RE: Ain't the HTTP Filter Just The Kewlest Ever?!?

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jan 2005 23:47:29 -0800

Does that also work for ISA 2000?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 9:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?
> 
> http://www.ISAserver.org
> 
> Done; http://isatools.org/block_inject.vbs is the script of choice.
> You should see it on ISATools.org also...
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 8:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Ain't the HTTP Filter Just The Kewlest Ever?!?
> 
> http://www.ISAserver.org
> 
> 
> I was wandering through my ISA logs (I have no life; I admit it) and I
> discovered a crappy little trick Fandango is using to insert ads into
> your browser (Steve; you reading?):
> 
> 
> 
> 
> 
> 
> ..luckily, since I run my own blocking scripts, the HTTP Filter saw the
> "%0D%0A" sequence and said "hell NO!"
> 
>             "12217 0x80     Blocked by the HTTP Security filter: URL
> contains sequences which are disallowed"
> 
> 
> 
> ..ok; you may ask - what does "%0D%0A " mean to me?
> 
> When decoded, "%0A%0D" translates to <CR><LF>; something that should
> NEVER exist in a URL.
> 
> There are also other characters that are normally associated with a
> technique called "script injection"; a method whereby the sender tricks
> your browser or server into doing something you'd really rather it
> didn't.
> 
> Those characters are shown as "script" and "/script" surrounded by "%3C"
> and "%3E"; "<" and ">", respectively.  This is an older (pretty useless,
> too) script injection method.
> 
> They also try to obfuscate (developer term used to obfuscate the meaning
> of the conversation) other characters that might trigger filtering
> mechanisms, such as:
> 
> "http%3A//" (translates to http://).
> 
> 
> 
> Since none of my current scripts include the "%3Cscript" sequence, I'll
> create another blocking definition and post it.
> 
> 
> Needless to say, Fandango just made the top of my sh1tlist...
> 
> 
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> 
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
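As an added example (not Jim's block_inject.vbs or any ISA Server code), the check the HTTP filter performs on that Fandango URL can be sketched in Python: percent-decode the URL until it stops changing (so double-encoded values such as %253B are seen as ";"), then flag CR/LF and script tags. The sample URLs below are constructed, not taken from the logs.

```python
import re
from urllib.parse import unquote

# Sequences the post's HTTP filter objects to. CR/LF (%0D%0A) must never appear
# in a URL; "<script" is the injection marker Jim's scripts did not yet cover.
DISALLOWED = {
    "crlf": re.compile(r"[\r\n]"),
    "script_tag": re.compile(r"<\s*/?\s*script", re.IGNORECASE),
}


def decode_fully(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%253B -> %3B -> ;) and
    obfuscated scheme text (http%3A// -> http://) are normalised before matching."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def check_url(url: str) -> list:
    """Return the names of the disallowed sequences found in the decoded URL."""
    decoded = decode_fully(url)
    return [name for name, pattern in DISALLOWED.items() if pattern.search(decoded)]


def filter_verdict(url: str) -> str:
    """Mimic the filter's decision: 'allowed', or a denial in the style of the
    ISA log line quoted in the post."""
    hits = check_url(url)
    if not hits:
        return "allowed"
    return ("Blocked by the HTTP Security filter: URL contains sequences "
            "which are disallowed (%s)" % ", ".join(hits))


# Constructed sample requests (hypothetical hosts, not real ad URLs).
SAMPLES = {
    "clean": "http://www.example.test/movies/listing.html?id=12345",
    "crlf_and_script": "http://www.example.test/ad.html?strHTML=%3Cscript%3E%0D%0Avar%20x%3D1%3B",
    "double_encoded": "http://www.example.test/ad.html?h=%253Cscript%253E",
}


def scan_samples() -> dict:
    return {name: filter_verdict(url) for name, url in SAMPLES.items()}
```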


