RE: Ain't the HTTP Filter Just The Kewlest Ever?!?
- From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 5 Jan 2005 23:47:29 -0800
Does that also work for ISA 2000?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 9:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
> Done; http://isatools.org/block_inject.vbs is the script of choice.
> You should see it on ISATools.org also...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 8:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
>
> I was wandering through my ISA logs (I have no life; I admit it) and I
> discovered a crappy little trick Fandango is using to insert ads into
> your browser (Steve; you reading?):
>
>
>
> http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0Avar%20gEbAd%20%3D%20new%20Object%28%29%3B%0AgEbAd.nFlightID%20%3D%2061803%3B%0A//Remote%20servers%0AgEbAd.playRS%20%3D%20new%20Object%28%29%3B%0AgEbAd.playRS.strNUrl%20%3D%20%22http%3A//ad.doubleclick.net/imp%3Bv1%3Bi%3B12979394%3B0-0%3B0%3B5755652%3B468%7C60%3B8301289%7C8319185%7C1%3B%3Bcs%3Dy%253fhttp%3A//m3.doubleclick.net%22%3B%0A//Interactions%0AgEbAd.interactions%20%3D%20new%20Object%28%29%3B%0AgEbAd.interactions%5B%22_eyeblaster%22%5D%20%3D%20%22ebN%3Dhttp%3A//ad.doubleclick.net/click%253Bh%3Dv3%7C31f4%7C2%7C0%7C%252a%7Cm%253B12979394%253B0-0%253B0%253B5755652%253B1-468%7C60%253B8301289%7C8319185%7C1%253B%253B%257Esscs%253D%253fhttp%3A//m3.doubleclick.net%3B%22%3B%0A//--%3E%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.serving-sys.com/BurstingScript/ebServing.js%27%3E%3C/script%3E
>
> ...luckily, since I run my own blocking scripts, the HTTP Filter saw the
> "%0D%0A" sequence and said "hell NO!"
>
> "12217 0x80 Blocked by the HTTP Security filter: URL
> contains sequences which are disallowed"
>
>
>
> ...ok; you may ask - what does "%0D%0A" mean to me?
>
> When decoded, "%0A%0D" translates to <CR><LF>; something that should
> NEVER exist in a URL.
>
> There are also other characters that are normally associated with a
> technique called "script injection"; a method whereby the sender tricks
> your browser or server into doing something you'd really rather it
> didn't.
>
> Those characters are shown as "script" and "/script" surrounded by "%3C"
> and "%3E"; "<" and ">", respectively. This is an older (pretty useless,
> too) script injection method.
>
> They also try to obfuscate (developer term used to obfuscate the meaning
> of the conversation) other characters that might trigger filtering
> mechanisms, such as:
>
> "http%3A//" (translates to http://).
>
>
>
> Since none of my current scripts include the "%3Cscript" sequence, I'll
> create another blocking definition and post it.
>
>
> Needless to say, Fandango just made the top of my sh1tlist...
>
>
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
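As an added example that is not part of this thread, of ISA Server or of the ISATools scripts: a small Python checker that does what Jim describes the HTTP Security filter doing, namely unwrapping the URL's percent-encoding (including double-encoded forms such as %253B) and refusing the request when CR/LF or a script tag appears. The decode-then-match approach and the case-insensitive comparison are my assumptions about how such a check should work, not ISA's actual algorithm; the sample URLs are constructed, the "bad" one being a shortened head of the Fandango URL quoted above.

```python
"""Added example, not code from the ISAserver.org thread or from ISA Server:
mimic a URL-sequence block the way the post describes the HTTP Security
filter behaving, and report which disallowed sequence triggered it."""
from urllib.parse import unquote

# Sequences the post singles out: CR/LF and script tags. A CR or LF in a
# request line is never legitimate; a script tag in a query string is a
# script-injection marker.
DISALLOWED = (
    ("\r", "carriage return (CR) in URL"),
    ("\n", "line feed (LF) in URL"),
    ("<script", "script tag injected via URL"),
    ("</script", "closing script tag in URL"),
)


def decode_fully(url, max_rounds=3):
    """Percent-decode repeatedly so double-encoded forms such as %253B
    (-> %3B -> ';') are unwrapped too; stop once a round changes nothing."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def check_url(url):
    """Return the reasons this URL would be blocked (empty list = allowed).
    Matching is done on the fully decoded, lower-cased text so that %3C,
    %3c and a bare '<' are all treated alike (assumed policy, not ISA's)."""
    decoded = decode_fully(url).lower()
    return [reason for needle, reason in DISALLOWED if needle in decoded]


# Constructed samples: the head of the Fandango URL quoted in the thread,
# and a harmless query string that merely percent-encodes a space.
SAMPLE_BAD = ("http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML="
              "%3Cscript%3E%0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B"
              "%0A//--%3E%3C/script%3E")
SAMPLE_OK = "http://www.fandango.com/movies/?q=the%20incredibles&page=2"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        reasons = check_url(sample)
        verdict = "BLOCKED" if reasons else "allowed"
        print(verdict, sample[:60], reasons)
```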