP Filter Just The Kewlest Ever?!?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jan 2005 20:18:17 -0800

I was wandering through my ISA logs (I have no life; I admit it) and I
discovered a crappy little trick Fandango is using to insert ads into
your browser (Steve; you reading?):

http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0Avar%20gEbAd%20%3D%20new%20Object%28%29%3B%0AgEbAd.nFlightID%20%3D%2061803%3B%0A//Remote%20servers%0AgEbAd.playRS%20%3D%20new%20Object%28%29%3B%0AgEbAd.playRS.strNUrl%20%3D%20%22http%3A//ad.doubleclick.net/imp%3Bv1%3Bi%3B12979394%3B0-0%3B0%3B5755652%3B468%7C60%3B8301289%7C8319185%7C1%3B%3Bcs%3Dy%253fhttp%3A//m3.doubleclick.net%22%3B%0A//Interactions%0AgEbAd.interactions%20%3D%20new%20Object%28%29%3B%0AgEbAd.interactions%5B%22_eyeblaster%22%5D%20%3D%20%22ebN%3Dhttp%3A//ad.doubleclick.net/click%253Bh%3Dv3%7C31f4%7C2%7C0%7C%252a%7Cm%253B12979394%253B0-0%253B0%253B5755652%253B1-468%7C60%253B8301289%7C8319185%7C1%253B%253B%257Esscs%253D%253fhttp%3A//m3.doubleclick.net%3B%22%3B%0A//--%3E%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.serving-sys.com/BurstingScript/ebServing.js%27%3E%3C/script%3E

..luckily, since I run my own blocking scripts, the HTTP Filter saw the
"%0D%0A" sequence and said "hell NO!"

            "12217 0x80     Blocked by the HTTP Security filter: URL contains sequences which are disallowed"

..ok; you may ask - what does "%0D%0A " mean to me?

When decoded, "%0D%0A" translates to <CR><LF>; something that should
NEVER exist in a URL.

There are also other characters that are normally associated with a
technique called "script injection"; a method whereby the sender tricks
your browser or server into doing something you'd really rather it
didn't.

Those characters are shown as "script" and "/script" surrounded by "%3C"
and "%3E"; "<" and ">", respectively. This is an older (pretty useless,
too) script injection method.

They also try to obfuscate (developer term used to obfuscate the meaning
of the conversation) other characters that might trigger filtering
mechanisms, such as:

"http%3A//" (translates to http://).

Since none of my current scripts include the "%3Cscript" sequence, I'll
create another blocking definition and post it.


Needless to say, Fandango just made the top of my sh1tlist...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

All mail to and from this domain is GFI-scanned.
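A decode-and-inspect check that mirrors what the HTTP Security filter's "URL contains sequences which are disallowed" rule is looking for, as an added Python example (this is not ISA Server code and not Jim's blocking scripts). It percent-decodes the URL repeatedly so double-encoded pieces such as %253B are exposed, flags CR/LF and <script> / </script> in the decoded text, and lists which needlessly encoded tokens (http%3A//, %3C, %3E, %0D, %0A) appeared in the raw URL. The function names, the token list and the example.com sample URLs are assumptions constructed for this example, modelled on the Fandango URL above.

```python
"""Decode-and-inspect check for URL query strings, in the spirit of the
ISA HTTP Security filter's "disallowed sequences" rule.
Added example; not ISA Server code and not the list post's blocking scripts."""
import re
from urllib.parse import unquote

# Raw sequences that should never be present in a URL once it is decoded.
# (Assumed rule set for this example; ISA's own list is not reproduced here.)
DISALLOWED = {
    "cr_lf": re.compile(r"[\r\n]"),                                 # %0D / %0A
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),  # %3Cscript%3E, %3C/script%3E
}

# Percent-encoded forms of characters that never need encoding in a URL;
# encoding them anyway is the "obfuscation" the post describes.
OBFUSCATED = ("http%3A//", "%3C", "%3E", "%0D", "%0A")


def fully_decode(url, max_rounds=5):
    """Percent-decode until the text stops changing, so double-encoded
    sequences (%253B -> %3B -> ';') are exposed as well.
    Returns (decoded_text, number_of_rounds_that_changed_something)."""
    current, rounds = url, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def inspect_url(url):
    """Return what a blocking rule would see for this URL."""
    decoded, rounds = fully_decode(url)
    reasons = [name for name, rx in DISALLOWED.items() if rx.search(decoded)]
    # Obfuscated tokens are judged on the raw URL, case-insensitively.
    obfuscated = sorted(tok for tok in OBFUSCATED if tok.lower() in url.lower())
    return {
        "blocked": bool(reasons),
        "reasons": reasons,
        "decode_rounds": rounds,
        "obfuscated_tokens": obfuscated,
        "decoded_preview": decoded[:80],
    }


# Constructed sample modelled on the Fandango/Eyeblaster URL in the post:
# a <script> block, CR LF, a double-encoded ';' (%253B) and "http%3A//".
SUSPECT_URL = (
    "http://www.example.com/eyeblaster/addineyeV2.html?strHTML="
    "%3Cscript%3E%0D%0Avar%20ad%3D%22http%3A//ad.example.net/imp%253Bv1%22%3B"
    "%3C/script%3E"
)

# Constructed benign URL: ordinary encoded spaces and an encoded '&'.
BENIGN_URL = "http://www.example.com/search?q=isa%20server%20http%20filter%26x=1"


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_URL), ("benign", BENIGN_URL)):
        print(label, inspect_url(sample))
```

The loop in `fully_decode` is the part worth keeping: a single decode pass would turn `%253Cscript%253E` into the literal text `%3Cscript%3E` and a one-shot check would pass it, while the second pass reveals the tag. The CR/LF check matches either character in either order, so the `%0D%0A` case from the log line and a lone `%0A` are both caught.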
