JezuzFreakinKeerist! I really hate web designers that can't (or won't) read RFCs. The codes that are being filtered are "%3C" & "%3E", which resolve to "<" & ">", respectively. The fun thing in this querystring is that they don't "bracket" anything! This URL actually ends up being:

http://www.consumerreports.org/main/redirect/content.jsp?FOLDER<>folder_id=333149&ASSORTMENT<>ast_id=333149&CONTENT<>cnt_id=34835&bmUID=1117743747778&PATH=/media/content/Categories/CarsTrucks/Reports/0306car0.html

..it contains three instances of "<>", which the "inject" filter will trigger on. These characters appear to be "terminator" flags; something the lowly semicolon was designed to do, according to RFC-2616.

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Thursday, June 02, 2005 1:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

http://www.ISAserver.org

Other than disabling the block_inject filters, or creating a web access rule without the block_inject filter for legitimate sites, is there a way to allow the following URL?

http://www.consumerreports.org/main/redirect/content.jsp?FOLDER%3C%3Efolder_id=333149&ASSORTMENT%3C%3East_id=333149&CONTENT%3C%3Ecnt_id=34835&bmUID=1117743747778&PATH=/media/content/Categories/CarsTrucks/Reports/0306car0.html

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, January 06, 2005 6:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

http://www.ISAserver.org

Hi John,

Unfortunately, the 2000 version doesn't as robustly filter outbound HTTP communications.

Tom

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 06, 2005 1:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

http://www.ISAserver.org

Does that also work for ISA 2000?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 9:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
> Done; http://isatools.org/block_inject.vbs is the script of choice.
> You should see it on ISATools.org also...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 8:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
> I was wandering through my ISA logs (I have no life; I admit it) and I
> discovered a crappy little trick Fandango is using to insert ads into
> your browser (Steve; you reading?):
>
> http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0Avar%20gEbAd%20%3D%20new%20Object%28%29%3B%0AgEbAd.nFlightID%20%3D%2061803%3B%0A//Remote%20servers%0AgEbAd.playRS%20%3D%20new%20Object%28%29%3B%0AgEbAd.playRS.strNUrl%20%3D%20%22http%3A//ad.doubleclick.net/imp%3Bv1%3Bi%3B12979394%3B0-0%3B0%3B5755652%3B468%7C60%3B8301289%7C8319185%7C1%3B%3Bcs%3Dy%253fhttp%3A//m3.doubleclick.net%22%3B%0A//Interactions%0AgEbAd.interactions%20%3D%20new%20Object%28%29%3B%0AgEbAd.interactions%5B%22_eyeblaster%22%5D%20%3D%20%22ebN%3Dhttp%3A//ad.doubleclick.net/click%253Bh%3Dv3%7C31f4%7C2%7C0%7C%252a%7Cm%253B12979394%253B0-0%253B0%253B5755652%253B1-468%7C60%253B8301289%7C8319185%7C1%253B%253B%257Esscs%253D%253fhttp%3A//m3.doubleclick.net%3B%22%3B%0A//--%3E%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.serving-sys.com/BurstingScript/ebServing.js%27%3E%3C/script%3E
>
> ..luckily, since I run my own blocking scripts, the HTTP Filter saw
> the "%0D%0A" sequence and said "hell NO!"
>
> "12217 0x80 Blocked by the HTTP Security filter: URL
> contains sequences which are disallowed"
>
> ..ok; you may ask - what does "%0D%0A" mean to me?
>
> When decoded, "%0A%0D" translates to <CR><LF>; something that should
> NEVER exist in a URL.
>
> There are also other characters that are normally associated with a
> technique called "script injection"; a method whereby the sender
> tricks your browser or server into doing something you'd really rather
> it didn't.
>
> Those characters are shown as "script" and "/script" surrounded by "%3C"
> and "%3E"; "<" and ">", respectively. This is an older (pretty useless,
> too) script injection method.
>
> They also try to obfuscate (developer term used to obfuscate the
> meaning of the conversation) other characters that might trigger
> filtering mechanisms, such as:
>
> "http%3A//" (translates to http://).
>
> Since none of my current scripts include the "%3Cscript" sequence,
> I'll create another blocking definition and post it.
>
> Needless to say, Fandango just made the top of my sh1tlist...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> All mail to and from this domain is GFI-scanned.
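As an added defender-side illustration (not code from the thread, from ISA, or from ISATools), the following Python models the two cases the thread argues over: a naive signature that blocks any "<" or ">" trips on the consumerreports "<>" separators, while a tag-aware signature still catches the %0D%0A and %3Cscript sequences. The first sample URL is a constructed, shortened stand-in for the Fandango one; the second is the consumerreports URL from the thread, shortened at its PATH parameter.

```python
import re
from urllib.parse import unquote

# Constructed samples (not the thread's full URLs): the first keeps only the
# sequences the thread points at (%3Cscript, %0D%0A); the second is the
# consumerreports URL from the thread with its "<>" field separators.
AD_INJECTION = ("http://www.example.com/addin.html?strHTML="
                "%3Cscript%3E%0D%0A%3C%21--%0Avar%20x%3D1%3B%0A//--%3E%3C/script%3E")
LEGIT_SEPARATORS = ("http://www.consumerreports.org/main/redirect/content.jsp"
                    "?FOLDER%3C%3Efolder_id=333149&ASSORTMENT%3C%3East_id=333149"
                    "&CONTENT%3C%3Ecnt_id=34835&PATH=/media/content/x.html")


def fully_decode(url, max_rounds=3):
    """Percent-decode until stable so a double-encoded '<' (%253C) is seen too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


# Naive rule set: any '<' or '>' counts as injection; this is what trips on "<>".
NAIVE_RULES = {
    "crlf": re.compile(r"[\r\n]"),
    "angle_bracket": re.compile(r"[<>]"),
}
# Tag-aware rule set: CR/LF, plus a '<' that actually opens or closes a tag name.
TAG_AWARE_RULES = {
    "crlf": re.compile(r"[\r\n]"),
    "html_tag": re.compile(r"</?[a-z][a-z0-9]*", re.IGNORECASE),
}


def triggered(url, rules):
    """Return the sorted names of the rules that match the decoded URL."""
    decoded = fully_decode(url)
    return sorted(name for name, rx in rules.items() if rx.search(decoded))


def block_decision(url, rules):
    """True when the request would be refused (ISA's 'disallowed sequences' verdict)."""
    return bool(triggered(url, rules))


if __name__ == "__main__":
    for label, url in (("ad injection", AD_INJECTION), ("<> separators", LEGIT_SEPARATORS)):
        print(f"{label}: naive={triggered(url, NAIVE_RULES)} "
              f"tag-aware={triggered(url, TAG_AWARE_RULES)}")
```

Decoding before matching matters: the "http%3A//" obfuscation Jim mentions and a second layer of encoding both disappear once the URL is normalised, so the signature only has to describe the decoded form.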