Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

javascript that fools thug #45

Closed
evilscheme opened this Issue · 10 comments

2 participants

@evilscheme

Saw this on a landing page, thug did not follow it:

<script type="text/javascript">
    setTimeout("testTime()", 0);
    function testTime() {
        location = "/";
    }
 </script>
@evilscheme

Here's another one that thug doesn't follow.. These are both from live exploit kits so this is far from theoretical ;)

<!DOCTYPE HTML>

@evilscheme

That last one may be due to the fact that there is no content-type being returned:

        "content-type": "",

Maybe that is what is fooling thug?

@buffer buffer was assigned
@buffer buffer referenced this issue from a commit
@buffer Fixed issue #45 33a4e97
@buffer
Owner

Could you please confirm the issues are fixed?

@evilscheme

The 2nd issue still seems to be unresolved. The following link was not followed:

HTTP/1.1 200
Server: Apache
Content-Length: 176
Content-Type:
Last-Modified: Ïò, 29 ìàð 2013 15:25:23 GMT
Accept-Ranges: bytes
Server: nginx/1.2.6
Date: Fri, 29 Mar 2013 15:25:23 GMT
X-Powered-By: PHP/5.4.11

<!DOCTYPE HTML>

@evilscheme

first issue does appear to be resolved, thanks

@buffer
Owner

This sounds quite strange me. Are you seeing a real browser following the redirection? Didn't know location.href could be set to an anchor...

@evilscheme

I haven't been able to confirm with a real browser, so who knows.. this is part of a TDS in front of a mix of pharma spam and SweetOrange EKs though so... there's definitely malicious content on the other side of those links sometimes.

Here are some sample URLs to play with (potentially malicious so be careful of course):

hXXp://buggy-center.by/respect.html
hXXp://sajidmerchant.com/ordinary.html
hXXp://www.dieswaene.com/completely.html
hXXp://triconcompany.com/even.html

@buffer
Owner

I'm going to commit a patch which should solve all the cases. Could you please confirm it works for you too?

@buffer buffer referenced this issue from a commit
@buffer Fixed issue #45 5619fa0
@evilscheme

this page was still treated as a dead-end: <!DOCTYPE HTML><html><head><script type="text/javascript">parent.location.href = "http://sotimex.com/leaf.html";</script></head><body></body></html>

@buffer
Owner

Seems like it works properly here

buffer@saiph ~/thug/src $ python thug.py -l testLocation.html
[2013-04-12 09:54:32] [HREF Redirection (document.location)] Content-Location: about:blank --> Location: http://sotimex.com/leaf.html
[2013-04-12 09:54:32] [window open redirection] about:blank -> http://sotimex.com/leaf.html
[2013-04-12 09:54:45] [HTTP] URL: http://sotimex.com/leaf.html (Status: 400, Referrer: None)
[2013-04-12 09:54:45] Saving log analysis at ../logs/6ec5279d4bbb1e36d39d31a7aee1b18b/20130412095430

@buffer buffer closed this
@buffer buffer added the defect label
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.