mirror of https://github.com/captn3m0/js-guard.git
1702 lines
72 KiB
JavaScript
1702 lines
72 KiB
JavaScript
|
/*
|
||
|
Copyright (c) 2009-2010 C-DAC
|
||
|
All Rights Reserved
|
||
|
|
||
|
Developed by:
|
||
|
C-DAC Hyderabad
|
||
|
|
||
|
Project:
|
||
|
MPS-II
|
||
|
|
||
|
Module Name:
|
||
|
dD.js
|
||
|
************ Module for
|
||
|
i. accesing user requested webpage and monitor for vulnerable tags & javascript injections
|
||
|
ii. injecting a script into webpage to acess javascript functions & its arguments and check for maliciousness ***********************************************************************************************/
|
||
|
|
||
|
//To get full URL
|
||
|
var fullurl=window.location.href;
|
||
|
//only proto
|
||
|
var proto=location.protocol;
|
||
|
|
||
|
var score_ifd=0,score_w=0,score_ev=0,score_sh=0,score_req=0,score=0,shellp1=[],docWrite1=[],re1=[],req1=[],reqq1=[],alertt2=[],alertt3=[];//create global arrays to store the parameters of dynamic functions
|
||
|
|
||
|
/*
|
||
|
* Calling handy injection function for injecting the variables into the webpage
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
addJS_Node ("var count=0,shellp=[],docWrite=[],re=[],req=[],reqq=[],alert2=[],alert3=[],al2='';");// create local arrays
|
||
|
|
||
|
/*
|
||
|
* Creating hook to document.create and document.write for obtaining the
|
||
|
* parameters of the respective methods
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function LogDocCreateElement ()
|
||
|
{
|
||
|
var host1=document.location.hostname;
|
||
|
|
||
|
try{
|
||
|
var oldDocumentCreateElement = document.createElement;
|
||
|
document.createElement = function(tagName)
|
||
|
{
|
||
|
var elem = oldDocumentCreateElement.apply (document, arguments);
|
||
|
|
||
|
if (tagName === "script"){
|
||
|
getScriptAttributes (elem, tagName); //Identifying the attributes of suspicious tags
|
||
|
}
|
||
|
if (tagName === "iframe"){
|
||
|
getScriptAttributes (elem, tagName);
|
||
|
}
|
||
|
if (tagName === "a"){
|
||
|
getScriptAttributes (elem, tagName);
|
||
|
}
|
||
|
if (tagName === "link"){
|
||
|
getScriptAttributes (elem, tagName);
|
||
|
}
|
||
|
return elem;
|
||
|
}
|
||
|
|
||
|
//Creating hook to document.write to obtain the parameters of the method
|
||
|
var oldDocumentWrite = document.write;
|
||
|
document.write = function (str)
|
||
|
{
|
||
|
var host1=document.location.hostname;
|
||
|
var elem1 = oldDocumentWrite.apply (document,arguments);
|
||
|
/*
|
||
|
* Filling the content of doc.write into the docWrite array variable
|
||
|
* which is already injected into the webpage
|
||
|
*/
|
||
|
docWrite.push(str);
|
||
|
if(str.length > 20){
|
||
|
encodeJs(str); // verifying the existance of encoded JS
|
||
|
nonPrint(str); //verifying the presence of shellcode;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Checking whether any tags are created through doc.write content
|
||
|
* Uses DOM parser for converting string into DOM format
|
||
|
* @type DOMParser
|
||
|
*/
|
||
|
var parser = new DOMParser();
|
||
|
var div = parser.parseFromString(str, "text/html");
|
||
|
|
||
|
//Verifying the presence of suspicious tags
|
||
|
var tagifr=div.getElementsByTagName("iframe");
|
||
|
var tagsc=div.getElementsByTagName("script");
|
||
|
//iframe properties
|
||
|
if(tagifr.length>0){
|
||
|
/* ---- Retrieving the attributes of the iframe tag ---- */
|
||
|
for(var j=0;j<tagifr.length;j++)
|
||
|
{
|
||
|
|
||
|
if(tagifr[j].src){
|
||
|
var x,y,styl,src,ext;
|
||
|
x=tagifr[j].height; // height
|
||
|
y=tagifr[j].width; // width
|
||
|
styl=tagifr[j].style;
|
||
|
src=tagifr[j].src;
|
||
|
if(x || y || styl)
|
||
|
{
|
||
|
if(x)
|
||
|
{
|
||
|
if(x.match(/px/gi))
|
||
|
{
|
||
|
ext = x.substring(0, x.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
else if(x<3)
|
||
|
{
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
else if(y)
|
||
|
{
|
||
|
if(y.match(/px/gi))
|
||
|
{
|
||
|
ext = y.substring(0, y.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
else if(y<3)
|
||
|
{
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
else if(styl)
|
||
|
{
|
||
|
var str,d=0;
|
||
|
if(String(styl).match(/;/))
|
||
|
{
|
||
|
var arr_str = String(styl).split(";");
|
||
|
while(d < arr_str.length){
|
||
|
str = arr_str[d].split(":");
|
||
|
if(str[0] === "height" || str[0] === "width"){
|
||
|
var ext = str[1].substring(0, str[1].length-2);
|
||
|
if(ext < 3){
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
else if(str[0] === "left" || str[0] === "right" || str[0] === "top" || str[0] === "bottom"){
|
||
|
var ext = str[1].substring(0, str[1].length-2);
|
||
|
if(ext < -99){
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
else if(str[0] === "visibility" || str[0] === "display"){
|
||
|
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
d++;
|
||
|
}
|
||
|
}
|
||
|
else if(String(styl).match(/:/))
|
||
|
{
|
||
|
str = String(styl).split(":");
|
||
|
if(str[0] === "visibility" || str[0] === "display"){
|
||
|
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
|
||
|
domainmatch(src);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
}
|
||
|
/*
|
||
|
* Monitoring the Script tag creating through doc.write
|
||
|
*/
|
||
|
if(tagsc.length>0)
|
||
|
{
|
||
|
for(var m=0;m<tagsc.length;m++)
|
||
|
{
|
||
|
if(tagsc[m].src)
|
||
|
{
|
||
|
var flag1=0,srcc1, srcc, src2, patt2=/.js/g ;
|
||
|
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
|
||
|
var myvar = tagsc[m].src;
|
||
|
srcc1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
var parts = srcc1.split('.');
|
||
|
var srcc = parts.slice(-1).join('.');
|
||
|
// filtered com/in/net sites to reduce false positives
|
||
|
/* for(var k=0;k<TLDS.length;k++)
|
||
|
{
|
||
|
if(srcc.match(TLDS[k]) !== null){
|
||
|
flag1=1;
|
||
|
}
|
||
|
}*/ // commented bcoz anyway we r cross verifying with gsb
|
||
|
/*
|
||
|
* Finding Redirectors in Script tag if the domain name
|
||
|
* does not belongs to TLDS array patterns
|
||
|
*/
|
||
|
if(host1.match(srcc1) === null && srcc1.match(host1) === null && flag1 === 0 && !re.length){
|
||
|
//if((host1.match(srcc1) === null && myvar.match(host1) === null) && tagsc[m].src.match(host1) === null && flag1 === 0 && !re.length){
|
||
|
var talert1="";
|
||
|
if(tagsc[m].src.match(patt2) !== null){
|
||
|
if(tagsc[m].src.match("\\.js.php")!==null || tagsc[m].src.match("\\.php.js")!==null || tagsc[m].src.match("jquery.min.php")!==null){
|
||
|
src2='Evil URL(s) ::<br> '+srcc1;
|
||
|
talert1 += "\n"+srcc1;
|
||
|
re.push('Threat:: Malicious JS Redirector<br>'+src2);
|
||
|
req.push('<b>Malicious JS:Redirector</b><br>'+src2);
|
||
|
}
|
||
|
}
|
||
|
//checking for non js(php/asp) pattern
|
||
|
else {
|
||
|
if(tagsc[m].src.match("\\.php")!==null ){
|
||
|
src2='Evil URL is ::: '+srcc1;
|
||
|
talert1 += "\n"+srcc1;
|
||
|
re.push('Threat:: Malicious JS Redirector<br>'+src2);
|
||
|
req.push('<b>Malicious JS Redirector</b><br>'+src2);
|
||
|
}
|
||
|
}
|
||
|
sessionStorage.setItem("alertsc1", JSON.stringify(talert1));
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}//if
|
||
|
return elem1;
|
||
|
}
|
||
|
}//try
|
||
|
catch(err)
|
||
|
{
|
||
|
//alert("error");
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Detecting Encoded JavaScript in the content of the doc.write
|
||
|
* @param {type} text
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function encodeJs(text)
|
||
|
{
|
||
|
|
||
|
var scriptstring = text.replace(/(\r\n|\n|\r)/gm,""); //convert the innerHTML to one line, easier to match
|
||
|
if(scriptstring.length>250){
|
||
|
/*dividing into lines, then words, then word size*/
|
||
|
var words;
|
||
|
var lines = scriptstring.split(";");
|
||
|
for(var m = 0; (lines !== null) && (m<lines.length); m++) {
|
||
|
words = lines[m].split(" ");
|
||
|
for(var k = 0; (words !== null) && (k<words.length); k++) {
|
||
|
if(words[k].length > 5000){
|
||
|
shellp.push("Wdyn: 1 ");
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// pecentage of digits in each script
|
||
|
var indScriptLength = scriptstring.length;
|
||
|
var indNumLength = scriptstring.replace(/\D/g, '').length;
|
||
|
var inddigitdensity=((indNumLength*100)/indScriptLength);
|
||
|
if(((indNumLength*100)/indScriptLength) > 30){
|
||
|
shellp.push("IDDdyn: 1 ");
|
||
|
}
|
||
|
|
||
|
/* n-gram for individual script*/
|
||
|
var specialChars = new Array (/%/g,/$/g,/</g,/>/g,/@/g,/!/g,/#/g,/^/g,/&/g,/\*/g,/\(/g,/\)/g,/_/g,/\+/g,/\[/g,/\]/g,/\{/g,/\}/g,/\?/g,/:/g,/;/g,/'/g,/"/g,/,/g,/\./g,/\//g,/~/g,/\`/g,/-/g,/=/g,/\\/g);
|
||
|
var totalnumbersc=0, encodenumbers=0, encodedanddigitnumbers=0;
|
||
|
for(var n = 0; n < specialChars.length;n++){
|
||
|
if(scriptstring.match(specialChars[n])){
|
||
|
totalnumbersc +=scriptstring.match(specialChars[n]).length;
|
||
|
if(n==0 || n== 4 || n == 5 || n==12 || n ==22 || n==23)
|
||
|
{
|
||
|
encodenumbers +=scriptstring.match(specialChars[n]).length;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
encodedanddigitnumbers=(indNumLength) + (encodenumbers);
|
||
|
indspdensity=(encodedanddigitnumbers*100)/scriptstring.length;
|
||
|
if(indspdensity > 50){
|
||
|
// shellp.push("ISPdyn: 1 ");
|
||
|
var scriptstringN = scriptstring.replace(/[^a-zA-Z]/g,'');
|
||
|
if((scriptstringN.match(/unescape/g) || scriptstringN.match(/fromCharCode/g)) && !alert3){
|
||
|
alert3.push("Threat:: Encoded JavaScript Malware</n>");
|
||
|
shellp.push("Threat:: Encoded JavaScript Malware"+"<br>"+"Malicious content is:: " +scriptstring);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Detecting Non printable characters or shellcode in the content of doc.write
|
||
|
* @param {type} text
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function nonPrint(text)
|
||
|
{
|
||
|
var pat=/[^\x00-\x80]+/g;//Regex for checking non-printable characters
|
||
|
if(pat.test(text))
|
||
|
{
|
||
|
shellp.push("Non Printable characters are present\n");
|
||
|
shellp.push(text);
|
||
|
}
|
||
|
var r = new RegExp("^[a-f0-9]+$", 'i');//regex for identifying consecutive Hexadecimal characters in a string
|
||
|
if(r.test(text))
|
||
|
{
|
||
|
shellp.push("consecutive block of hexadecimal characters\n");
|
||
|
shellp.push(text);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Cross verify the source of the hidden iframe property with the host name
|
||
|
* of the original URL and if it does not belongs to the same origin then
|
||
|
* alerts the user
|
||
|
* @param {type} src
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function domainmatch(src)
|
||
|
{
|
||
|
/* //whitelist, 3rd party advertising sites and tracking sites*/
|
||
|
|
||
|
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/*/google/gi ,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVideo/gi ,
|
||
|
var flag=0, src1, dalert2="", srcc1;
|
||
|
al2+=reqq;
|
||
|
srcc1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
if((host1.match(srcc1) === null && src.match(host1) === null) && al2.match(srcc1) ===null){
|
||
|
for(var m=0;m<whitelist.length;m++)
|
||
|
{
|
||
|
if(srcc1.match(whitelist[m]) !== null){
|
||
|
flag=1;
|
||
|
return;
|
||
|
}
|
||
|
}
|
||
|
if(flag===0 && !al2){
|
||
|
dalert2 += "\n"+srcc1;
|
||
|
alert2.push("\n"+srcc1);
|
||
|
reqq.push("<b>JS:Hidden Iframe<br>URL(s)::</b><br>==>"+src);
|
||
|
|
||
|
}
|
||
|
else if(flag===0 && al2 && al2.match(srcc1) === null){
|
||
|
alert2.push("\n"+srcc1);
|
||
|
reqq.push("<br>==>"+src);
|
||
|
dalert2 += "\n"+srcc1;
|
||
|
}
|
||
|
sessionStorage.setItem("alertif1", dalert2);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
shellp1=shellp;
|
||
|
docWrite1=docWrite;
|
||
|
re1=re;
|
||
|
req1=req;
|
||
|
reqq1=reqq;
|
||
|
alertt2=alert2;
|
||
|
alertt3=alert3;
|
||
|
}
|
||
|
|
||
|
|
||
|
/*
|
||
|
* Analyzing the content of document.createElement function
|
||
|
* @param {type} elem : Properties of tags present in the contents
|
||
|
* @param {type} tagName : Name of the tag present in the contents
|
||
|
* @param {type} timerIntVar
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function getScriptAttributes (elem, tagName, timerIntVar)
|
||
|
{
|
||
|
var host1=document.location.hostname;
|
||
|
/*--- Because the tags won't be set for some while, we need
|
||
|
to poll for when they are added.
|
||
|
---Tracking the attributes which can redirect to malcious web page---*/
|
||
|
if (elem.src && elem.src !== "/blank.html" && elem.src !=="about:blank")
|
||
|
{
|
||
|
|
||
|
doneWaiting ();
|
||
|
var flag1=0, src2, srcc1, srcc, patt2=/.js/g ;
|
||
|
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
|
||
|
var myvar = elem.src;
|
||
|
srcc1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
var parts = srcc1.split('.');
|
||
|
srcc = parts.slice(-1).join('.');
|
||
|
/* for(var m=0;m<TLDS.length;m++)
|
||
|
{
|
||
|
if(srcc.match(TLDS[m]) !== null){
|
||
|
flag1=1;
|
||
|
}
|
||
|
}*/ // anyway cross verifying with gsb
|
||
|
|
||
|
if(tagName === "iframe")
|
||
|
{
|
||
|
var x,y,src,ext;
|
||
|
x=elem.height; // height
|
||
|
y=elem.width; // width
|
||
|
stylh=elem.style.height; //style
|
||
|
stylw=elem.style.width;
|
||
|
styll=elem.style.left; //style
|
||
|
stylr=elem.style.right;
|
||
|
stylt=elem.style.top; //style
|
||
|
stylb=elem.style.bottom;
|
||
|
stylv=elem.style.visibility;
|
||
|
styld=elem.style.display;
|
||
|
src=elem.src;
|
||
|
if(x || y || stylh || stylw || stylv || styld)
|
||
|
{
|
||
|
if(x)
|
||
|
{
|
||
|
if(x.match(/px/gi))
|
||
|
{
|
||
|
var ext = x.substring(0, x.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
else if(x<3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(y)
|
||
|
{
|
||
|
if(y.match(/px/gi))
|
||
|
{
|
||
|
var ext = y.substring(0, y.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
else if(y<3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylh)
|
||
|
{
|
||
|
if(stylh.match(/px/gi))
|
||
|
{
|
||
|
var ext = stylh.substring(0, stylh.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
else if(stylh<3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylw)
|
||
|
{
|
||
|
if(stylw.match(/px/gi))
|
||
|
{
|
||
|
var ext = stylw.substring(0, stylw.length-2);
|
||
|
if(ext < 3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
else if(stylw<3)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylv)
|
||
|
{
|
||
|
if(stylv.match(/hidden/gi))
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
|
||
|
}
|
||
|
if(styld)
|
||
|
{
|
||
|
if(styld.match(/none/gi))
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
if(styll || stylr || stylt || stylb)
|
||
|
{
|
||
|
if(styll){
|
||
|
var ext = styll.substring(0, styll.length-2);
|
||
|
if(ext < -99)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylr){
|
||
|
var ext = stylr.substring(0, stylr.length-2);
|
||
|
if(ext < -99)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylt){
|
||
|
var ext = stylt.substring(0, stylt.length-2);
|
||
|
if(ext < -99)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
if(stylb){
|
||
|
var ext = stylb.substring(0, stylb.length-2);
|
||
|
if(ext < -99)
|
||
|
{
|
||
|
domainmatch1(src);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
} //iframe
|
||
|
else if(elem.src.match(host1) === null && host1.match(srcc1) === null && flag1 === 0 && !re.length){
|
||
|
var myvar = elem.src,ttalert1="";
|
||
|
var s1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
if(elem.src.match(patt2) !== null){
|
||
|
|
||
|
if(elem.src.match("\\.js.php")!==null || elem.src.match("\\.php.js")!==null || elem.src.match("jquery.min.php")!==null){
|
||
|
src2='Evil URL(s) ::: '+elem.src;
|
||
|
ttalert1 += "\n"+elem.src;
|
||
|
re.push('Threat:: Malicious JS Redirector<br>'+src2);
|
||
|
req.push('<b>Malicious JS Redirector</b><br>'+src2);
|
||
|
}
|
||
|
}
|
||
|
//checking for non js(php/asp) pattern
|
||
|
else {
|
||
|
if(elem.src.match("\\.php")!==null ){//console.log("dcs: "+s1);
|
||
|
src2='Evil URL is ::: '+s1;
|
||
|
ttalert1 += "\n"+elem.src;
|
||
|
re.push('Threat:: Malicious JS Redirector<br>'+src2);
|
||
|
req.push('<b>Malicious JS Redirector</b><br>'+src2);
|
||
|
}
|
||
|
}
|
||
|
sessionStorage.setItem("alertsc2", JSON.stringify(ttalert1));
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
if ( ! timerIntVar) //Setting the time interval to wait for the tags untill they are well-set
|
||
|
{
|
||
|
var timerIntVar = setInterval
|
||
|
(
|
||
|
function ()
|
||
|
{
|
||
|
getScriptAttributes (elem, tagName,timerIntVar);
|
||
|
},
|
||
|
50
|
||
|
);
|
||
|
}
|
||
|
}
|
||
|
function doneWaiting () //clear the time interval when the tags are set
|
||
|
{
|
||
|
if (timerIntVar)
|
||
|
{
|
||
|
clearInterval (timerIntVar);
|
||
|
}
|
||
|
}
|
||
|
function domainmatch1(src){
|
||
|
//whitelist, 3rd party advertising sites and tracking sites
|
||
|
var dots=src.match(/\./g);
|
||
|
if(src === null || !dots){
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/*/google/gi,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVideo/gi
|
||
|
var flag=0, ddalert2="",srcc1;
|
||
|
al2+=reqq;
|
||
|
srcc1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
if((host1.match(srcc1) === null && src.match(host1) === null) && al2.match(srcc1) ===null){
|
||
|
|
||
|
for(var m=0;m<whitelist.length;m++)
|
||
|
{
|
||
|
if(srcc1.match(whitelist[m]) !== null){//alert("alert");
|
||
|
flag=1;
|
||
|
return;
|
||
|
}
|
||
|
}
|
||
|
if(flag===0 && !al2){
|
||
|
alert2.push("\n"+srcc1);
|
||
|
ddalert2 += "\n"+srcc1;
|
||
|
reqq.push("<b>JS:Hidden Iframe<br>URL(s)::</b><br>==>"+src);
|
||
|
}
|
||
|
else if(flag===0 && al2 && al2.match(srcc1) === null){
|
||
|
alert2.push("\n"+srcc1);
|
||
|
ddalert2 += "\n"+srcc1;
|
||
|
reqq.push("<br>==>"+src);
|
||
|
}
|
||
|
sessionStorage.setItem("alertif2",ddalert2);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
//---Injecting the above methods to the web page
|
||
|
addJS_Node (getScriptAttributes.toString());
|
||
|
//---Injecting the above method to the web page
|
||
|
addJS_Node (null, null, LogDocCreateElement);
|
||
|
//--- Handy injection function.
|
||
|
function addJS_Node (text, s_URL, funcToRun) {
|
||
|
/*--- This function is for injecting the desired functionality in the web page by creating a script tag */
|
||
|
var D = window.document;
|
||
|
var scriptNode = D.createElement ('script');
|
||
|
scriptNode.type = "text/javascript";
|
||
|
if (text){ scriptNode.textContent = text;}
|
||
|
if (s_URL){ scriptNode.src = s_URL;}
|
||
|
if (funcToRun) scriptNode.textContent = '(' + funcToRun.toString() + ')()';
|
||
|
var targ = D.getElementsByTagName ('head')[0] || D.body || D.documentElement;
|
||
|
targ.appendChild (scriptNode);
|
||
|
targ.removeChild (scriptNode);
|
||
|
}
|
||
|
/* when the page is loaded Send emit all the parameters to addon sciript */
|
||
|
$(document).ready(function(){
|
||
|
|
||
|
|
||
|
|
||
|
/* adding css to alert */
|
||
|
|
||
|
var css =' #cdac_container { font-family: Arial, sans-serif !important; font-size: 12px !important; min-width: 300px !important;max-width: 600px !important; text-align: inherit !important; background: #e8f9ff !important; border: solid 5px #B40404 !important; color: #000 !important; -webkit-border-radius: 5px !important; border-radius: 5px !important;} #cdac_title { display: inherit !important; font-family: inherit !important; font-size: 14px !important; font-weight: bold !important; text-align: left !important; line-height: 1.75em !important; color: #FFF !important; text-shadow: inherit !important; height:inherit !important; width:inherit !important; position:static !important; background: #B40404 repeat-x center top !important; border: solid 1px #B40404 !important; border-bottom: solid 1px #B40404 !important; cursor: default !important; padding: 0em !important; margin: 0em !important; float: none !important; } .cdac_inputred { background: none !important; background-color:#E6E6E6 !important; color:#DF3A01 !important; font-weight: bold;} .cdac_inputgreen { background: none !important; background-color: #E6E6E6 !important; color:#298A08 !important; font-weight: bold;} #cdac_content { padding: 1em 1.75em !important; margin: 0em !important; } #cdac_message { padding-left: 48px !important; color: #000 !important; } #cdac_panel { text-align: center !important; margin: 1em 0em 0em 1em !important; } #cdac_prompt { margin: .5em 0em !important; }#cdac_content.confirm { background:16px 16px no-repeat url(cdac18.png) !important;}',
|
||
|
|
||
|
|
||
|
head = document.getElementsByTagName('head')[0],
|
||
|
style = document.createElement('style');
|
||
|
|
||
|
style.type = 'text/css';
|
||
|
if (style.styleSheet){
|
||
|
style.styleSheet.cssText = css;
|
||
|
} else {
|
||
|
style.appendChild(document.createTextNode(css));
|
||
|
}
|
||
|
|
||
|
head.appendChild(style);
|
||
|
|
||
|
var i,ev="",res="",reqs="";var docW="";var reqqs="";var shellps="";var alertts="",encodes="",Head="CDAC's Browser JSGuard Warning";
|
||
|
|
||
|
|
||
|
if (typeof window.re1 != 'undefined') {
|
||
|
//console.log("window.re1 success");
|
||
|
if( window.re1.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.re1.length;i++)
|
||
|
{
|
||
|
res+= window.re1[i]+"<br>";
|
||
|
|
||
|
}
|
||
|
score_req=1;
|
||
|
}
|
||
|
|
||
|
if( window.req1.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.req1.length;i++)
|
||
|
{
|
||
|
reqs+= window.req1[i]+"<br>";
|
||
|
}
|
||
|
score_req=1;
|
||
|
}
|
||
|
|
||
|
if( window.reqq1.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.reqq1.length;i++)
|
||
|
{
|
||
|
reqqs+= window.reqq1[i]+"<br>";
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
|
||
|
|
||
|
if( window.alertt2.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.alertt2.length;i++)
|
||
|
{
|
||
|
//alertts+= alertt2[i]+"<br>";
|
||
|
alertts+= window.alertt2[i];
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
if( window.alertt3.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.alertt3.length;i++)
|
||
|
{
|
||
|
encodes+= window.alertt3[i]+"<br>";
|
||
|
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
|
||
|
if( window.docWrite1.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.docWrite1.length;i++)
|
||
|
{
|
||
|
docW+= window.docWrite1[i]+"<br>";
|
||
|
}
|
||
|
score_w=1;
|
||
|
}
|
||
|
|
||
|
if( window.shellp1.length>0)
|
||
|
{
|
||
|
for(i=0;i< window.shellp1.length;i++)
|
||
|
{
|
||
|
shellps+= window.shellp1[i]+"<br>";
|
||
|
}
|
||
|
score_sh=1;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
|
||
|
else{
|
||
|
|
||
|
|
||
|
if( re1.length>0)
|
||
|
{
|
||
|
for(i=0;i< re1.length;i++)
|
||
|
{
|
||
|
res+= re1[i]+"<br>";
|
||
|
|
||
|
}
|
||
|
score_req=1;
|
||
|
}
|
||
|
|
||
|
if( req1.length>0)
|
||
|
{
|
||
|
for(i=0;i< req1.length;i++)
|
||
|
{
|
||
|
reqs+= req1[i]+"<br>";
|
||
|
}
|
||
|
score_req=1;
|
||
|
}
|
||
|
|
||
|
if( reqq1.length>0)
|
||
|
{
|
||
|
for(i=0;i< reqq1.length;i++)
|
||
|
{
|
||
|
reqqs+= reqq1[i]+"<br>";
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
|
||
|
|
||
|
if( alertt2.length>0)
|
||
|
{
|
||
|
for(i=0;i< alertt2.length;i++)
|
||
|
{
|
||
|
//alertts+= alertt2[i]+"<br>";
|
||
|
alertts+= alertt2[i];
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
if( alertt3.length>0)
|
||
|
{
|
||
|
for(i=0;i< alertt3.length;i++)
|
||
|
{
|
||
|
encodes+= alertt3[i]+"<br>";
|
||
|
|
||
|
}
|
||
|
score_ifd=1;
|
||
|
}
|
||
|
|
||
|
if( docWrite1.length>0)
|
||
|
{
|
||
|
for(i=0;i< docWrite1.length;i++)
|
||
|
{
|
||
|
docW+= docWrite1[i]+"<br>";
|
||
|
}
|
||
|
score_w=1;
|
||
|
}
|
||
|
|
||
|
if( shellp1.length>0)
|
||
|
{
|
||
|
for(i=0;i< shellp1.length;i++)
|
||
|
{
|
||
|
shellps+= shellp1[i]+"<br>";
|
||
|
}
|
||
|
score_sh=1;
|
||
|
}
|
||
|
}
|
||
|
score=score_ifd+score_ev+score_sh+score_w;
|
||
|
|
||
|
//whitelistgi , 3rd party advertising sites and tracking sites
|
||
|
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/javascript:/gi,/*/google/gi ,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVid
|
||
|
|
||
|
/*plugin score */
|
||
|
var plugcnt = 0;
|
||
|
|
||
|
/*variables for sending log details to panel widget
|
||
|
* (meta, iframe, unauth red,encoded js, ext domains respectively)
|
||
|
*/
|
||
|
var warns="",warns1="",warns2="",warns3="",Domainreport="";
|
||
|
|
||
|
/* patterns */
|
||
|
var patt=/www/gi, patt1=/http/gi;
|
||
|
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
|
||
|
|
||
|
/*variables for scrptTag function*/
|
||
|
var scrpa="";
|
||
|
|
||
|
/*variables for imgTag function*/
|
||
|
var socpa="";
|
||
|
|
||
|
/*variables for iframeTag function*/
|
||
|
var alert2="", count=0;
|
||
|
|
||
|
/*variables for scriptTag function*/
|
||
|
var alert2sc="", countsc=0;
|
||
|
|
||
|
/*variables for encodeJS function*/
|
||
|
var alert3="",encode1="";
|
||
|
|
||
|
/*variables for UATag function*/
|
||
|
var alert2UA="", countUA=0;
|
||
|
|
||
|
/*other tags like object, meta, anchor and link*/
|
||
|
var plugs="",vulplug="",redirect1="",red1="",redirect2="",red2="";
|
||
|
|
||
|
/*Retreiving domain name from the URL*/
|
||
|
var hostt, host;
|
||
|
hostt = window.location.host;
|
||
|
host = hostt.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
// It holds the tags to be monitored in the incoming web page
|
||
|
var monitorTags = new Array("script","img","area","link","frame","form","embed","applet","meta","object","iframe");
|
||
|
|
||
|
//variables to corresponding tags
|
||
|
var tagsArray = new Array("scrtag", "imgsrc", "are","lin","fra","frm","emb","app","met","obje","ifr");
|
||
|
|
||
|
//attributes of corresponding tags
|
||
|
var attrArray = new Array("src", "src","href","href","src","action","src","codebase","content","classid","src");
|
||
|
|
||
|
for(var i = 0; i<monitorTags.length; i++)
|
||
|
{
|
||
|
if((document.getElementsByTagName(monitorTags[i])).length > 0)
|
||
|
{
|
||
|
switch(i)
|
||
|
{
|
||
|
case 0:scrptTag();
|
||
|
break;
|
||
|
case 1:imgTag();
|
||
|
break;
|
||
|
case 2:
|
||
|
case 3:
|
||
|
case 4:
|
||
|
case 5:
|
||
|
case 6:
|
||
|
case 7:
|
||
|
case 8:
|
||
|
case 9:findhref();
|
||
|
break;
|
||
|
case 10:iframeTag();
|
||
|
break;
|
||
|
|
||
|
default: warns +="no tags"+ "<br>";
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*individual functions of switch */
|
||
|
|
||
|
/* This function monitors the iframe tags in the incoming web page */
|
||
|
function iframeTag()
|
||
|
{
|
||
|
var k,ifrm,widt,hgt,styl,src;
|
||
|
ifrm = document.getElementsByTagName("iframe");
|
||
|
|
||
|
/* Monitoring and checking width, height and style properties of every iframe*/
|
||
|
for(k=0;k<ifrm.length;k++)
|
||
|
{
|
||
|
widt=ifrm[k].getAttribute("width");
|
||
|
hgt=ifrm[k].getAttribute("height");
|
||
|
styl=ifrm[k].getAttribute("style");
|
||
|
src =ifrm[k].getAttribute("src");
|
||
|
if(src===null || src === "/blank.html" || src === "about:blank"){
|
||
|
continue;
|
||
|
}
|
||
|
/*if the height or width of iframe is very small, i.e, lessthan 3 */
|
||
|
if(hgt < 3 && hgt !== null) {
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
if(widt < 3 && widt !== null){
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
|
||
|
/* if style property contains height, width or some content and if "src" present */
|
||
|
if(styl){
|
||
|
|
||
|
var str, d=0;
|
||
|
if(styl.match(/;/)) {
|
||
|
var arr_str = styl.split(";");
|
||
|
while(d < arr_str.length){
|
||
|
str = arr_str[d].split(":");
|
||
|
if(str[0] === "height" || str[0] === "width"){
|
||
|
var ext = str[1].substring(0, str[1].length-2);
|
||
|
if(ext < 3){
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
else if(str[0] === "left" || str[0] === "right" || str[0] === "top" || str[0] === "bottom"){
|
||
|
var ext1 = str[1].substring(0, str[1].length-2);
|
||
|
if(ext1 < -99){
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
}
|
||
|
else if(str[0] === "visibility" || str[0] === "display"){
|
||
|
|
||
|
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
}
|
||
|
d++;
|
||
|
}
|
||
|
}
|
||
|
else if(styl.match(/:/))
|
||
|
{
|
||
|
str = styl.split(":");
|
||
|
if(str[0] === "visibility" || str[0] === "display"){
|
||
|
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
|
||
|
domainmatch(src,ifrm,k);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* write code to find domain in src if it iframe not hidden */
|
||
|
if(src)
|
||
|
{
|
||
|
extdomain(src);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Cross verify the source of the hidden iframe property with the host name
|
||
|
* of the original URL and if it does not belongs to the same origin then
|
||
|
* alerts the user
|
||
|
* */
|
||
|
|
||
|
function domainmatch(src,ifrm,k)
|
||
|
{
|
||
|
var flag=0,src1;
|
||
|
src1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
if(alert2.match(src1) === null){
|
||
|
for(var m=0;m<whitelist.length;m++)
|
||
|
{
|
||
|
if(src1.match(whitelist[m]) !== null){
|
||
|
|
||
|
var n=whitelist[m].toString().length;
|
||
|
var temp=whitelist[m].toString().substring(1,n-3);
|
||
|
if(redirect1.match(temp) === null){
|
||
|
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
|
||
|
}
|
||
|
flag=1;
|
||
|
return;
|
||
|
}
|
||
|
}
|
||
|
if(flag===0 && !alert2){
|
||
|
alert2 += "\n"+src1; count++;
|
||
|
warns1 += "<b>HTML:Hidden Iframe</b>"+"<br>"+"<b>URL(s)::</b><br>==>" +src+"<br>";
|
||
|
//ifrm[k].setAttribute("src",null);
|
||
|
}
|
||
|
else if(flag===0 && alert2 && warns1.match(src1) === null){
|
||
|
alert2 += "\n"+src1;count++;
|
||
|
warns1 += "<br>==>"+src+"<br>";
|
||
|
//ifrm[k].setAttribute("src",null);
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Monitoring UnAuthorized redirections through image tag
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function imgTag()
|
||
|
{
|
||
|
var i, k, wid, hig, len, soc, soc1, flag = -1;
|
||
|
/*
|
||
|
* Image formats to be monitored
|
||
|
* @type Array
|
||
|
*/
|
||
|
var format = new Array(/png/gi, /jpg/gi, /gif/gi, /bmp/gi, /jpeg/gi, /Icons/gi, /ico/gi, /amp/gi);
|
||
|
var imgsrc = document.getElementsByTagName("img");
|
||
|
|
||
|
len = imgsrc.length;
|
||
|
for(i=0;i<len;i=i+1)
|
||
|
{
|
||
|
var flag1=0;
|
||
|
soc = imgsrc[i].getAttribute("src");
|
||
|
wid = imgsrc[i].getAttribute("width");
|
||
|
hig = imgsrc[i].getAttribute("height");
|
||
|
|
||
|
if(soc === null ){
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
socpa=getFileName(soc);
|
||
|
soc1=soc.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
var parts = soc1.split('.');
|
||
|
var socc = parts.slice(-1).join('.');
|
||
|
// whitelist TLDS for reduce false positive
|
||
|
/*for(var m=0;m<TLDS.length;m++)
|
||
|
{
|
||
|
if(socc.match(TLDS[m]) !== null){
|
||
|
flag1=1;
|
||
|
}
|
||
|
}*/
|
||
|
//if it is tracker, stop here
|
||
|
for(var m=0;m<whitelist.length;m++)
|
||
|
{
|
||
|
if(soc1.match(whitelist[m]) !== null){
|
||
|
|
||
|
var n=whitelist[m].toString().length;
|
||
|
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
|
||
|
flag=1;
|
||
|
return;
|
||
|
}
|
||
|
}
|
||
|
// if it is same origin or tracker stop here
|
||
|
if(host.match(soc1) !== null || soc.match(host) !== null || flag1 === 1){
|
||
|
continue;
|
||
|
}
|
||
|
for(k=0; k<format.length; ++k)
|
||
|
{
|
||
|
//searching for image extensions, i.e. .jpg.........
|
||
|
if(soc.match(format[k]) !== null) {
|
||
|
if(socpa) {
|
||
|
if(socpa.match(".php\\.")!==null ){
|
||
|
domainmatchUA(soc1);
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
flag = 1;
|
||
|
break;
|
||
|
}
|
||
|
}if(flag !== 1) {
|
||
|
|
||
|
if(socpa){
|
||
|
if(socpa.match("\\.php")!==null ){
|
||
|
domainmatchUA(soc1);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
// If the image is hidden, hidden activity will be displayed in the panel
|
||
|
if((wid < 1 && wid !== null)||(hig < 1 && hig !== null))
|
||
|
{
|
||
|
warns2 += "<br><b>Threat::Hidden Image::</b>"+"<br>==>"+soc+"<br>";
|
||
|
}
|
||
|
else {
|
||
|
|
||
|
extdomain(soc);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Monitoring Script tag for detecting UnAuthorized redirections and
|
||
|
* Encoded JavaScript
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function scrptTag()
|
||
|
{
|
||
|
var len, scr,scr1,scrr, patt2=/.js/g;
|
||
|
var scrpt = document.getElementsByTagName("script");
|
||
|
var totalScript = "";
|
||
|
var enablewordsize=0,enableinddigiden=0;
|
||
|
|
||
|
len = scrpt.length;
|
||
|
for(var i=0;i<len;i++)
|
||
|
{
|
||
|
//encoded js detection
|
||
|
var scriptstring = scrpt[i].innerHTML;
|
||
|
scriptstring = scriptstring.replace(/(\r\n|\n|\r)/gm,""); //convert the innerHTML to one line, easier to match
|
||
|
//scriptstring=scriptstring.replace(/(\/\*([\s\S]*?)\*\/)|(\/\/(.*)$)/gm, ''); //to remove commented javascript // or /* */
|
||
|
scriptstring = scriptstring.replace(/<!--[\s\S]+?-->/g,""); //to remove commented javascript <!-- //-->
|
||
|
scriptstring = scriptstring.replace(/<![CDATA[\s\S]+?]]>/g,""); // //to remove commented javascript <![CDATA //]]>
|
||
|
|
||
|
|
||
|
if(scriptstring.length>250){
|
||
|
/*
|
||
|
* dividing the script string into lines, words and
|
||
|
* then calculating word size
|
||
|
*/
|
||
|
|
||
|
var words;
|
||
|
var lines = scriptstring.split(";");
|
||
|
for(var m = 0; (lines !== null) && (m<lines.length); m++) {
|
||
|
words = lines[m].split(" ");
|
||
|
for(var k = 0; (words !== null) && (k<words.length); k++) {
|
||
|
if(words[k].length > 6500){
|
||
|
enablewordsize++;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// pecentage of digits in each script
|
||
|
var indScriptLength = scriptstring.length;
|
||
|
var indNumLength = scriptstring.replace(/\D/g, '').length;
|
||
|
var inddigitdensity=((indNumLength*100)/indScriptLength);
|
||
|
if(((indNumLength*100)/indScriptLength) >= 30){
|
||
|
enableinddigiden++;
|
||
|
}
|
||
|
|
||
|
/* n-gram for individual script*/
|
||
|
var specialChars = new Array (/%/g,/$/g,/</g,/>/g,/@/g,/!/g,/#/g,/^/g,/&/g,/\*/g,/\(/g,/\)/g,/_/g,/\+/g,/\[/g,/\]/g,/\{/g,/\}/g,/\?/g,/:/g,/;/g,/'/g,/"/g,/,/g,/\./g,/\//g,/~/g,/\`/g,/-/g,/=/g,/\\/g, /u/g, /x/g);
|
||
|
var totalnumbersc=0, encodenumbers=0, encodedanddigitnumbers=0;
|
||
|
for(var n = 0; n < specialChars.length;n++){
|
||
|
if(scriptstring.match(specialChars[n])){
|
||
|
totalnumbersc +=scriptstring.match(specialChars[n]).length;
|
||
|
if(n==0 || n==3 || n== 4 || n == 5 || n == 7 || n==8 || n==10 || n==12 || n==18 || n==19 || n ==22 || n==23 || n==28 || n ==31 || n==32)
|
||
|
{
|
||
|
encodenumbers +=scriptstring.match(specialChars[n]).length;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
encodedanddigitnumbers=(indNumLength) + (encodenumbers);
|
||
|
var indspdensity=(encodedanddigitnumbers*100)/scriptstring.length;
|
||
|
|
||
|
var scriptstringN = scriptstring.replace(/[^a-zA-Z]/g,'');
|
||
|
var scriptstringNN = scriptstring.replace(/\</g,"<"); //for <
|
||
|
var scriptstringNNN = scriptstringNN.replace(/\>/g,">"); //for >
|
||
|
scriptstring = scriptstring.replace(/ /g,"");
|
||
|
|
||
|
/*
|
||
|
* Searching for the functions unescape and fromCharCode in the script string
|
||
|
*/
|
||
|
if((scriptstringN.match(/unescape/g) || scriptstringN.match(/fromCharCode/g) || (scriptstringN.indexOf(/fro/g) < scriptstringN.indexOf(/mCharCode/g) )|| (scriptstringN.indexOf(/fromChar/g) < scriptstringN.indexOf(/Code/g) ) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omCh/g) < scriptstringN.indexOf(/arCode/g) ) || (scriptstringN.indexOf(/fro/g) < scriptstringN.indexOf(/mc/g) < scriptstringN.indexOf(/harCode/g)) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omCh/g) < scriptstringN.indexOf(/arCo/g)< scriptstringN.indexOf(/de/g)) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omC/g) < scriptstringN.indexOf(/ha/g)< scriptstringN.indexOf(/rCode/g))) && !alert3 && indspdensity > 58){
|
||
|
|
||
|
alert3 += "Threat:: Encoded JavaScript Malware";
|
||
|
warns3 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br>" +scriptstringNNN+"<br>";
|
||
|
}/*
|
||
|
* Searching for suspicious string pattenrs inside unescape function
|
||
|
*/
|
||
|
else if((scriptstringN.match(/unescape/g) && scriptstringN.match(/newArray/g) && scriptstring.match(/%u9090/g)) && !alert3 && indspdensity > 25){
|
||
|
|
||
|
alert3 += "Threat:: Encoded JavaScript Malware";
|
||
|
warns3 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br>" +scriptstringNNN+"<br>";
|
||
|
}/*
|
||
|
* Searching for hex code starting with var.
|
||
|
* This will be displayed in panel report
|
||
|
*/
|
||
|
else if(scriptstringN.match(/var/g)&& !encode1 && !warns3 && indspdensity > 57){
|
||
|
encode1 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br> " +scriptstringNNN+"<br>";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
totalScript += scriptstring+" ";
|
||
|
|
||
|
|
||
|
var flag1=0;
|
||
|
scr = scrpt[i].getAttribute("src");
|
||
|
if(scr === null ){
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
scr1=scr.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
|
||
|
var parts = scr1.split('.');
|
||
|
var scrr = parts.slice(-1).join('.');
|
||
|
|
||
|
if(scr.match(patt2) !== null || ( scr.match(patt) !== null || scr.match(patt1) !== null)){
|
||
|
extdomain(scr);
|
||
|
}
|
||
|
// whitelist TLDS for reduce false positive
|
||
|
/*for(var m=0;m<TLDS.length;m++)
|
||
|
{
|
||
|
if(scrr.match(TLDS[m]) !== null){
|
||
|
flag1=1;
|
||
|
}
|
||
|
}*/
|
||
|
if(host.match(scr1)!== null || scr.match(host) !== null )
|
||
|
{
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
scrpa=getFileName(scr);
|
||
|
if(scr.match(patt2) !== null){
|
||
|
if(scrpa){
|
||
|
if(scrpa.match("\\.js.php")!==null || scrpa.match("\\.php.js")!==null ){
|
||
|
domainmatchUA(scr1);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
//checking for non js(php/asp) pattern
|
||
|
else {
|
||
|
if(scrpa){
|
||
|
if(scrpa.match("\\.php")!==null ){
|
||
|
domainmatchUA(scr1);
|
||
|
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
// find extdomains
|
||
|
if(scr.match(patt2) !== null || ( scr.match(patt) !== null || scr.match(patt1) !== null)){
|
||
|
|
||
|
extdomain(scr);
|
||
|
}
|
||
|
|
||
|
} //for loop ends
|
||
|
|
||
|
}
|
||
|
// Matches the UnAuth src property with the host name of the original URL and if it is not from same origin then alerts the user
|
||
|
function domainmatchUA(src)
|
||
|
{
|
||
|
var dots=src.match(/\./g);
|
||
|
if(src === null || !dots )
|
||
|
return;
|
||
|
|
||
|
if(alert2UA.match(src) === null){
|
||
|
if(!alert2UA){
|
||
|
alert2UA += "\n"+src; countUA++;
|
||
|
warns2 += "<b>HTML:Redirector::</b>"+"<br><b>URL(s)::</b><br>==>"+src+"<br>";
|
||
|
}
|
||
|
else if(alert2UA && warns2.match(src) === null){
|
||
|
alert2UA += "\n"+src;countUA++;
|
||
|
//warns2 += "Threat:: HTML:Redirector"+"<br>"+src+"<br>";
|
||
|
warns2 += "<br>==>"+src+"<br>";
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
/*function is_valid_url(url)
|
||
|
{
|
||
|
return url.match(/^(ht|f)tps?:\/\/[a-z0-9-\.]+\.[a-z]{2,4}\/?([^\s<>\#%"\,\{\}\\|\\\^\[\]`]+)?$/);
|
||
|
}*/
|
||
|
|
||
|
function findhref()
|
||
|
{
|
||
|
var conten;
|
||
|
var pattmeta1=/refresh/gi, pattmeta2=/index.php?spl=/g;
|
||
|
tagsArray[i] =document.getElementsByTagName(monitorTags[i]);
|
||
|
|
||
|
var alink=tagsArray[i];
|
||
|
|
||
|
for(var k=0;k<alink.length;k++)
|
||
|
{
|
||
|
var hr=alink[k].getAttribute(attrArray[i]);
|
||
|
if(hr){ //error checking
|
||
|
// display meta content
|
||
|
if(i=== 8)
|
||
|
{
|
||
|
// code to stop meta redirection == bad idea in some cases
|
||
|
/*
|
||
|
var i, refAttr;
|
||
|
var metaTags = document.getElementsByTagName('meta');
|
||
|
for i in metaTags {
|
||
|
if( (refAttr = metaTags[i].getAttribute("http-equiv")) && (refAttr == 'refresh') ) {
|
||
|
metaTags[i].parentNode.removeChild(metaTags[i]);
|
||
|
}
|
||
|
}
|
||
|
// report +="meta contains: "+hr+"\n";
|
||
|
*/
|
||
|
var str;
|
||
|
|
||
|
var refres=alink[k].getAttribute("http-equiv");
|
||
|
|
||
|
// if meta contains refersh attribute
|
||
|
if(refres && refres.match(pattmeta1)!==null){
|
||
|
//comparing content with known malicious patterns of meta content
|
||
|
conten=alink[k].getAttribute("content");
|
||
|
if(conten){
|
||
|
if(conten.match(pattmeta2)!==null){
|
||
|
warns +="meta redirected to known malicious contents<br>";
|
||
|
}
|
||
|
else{
|
||
|
// only url part
|
||
|
str = conten.split(";");
|
||
|
if(str[1] !== undefined && str[1].match(/url/gi) !== null){
|
||
|
var src=str[1].replace('url=','');
|
||
|
extdomain(src);
|
||
|
warns+="in meta tag after "+str[0]+" seconds,it will redirect to "+src+"<br>";
|
||
|
redirect2+="meta tag redirection to: "+src+"<br>";
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
continue;
|
||
|
}
|
||
|
/*
|
||
|
* Searching for the plugins inside the webpage and
|
||
|
* detecting vulnerable plugins through object ID
|
||
|
*/
|
||
|
if(i===9)
|
||
|
{
|
||
|
plugcnt++;
|
||
|
/* for(var m=0;m<clsidlist.length;m++)
|
||
|
{
|
||
|
if(hr.match(clsidlist[m])!==null){
|
||
|
warns+="vulnerable plugin<br>";
|
||
|
vulplug+="Threat:vulnerable plugin invoked<br><br>";
|
||
|
}
|
||
|
}
|
||
|
*/
|
||
|
}
|
||
|
/*
|
||
|
* Collecting all the external domains from various tags
|
||
|
*/
|
||
|
if(hr.match(patt) !== null || hr.match(patt1) !== null)
|
||
|
{
|
||
|
extdomain(hr);
|
||
|
}
|
||
|
}// if hr
|
||
|
}//for
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* This function gathers all the cross domain URLs coming through various
|
||
|
* vulnerable tags and filtering duplicate URLs and Same domain URLs
|
||
|
* @param {type} src : URL is the argument
|
||
|
* @returns {undefined}
|
||
|
*/
|
||
|
function extdomain(src)
|
||
|
{
|
||
|
try{
|
||
|
var src1;
|
||
|
src1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
|
||
|
var dots=src1.match(/\./g);
|
||
|
if((host.match(src1) === null && src1.match(host) === null) && Domainreport.match(src1)===null && dots){
|
||
|
alert2sc += "\n"+src1; countsc++;
|
||
|
Domainreport +="==>"+src1+"<br>";
|
||
|
//isTracker(src1);
|
||
|
for(var m=0;m<whitelist.length;m++)
|
||
|
{
|
||
|
if(src1.match(whitelist[m]) !== null){
|
||
|
|
||
|
var n=whitelist[m].toString().length;
|
||
|
var temp=whitelist[m].toString().substring(1,n-3);
|
||
|
if(redirect1.match(temp) === null){
|
||
|
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
|
||
|
}
|
||
|
}
|
||
|
catch(e){
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Retreiving the resource name from the URL
|
||
|
* @param {type} path : URL including Resource name
|
||
|
* @returns {unresolved} : Returns Resource Name
|
||
|
*/
|
||
|
function getFileName(path)
|
||
|
{
|
||
|
if(path.match(/^((http[s]?|ftp):\/)?\/?([^:\/\s]+)(:([^\/]*))?((\/[\w/-]+)*\/)([\w\-\.]+[^#?\s]+)(\?([^#]*))?(#(.*))?$/i))
|
||
|
{
|
||
|
return path.match(/^((http[s]?|ftp):\/)?\/?([^:\/\s]+)(:([^\/]*))?((\/[\w/-]+)*\/)([\w\-\.]+[^#?\s]+)(\?([^#]*))?(#(.*))?$/i)[8];
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Filling the default values for Reporting in Panel
|
||
|
*/
|
||
|
if(plugcnt){
|
||
|
plugs +=plugcnt+" plugins loaded in this webpage<br>";
|
||
|
if(vulplug){
|
||
|
plugs +=vulplug+"<br>";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Displaying trackers and Static Redirections in Report
|
||
|
*/
|
||
|
if(redirect1){
|
||
|
red1="Tracker(s) found:<br>"+redirect1;
|
||
|
}
|
||
|
if(redirect2){
|
||
|
red2="Static html redirections:<br>"+redirect2;
|
||
|
}
|
||
|
|
||
|
|
||
|
// code for adding dynamic iframes + static iframes
|
||
|
var ifrd1= "",ifrd2="";
|
||
|
ifrd1=sessionStorage.getItem("alertif1");
|
||
|
//ifrd1=JSON.parse(ifrd1);
|
||
|
ifrd2=sessionStorage.getItem("alertif2");
|
||
|
//ifrd2=JSON.parse(ifrd2);
|
||
|
|
||
|
if(ifrd1){
|
||
|
alertts=ifrd1;
|
||
|
}
|
||
|
if(ifrd2){
|
||
|
alertts=ifrd2;
|
||
|
}
|
||
|
if(ifrd1 && ifrd2){
|
||
|
alertts=ifrd1 + ifrd2;
|
||
|
}
|
||
|
|
||
|
//console.log("rcvd dynifr through session storage:",alertts);
|
||
|
var lines = alertts.split("\n");
|
||
|
var newlines=(lines.length)-1;
|
||
|
var count_if=0, alert_if;
|
||
|
if(alertts != alert2){
|
||
|
count_if = newlines + count;
|
||
|
alert_if = alertts + alert2;
|
||
|
}
|
||
|
else{
|
||
|
count_if = count;
|
||
|
alert_if = alert2;
|
||
|
}
|
||
|
|
||
|
var scd1= "",scdd1="",scd2="",scdd2="",ress="";
|
||
|
scd1=sessionStorage.getItem("alertsc1");
|
||
|
scdd1=JSON.parse(scd1);
|
||
|
scd2=sessionStorage.getItem("alertsc2");
|
||
|
scdd2=JSON.parse(scd2);
|
||
|
if(scdd1){
|
||
|
ress=scdd1;
|
||
|
}
|
||
|
if(scdd2){
|
||
|
ress=scdd2;
|
||
|
}
|
||
|
if(scdd1 && scdd2){
|
||
|
ress=scdd1+scdd2;
|
||
|
}
|
||
|
|
||
|
|
||
|
// code for adding dynamic scripts + static scripts
|
||
|
var lines1 = ress.split("\n");
|
||
|
var newlines1=(lines1.length)-1;
|
||
|
var count_sc=0, alert_sc="";
|
||
|
if(alert2UA != ress){
|
||
|
count_sc=newlines1+countUA;
|
||
|
alert_sc=ress+alert2UA;
|
||
|
}
|
||
|
else{
|
||
|
count_sc = countUA;
|
||
|
alert_sc = alert2UA;
|
||
|
}
|
||
|
|
||
|
var s2="", s1="";
|
||
|
var HostProto=proto+"//"+host;
|
||
|
|
||
|
|
||
|
//framework.extension.fireEvent('HI', { data: {someData:HostProto, highlitedText:'CNN'}}); //hostname
|
||
|
|
||
|
var urlPort = browser.runtime.connect({name:"urlport-from-cs"});
|
||
|
var popupPort = browser.runtime.connect({name:"popupport-from-cs"});
|
||
|
|
||
|
urlPort.postMessage({"url": HostProto,"fullurl":fullurl});
|
||
|
|
||
|
//bl status rcvd
|
||
|
var flag=0, blstatus="", Head="CDAC's Browser JSGuard Warning";
|
||
|
|
||
|
var blstatus_if="";
|
||
|
var blstatus_sc="";
|
||
|
|
||
|
|
||
|
//again common
|
||
|
var gsbreq=count_if+alert_if;
|
||
|
if(count_if){
|
||
|
|
||
|
s2='Threat:: Hidden Iframe<br>Evil URL(s) are :::'+alert_if+"<br>";
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
var gsbreq1=count_sc+alert_sc;
|
||
|
if(count_sc){
|
||
|
|
||
|
|
||
|
s1='Threat:: UnAuthorized Redirection<br>Evil URL(s) are :::'+alert_sc+"<br>";
|
||
|
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
var frameEl = window.frameElement;
|
||
|
|
||
|
var ps = localStorage.getItem(0);
|
||
|
console.log("");
|
||
|
if(ps == null || ps.match(HostProto) == null){ //iniatiall null and host diffrenet so block
|
||
|
if(alert_if || alert3 || alert_sc)
|
||
|
{
|
||
|
if(alert_if && frameEl === null){
|
||
|
|
||
|
|
||
|
|
||
|
//gsbreq="1\nhttp://malware.testing.google.test/testing/malware/";
|
||
|
|
||
|
var xhr = new XMLHttpRequest();
|
||
|
xhr.open('POST', 'https://sb-ssl.google.com/safebrowsing/api/lookup?client=firefox&apikey=ABQIAAAAxhNVFd2Bkr2PLooc8AycwBRHPfqIBBZIjrF8eFFZCSSGcCk3eg&appver=1.5.2&pver=3.0', true);
|
||
|
|
||
|
//Send the proper header information along with the request
|
||
|
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
||
|
|
||
|
xhr.onreadystatechange = function() {//Call a function when the state changes.
|
||
|
|
||
|
|
||
|
if (xhr.readyState === 4) {
|
||
|
|
||
|
if (xhr.status === 200) {
|
||
|
|
||
|
//console.log("IN CONTENT SCRIPT: response from GSB:"+xhr.responseText);
|
||
|
|
||
|
blstatus_if=xhr.responseText;
|
||
|
//console.log("if blstatus rcvd"+blstatus_if);
|
||
|
if(blstatus_if.match("malware") || blstatus_if.match("phising") || blstatus_if.match("phishing,malware")){
|
||
|
flag=1;
|
||
|
//console.log("and here is an iframealert");
|
||
|
document.body.innerHTML = "";//$('head link').remove();
|
||
|
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
|
||
|
if(r== false){
|
||
|
|
||
|
//console.log("false");
|
||
|
var d1 = new Date ();
|
||
|
var oneday = new Date(d1);
|
||
|
//console.log("1: "+oneday);
|
||
|
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
|
||
|
oneday.setDate(d1.getDate() + 1); //one day from now
|
||
|
//console.log("2: "+oneday);
|
||
|
|
||
|
localStorage.setItem(0, HostProto);
|
||
|
|
||
|
localStorage.setItem(1, oneday);
|
||
|
location.reload();
|
||
|
}
|
||
|
});
|
||
|
}
|
||
|
|
||
|
} else {
|
||
|
console.log('error: '+xhr.statusText);
|
||
|
}
|
||
|
}
|
||
|
};
|
||
|
xhr.send(gsbreq);
|
||
|
|
||
|
|
||
|
|
||
|
/* console.log("if blstatus rcvd"+blstatus_if);
|
||
|
if(blstatus_if.match("malware") || blstatus_if.match("phising") || blstatus_if.match("phishing,malware")){
|
||
|
flag=1;
|
||
|
console.log("and here is an iframealert");
|
||
|
document.body.innerHTML = "";//$('head link').remove();
|
||
|
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
|
||
|
if(r== false){
|
||
|
|
||
|
//console.log("false");
|
||
|
var d1 = new Date ();
|
||
|
var oneday = new Date(d1);
|
||
|
//console.log("1: "+oneday);
|
||
|
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
|
||
|
oneday.setDate(d1.getDate() + 1); //one day from now
|
||
|
//console.log("2: "+oneday);
|
||
|
|
||
|
localStorage.setItem(0, HostProto);
|
||
|
|
||
|
localStorage.setItem(1, oneday);
|
||
|
location.reload();
|
||
|
}
|
||
|
});
|
||
|
}*/
|
||
|
}
|
||
|
if (alert3 && flag == 0){
|
||
|
|
||
|
flag = 1;
|
||
|
document.body.innerHTML = "";//$('head link').remove();flag=1;
|
||
|
|
||
|
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+alert3+"<br><br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
|
||
|
if(r== false){
|
||
|
|
||
|
//console.log("false");
|
||
|
var d1 = new Date ();
|
||
|
var oneday = new Date(d1);
|
||
|
//console.log("1: "+oneday);
|
||
|
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
|
||
|
oneday.setDate(d1.getDate() + 1); //one day from now
|
||
|
//console.log("2: "+oneday);
|
||
|
|
||
|
localStorage.setItem(0, HostProto);
|
||
|
|
||
|
localStorage.setItem(1, oneday);
|
||
|
location.reload();
|
||
|
}
|
||
|
});
|
||
|
}
|
||
|
if(alert_sc && flag == 0){
|
||
|
|
||
|
|
||
|
|
||
|
//gsbreq1="1\nhttp://malware.testing.google.test/testing/malware/";
|
||
|
|
||
|
var xhr = new XMLHttpRequest();
|
||
|
|
||
|
xhr.open('POST', 'https://sb-ssl.google.com/safebrowsing/api/lookup?client=firefox&apikey=ABQIAAAAxhNVFd2Bkr2PLooc8AycwBRHPfqIBBZIjrF8eFFZCSSGcCk3eg&appver=1.5.2&pver=3.0', true);
|
||
|
|
||
|
//Send the proper header information along with the request
|
||
|
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
||
|
|
||
|
xhr.onreadystatechange = function() {//Call a function when the state changes.
|
||
|
|
||
|
|
||
|
if (xhr.readyState === 4) {
|
||
|
|
||
|
if (xhr.status === 200) {
|
||
|
|
||
|
//console.log("IN CONTENT SCRIPT: response from GSB:"+xhr.responseText);
|
||
|
|
||
|
blstatus_sc=xhr.responseText;
|
||
|
//console.log("if blstatus rcvd"+blstatus_sc);
|
||
|
if(blstatus_sc.match("malware") || blstatus_sc.match("phising") || blstatus_sc.match("phishing,malware")){
|
||
|
flag=1;
|
||
|
//console.log("and here is an scriptalert");
|
||
|
document.body.innerHTML = "";//$('head link').remove();
|
||
|
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
|
||
|
if(r== false){
|
||
|
|
||
|
//console.log("false");
|
||
|
var d1 = new Date ();
|
||
|
var oneday = new Date(d1);
|
||
|
//console.log("1: "+oneday);
|
||
|
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
|
||
|
oneday.setDate(d1.getDate() + 1); //one day from now
|
||
|
//console.log("2: "+oneday);
|
||
|
|
||
|
localStorage.setItem(0, HostProto);
|
||
|
|
||
|
localStorage.setItem(1, oneday);
|
||
|
location.reload();
|
||
|
}
|
||
|
});
|
||
|
}
|
||
|
|
||
|
} else {
|
||
|
//console.log('genuine: '+xhr.statusText);
|
||
|
}
|
||
|
}
|
||
|
};
|
||
|
xhr.send(gsbreq1);
|
||
|
|
||
|
|
||
|
|
||
|
/*console.log("if blstatus rcvd"+blstatus_sc);
|
||
|
if(blstatus_sc.match("malware") || blstatus_sc.match("phising") || blstatus_sc.match("phishing,malware")){
|
||
|
flag=1;
|
||
|
console.log("and here is an script alert");
|
||
|
document.body.innerHTML = "";//$('head link').remove();
|
||
|
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s1+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
|
||
|
if(r== false){
|
||
|
|
||
|
//console.log("false");
|
||
|
var d1 = new Date ();
|
||
|
var oneday = new Date(d1);
|
||
|
//console.log("1: "+oneday);
|
||
|
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
|
||
|
oneday.setDate(d1.getDate() + 1); //one day from now
|
||
|
//console.log("2: "+oneday);
|
||
|
|
||
|
localStorage.setItem(0, HostProto);
|
||
|
|
||
|
localStorage.setItem(1, oneday);
|
||
|
location.reload();
|
||
|
}
|
||
|
});
|
||
|
}*/
|
||
|
}
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
else{
|
||
|
|
||
|
var values = localStorage.getItem(1);
|
||
|
values = new Date(values);
|
||
|
var d = new Date();
|
||
|
var m=values-d; //not working "values" and "n" vars are damaged
|
||
|
//console.log("future: "+values+" len: "+values.length);
|
||
|
//console.log("current: "+d+" len: "+d.length);
|
||
|
//console.log("diff: "+m);
|
||
|
if (m<0) {
|
||
|
localStorage.removeItem(0);localStorage.removeItem(1);localStorage.removeItem(2);
|
||
|
}
|
||
|
}
|
||
|
var x=[];
|
||
|
x.push(HostProto); //hostonly
|
||
|
x.push(s2); // hidden iframe
|
||
|
x.push(s1); // unauth red
|
||
|
x.push(warns3); //encode status
|
||
|
x.push(red2); //meta
|
||
|
x.push(Domainreport); //ext domain
|
||
|
x.push(red1); //trackers
|
||
|
|
||
|
|
||
|
popupPort.postMessage({"popupinfo": JSON.stringify(x)});
|
||
|
|
||
|
});
|
||
|
|
||
|
|