javascript that fools thug #45

Closed
evilscheme opened this Issue Mar 26, 2013 · 10 comments

Comments

Projects
None yet
2 participants
Contributor

evilscheme commented Mar 26, 2013

Saw this on a landing page, thug did not follow it:

<script type="text/javascript">
    setTimeout("testTime()", 0);
    function testTime() {
        location = "/";
    }
 </script>
Contributor

evilscheme commented Mar 28, 2013

Here's another one that thug doesn't follow.. These are both from live exploit kits so this is far from theoretical ;)

<script type="text/javascript">parent.location.href = "http://worldcruiseholiday.[IPUTTHISHERETODEFANGTHEURL]co.th/wind.html";</script>
Contributor

evilscheme commented Mar 28, 2013

That last one may be due to the fact that there is no content-type being returned:

        "content-type": "",

Maybe that is what is fooling thug?

@ghost ghost assigned buffer Mar 28, 2013

buffer added a commit that referenced this issue Mar 29, 2013

Owner

buffer commented Mar 29, 2013

Could you please confirm the issues are fixed?

Contributor

evilscheme commented Mar 29, 2013

The 2nd issue still seems to be unresolved. The following link was not followed:

HTTP/1.1 200
Server: Apache
Content-Length: 176
Content-Type:
Last-Modified: Ïò, 29 ìàð 2013 15:25:23 GMT
Accept-Ranges: bytes
Server: nginx/1.2.6
Date: Fri, 29 Mar 2013 15:25:23 GMT
X-Powered-By: PHP/5.4.11

<script type="text/javascript">parent.location.href = "http://www.apprendimentopermanentescalea.it/happily.html";</script>
Contributor

evilscheme commented Mar 29, 2013

first issue does appear to be resolved, thanks

Owner

buffer commented Mar 29, 2013

This sounds quite strange me. Are you seeing a real browser following the redirection? Didn't know location.href could be set to an anchor...

Contributor

evilscheme commented Mar 29, 2013

I haven't been able to confirm with a real browser, so who knows.. this is part of a TDS in front of a mix of pharma spam and SweetOrange EKs though so... there's definitely malicious content on the other side of those links sometimes.

Here are some sample URLs to play with (potentially malicious so be careful of course):

hXXp://buggy-center.by/respect.html
hXXp://sajidmerchant.com/ordinary.html
hXXp://www.dieswaene.com/completely.html
hXXp://triconcompany.com/even.html

Owner

buffer commented Apr 11, 2013

I'm going to commit a patch which should solve all the cases. Could you please confirm it works for you too?

buffer added a commit that referenced this issue Apr 11, 2013

Contributor

evilscheme commented Apr 11, 2013

this page was still treated as a dead-end: <!DOCTYPE HTML><html><head><script type="text/javascript">parent.location.href = "http://sotimex.com/leaf.html";</script></head><body></body></html>

Owner

buffer commented Apr 12, 2013

Seems like it works properly here

buffer@saiph ~/thug/src $ python thug.py -l testLocation.html
[2013-04-12 09:54:32] [HREF Redirection (document.location)] Content-Location: about:blank --> Location: http://sotimex.com/leaf.html
[2013-04-12 09:54:32] [window open redirection] about:blank -> http://sotimex.com/leaf.html
[2013-04-12 09:54:45] [HTTP] URL: http://sotimex.com/leaf.html (Status: 400, Referrer: None)
[2013-04-12 09:54:45] Saving log analysis at ../logs/6ec5279d4bbb1e36d39d31a7aee1b18b/20130412095430

@buffer buffer closed this Apr 19, 2013

@buffer buffer added the defect label Sep 1, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment