nemo
/
js-guard
mirror of https://github.com/captn3m0/js-guard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
js-guard/firefox/content_script.js

1702 lines
72 KiB
JavaScript
Raw Permalink Blame History

/*
Copyright (c) 2009-2010 C-DAC
All Rights Reserved
Developed by:
C-DAC Hyderabad
Project:
MPS-II
Module Name:
dD.js
************ Module for
i. accesing user requested webpage and monitor for vulnerable tags & javascript injections
ii. injecting a script into webpage to acess javascript functions & its arguments and check for maliciousness ***********************************************************************************************/
//To get full URL
var fullurl=window.location.href;
//only proto
var proto=location.protocol;
var score_ifd=0,score_w=0,score_ev=0,score_sh=0,score_req=0,score=0,shellp1=[],docWrite1=[],re1=[],req1=[],reqq1=[],alertt2=[],alertt3=[];//create global arrays to store the parameters of dynamic functions
/*
* Calling handy injection function for injecting the variables into the webpage
* @returns {undefined}
*/
addJS_Node ("var count=0,shellp=[],docWrite=[],re=[],req=[],reqq=[],alert2=[],alert3=[],al2='';");// create local arrays
/*
* Creating hook to document.create and document.write for obtaining the
* parameters of the respective methods
* @returns {undefined}
*/
function LogDocCreateElement ()
{
var host1=document.location.hostname;
try{
var oldDocumentCreateElement = document.createElement;
document.createElement = function(tagName)
{
var elem = oldDocumentCreateElement.apply (document, arguments);
if (tagName === "script"){
getScriptAttributes (elem, tagName); //Identifying the attributes of suspicious tags
}
if (tagName === "iframe"){
getScriptAttributes (elem, tagName);
}
if (tagName === "a"){
getScriptAttributes (elem, tagName);
}
if (tagName === "link"){
getScriptAttributes (elem, tagName);
}
return elem;
}
//Creating hook to document.write to obtain the parameters of the method
var oldDocumentWrite = document.write;
document.write = function (str)
{
var host1=document.location.hostname;
var elem1 = oldDocumentWrite.apply (document,arguments);
/*
* Filling the content of doc.write into the docWrite array variable
* which is already injected into the webpage
*/
docWrite.push(str);
if(str.length > 20){
encodeJs(str); // verifying the existance of encoded JS
nonPrint(str); //verifying the presence of shellcode;
}
/*
* Checking whether any tags are created through doc.write content
* Uses DOM parser for converting string into DOM format
* @type DOMParser
*/
var parser = new DOMParser();
var div = parser.parseFromString(str, "text/html");
//Verifying the presence of suspicious tags
var tagifr=div.getElementsByTagName("iframe");
var tagsc=div.getElementsByTagName("script");
//iframe properties
if(tagifr.length>0){
/* ---- Retrieving the attributes of the iframe tag ---- */
for(var j=0;j<tagifr.length;j++)
{
if(tagifr[j].src){
var x,y,styl,src,ext;
x=tagifr[j].height; // height
y=tagifr[j].width; // width
styl=tagifr[j].style;
src=tagifr[j].src;
if(x || y || styl)
{
if(x)
{
if(x.match(/px/gi))
{
ext = x.substring(0, x.length-2);
if(ext < 3)
{
domainmatch(src);
}
}
else if(x<3)
{
domainmatch(src);
}
}
else if(y)
{
if(y.match(/px/gi))
{
ext = y.substring(0, y.length-2);
if(ext < 3)
{
domainmatch(src);
}
}
else if(y<3)
{
domainmatch(src);
}
}
else if(styl)
{
var str,d=0;
if(String(styl).match(/;/))
{
var arr_str = String(styl).split(";");
while(d < arr_str.length){
str = arr_str[d].split(":");
if(str[0] === "height" || str[0] === "width"){
var ext = str[1].substring(0, str[1].length-2);
if(ext < 3){
domainmatch(src);
}
}
else if(str[0] === "left" || str[0] === "right" || str[0] === "top" || str[0] === "bottom"){
var ext = str[1].substring(0, str[1].length-2);
if(ext < -99){
domainmatch(src);
}
}
else if(str[0] === "visibility" || str[0] === "display"){
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
domainmatch(src);
}
}
d++;
}
}
else if(String(styl).match(/:/))
{
str = String(styl).split(":");
if(str[0] === "visibility" || str[0] === "display"){
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
domainmatch(src);
}
}
}
}
}
}
}
}
/*
* Monitoring the Script tag creating through doc.write
*/
if(tagsc.length>0)
{
for(var m=0;m<tagsc.length;m++)
{
if(tagsc[m].src)
{
var flag1=0,srcc1, srcc, src2, patt2=/.js/g ;
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
var myvar = tagsc[m].src;
srcc1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
var parts = srcc1.split('.');
var srcc = parts.slice(-1).join('.');
// filtered com/in/net sites to reduce false positives
/* for(var k=0;k<TLDS.length;k++)
{
if(srcc.match(TLDS[k]) !== null){
flag1=1;
}
}*/ // commented bcoz anyway we r cross verifying with gsb
/*
* Finding Redirectors in Script tag if the domain name
* does not belongs to TLDS array patterns
*/
if(host1.match(srcc1) === null && srcc1.match(host1) === null && flag1 === 0 && !re.length){
//if((host1.match(srcc1) === null && myvar.match(host1) === null) && tagsc[m].src.match(host1) === null && flag1 === 0 && !re.length){
var talert1="";
if(tagsc[m].src.match(patt2) !== null){
if(tagsc[m].src.match("\\.js.php")!==null || tagsc[m].src.match("\\.php.js")!==null || tagsc[m].src.match("jquery.min.php")!==null){
src2='Evil URL(s) ::<br> '+srcc1;
talert1 += "\n"+srcc1;
re.push('Threat:: Malicious JS Redirector<br>'+src2);
req.push('<b>Malicious JS:Redirector</b><br>'+src2);
}
}
//checking for non js(php/asp) pattern
else {
if(tagsc[m].src.match("\\.php")!==null ){
src2='Evil URL is ::: '+srcc1;
talert1 += "\n"+srcc1;
re.push('Threat:: Malicious JS Redirector<br>'+src2);
req.push('<b>Malicious JS Redirector</b><br>'+src2);
}
}
sessionStorage.setItem("alertsc1", JSON.stringify(talert1));
}
}
}
}//if
return elem1;
}
}//try
catch(err)
{
//alert("error");
}
/*
* Detecting Encoded JavaScript in the content of the doc.write
* @param {type} text
* @returns {undefined}
*/
function encodeJs(text)
{
var scriptstring = text.replace(/(\r\n|\n|\r)/gm,""); //convert the innerHTML to one line, easier to match
if(scriptstring.length>250){
/*dividing into lines, then words, then word size*/
var words;
var lines = scriptstring.split(";");
for(var m = 0; (lines !== null) && (m<lines.length); m++) {
words = lines[m].split(" ");
for(var k = 0; (words !== null) && (k<words.length); k++) {
if(words[k].length > 5000){
shellp.push("Wdyn: 1 ");
}
}
}
// pecentage of digits in each script
var indScriptLength = scriptstring.length;
var indNumLength = scriptstring.replace(/\D/g, '').length;
var inddigitdensity=((indNumLength*100)/indScriptLength);
if(((indNumLength*100)/indScriptLength) > 30){
shellp.push("IDDdyn: 1 ");
}
/* n-gram for individual script*/
var specialChars = new Array (/%/g,/$/g,/</g,/>/g,/@/g,/!/g,/#/g,/^/g,/&/g,/\*/g,/\(/g,/\)/g,/_/g,/\+/g,/\[/g,/\]/g,/\{/g,/\}/g,/\?/g,/:/g,/;/g,/'/g,/"/g,/,/g,/\./g,/\//g,/~/g,/\`/g,/-/g,/=/g,/\\/g);
var totalnumbersc=0, encodenumbers=0, encodedanddigitnumbers=0;
for(var n = 0; n < specialChars.length;n++){
if(scriptstring.match(specialChars[n])){
totalnumbersc +=scriptstring.match(specialChars[n]).length;
if(n==0 || n== 4 || n == 5 || n==12 || n ==22 || n==23)
{
encodenumbers +=scriptstring.match(specialChars[n]).length;
}
}
}
encodedanddigitnumbers=(indNumLength) + (encodenumbers);
indspdensity=(encodedanddigitnumbers*100)/scriptstring.length;
if(indspdensity > 50){
// shellp.push("ISPdyn: 1 ");
var scriptstringN = scriptstring.replace(/[^a-zA-Z]/g,'');
if((scriptstringN.match(/unescape/g) || scriptstringN.match(/fromCharCode/g)) && !alert3){
alert3.push("Threat:: Encoded JavaScript Malware</n>");
shellp.push("Threat:: Encoded JavaScript Malware"+"<br>"+"Malicious content is:: " +scriptstring);
}
}
}
}
/*
* Detecting Non printable characters or shellcode in the content of doc.write
* @param {type} text
* @returns {undefined}
*/
function nonPrint(text)
{
var pat=/[^\x00-\x80]+/g;//Regex for checking non-printable characters
if(pat.test(text))
{
shellp.push("Non Printable characters are present\n");
shellp.push(text);
}
var r = new RegExp("^[a-f0-9]+$", 'i');//regex for identifying consecutive Hexadecimal characters in a string
if(r.test(text))
{
shellp.push("consecutive block of hexadecimal characters\n");
shellp.push(text);
}
}
/*
* Cross verify the source of the hidden iframe property with the host name
* of the original URL and if it does not belongs to the same origin then
* alerts the user
* @param {type} src
* @returns {undefined}
*/
function domainmatch(src)
{
/* //whitelist, 3rd party advertising sites and tracking sites*/
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/*/google/gi ,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVideo/gi , /TribalFusion/gi , /Tumri/gi , /Turn/gi , /TweetMeme/gi , /TwitterBadge/gi , /TyntTracer/gi , /Typekit/gi , /UnderdogMedia/gi , /UndertoneNetworks/gi , /Unica/gi , /ValueClick/gi , /ValuedOpinions/gi , /VibrantAds/gi , /VigLink/gi , /VisualSciences/gi , /VisualWebsiteOptimizer/gi , /VisualRevenue/gi , /ViziSense/gi , /Vizu/gi , /Vizury/gi ,/WebAds/gi , /Webtrends/gi , /Whos.amung.us/gi , /Wibiya/gi , /Woopra/gi , /WordpressStats/gi , /WorldNow/gi , /XGraph/gi , /Yadro/gi , /YahooBuzz/gi , /YahooWebAnalytics/gi , /YuMeNetworks/gi , /Zango/gi , /Zedo/gi , /Zemanta/gi , /e-planning/gi , /eXTReMe Tracking/gi , /eXelate/gi , /etracker/gi , /iPerception/gi, /bs.serving-sys.com/gi, /hitwebcounter/gi, /freecounterstat/gi, /yieldmanager/gi, /adnxs/gi, /scorecard/gi);
var flag=0, src1, dalert2="", srcc1;
al2+=reqq;
srcc1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
if((host1.match(srcc1) === null && src.match(host1) === null) && al2.match(srcc1) ===null){
for(var m=0;m<whitelist.length;m++)
{
if(srcc1.match(whitelist[m]) !== null){
flag=1;
return;
}
}
if(flag===0 && !al2){
dalert2 += "\n"+srcc1;
alert2.push("\n"+srcc1);
reqq.push("<b>JS:Hidden Iframe<br>URL(s)::</b><br>==>"+src);
}
else if(flag===0 && al2 && al2.match(srcc1) === null){
alert2.push("\n"+srcc1);
reqq.push("<br>==>"+src);
dalert2 += "\n"+srcc1;
}
sessionStorage.setItem("alertif1", dalert2);
}
}
shellp1=shellp;
docWrite1=docWrite;
re1=re;
req1=req;
reqq1=reqq;
alertt2=alert2;
alertt3=alert3;
}
/*
* Analyzing the content of document.createElement function
* @param {type} elem : Properties of tags present in the contents
* @param {type} tagName : Name of the tag present in the contents
* @param {type} timerIntVar
* @returns {undefined}
*/
function getScriptAttributes (elem, tagName, timerIntVar)
{
var host1=document.location.hostname;
/*--- Because the tags won't be set for some while, we need
to poll for when they are added.
---Tracking the attributes which can redirect to malcious web page---*/
if (elem.src && elem.src !== "/blank.html" && elem.src !=="about:blank")
{
doneWaiting ();
var flag1=0, src2, srcc1, srcc, patt2=/.js/g ;
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
var myvar = elem.src;
srcc1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
var parts = srcc1.split('.');
srcc = parts.slice(-1).join('.');
/* for(var m=0;m<TLDS.length;m++)
{
if(srcc.match(TLDS[m]) !== null){
flag1=1;
}
}*/ // anyway cross verifying with gsb
if(tagName === "iframe")
{
var x,y,src,ext;
x=elem.height; // height
y=elem.width; // width
stylh=elem.style.height; //style
stylw=elem.style.width;
styll=elem.style.left; //style
stylr=elem.style.right;
stylt=elem.style.top; //style
stylb=elem.style.bottom;
stylv=elem.style.visibility;
styld=elem.style.display;
src=elem.src;
if(x || y || stylh || stylw || stylv || styld)
{
if(x)
{
if(x.match(/px/gi))
{
var ext = x.substring(0, x.length-2);
if(ext < 3)
{
domainmatch1(src);
}
}
else if(x<3)
{
domainmatch1(src);
}
}
if(y)
{
if(y.match(/px/gi))
{
var ext = y.substring(0, y.length-2);
if(ext < 3)
{
domainmatch1(src);
}
}
else if(y<3)
{
domainmatch1(src);
}
}
if(stylh)
{
if(stylh.match(/px/gi))
{
var ext = stylh.substring(0, stylh.length-2);
if(ext < 3)
{
domainmatch1(src);
}
}
else if(stylh<3)
{
domainmatch1(src);
}
}
if(stylw)
{
if(stylw.match(/px/gi))
{
var ext = stylw.substring(0, stylw.length-2);
if(ext < 3)
{
domainmatch1(src);
}
}
else if(stylw<3)
{
domainmatch1(src);
}
}
if(stylv)
{
if(stylv.match(/hidden/gi))
{
domainmatch1(src);
}
}
if(styld)
{
if(styld.match(/none/gi))
{
domainmatch1(src);
}
}
}
if(styll || stylr || stylt || stylb)
{
if(styll){
var ext = styll.substring(0, styll.length-2);
if(ext < -99)
{
domainmatch1(src);
}
}
if(stylr){
var ext = stylr.substring(0, stylr.length-2);
if(ext < -99)
{
domainmatch1(src);
}
}
if(stylt){
var ext = stylt.substring(0, stylt.length-2);
if(ext < -99)
{
domainmatch1(src);
}
}
if(stylb){
var ext = stylb.substring(0, stylb.length-2);
if(ext < -99)
{
domainmatch1(src);
}
}
}
} //iframe
else if(elem.src.match(host1) === null && host1.match(srcc1) === null && flag1 === 0 && !re.length){
var myvar = elem.src,ttalert1="";
var s1=myvar.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
if(elem.src.match(patt2) !== null){
if(elem.src.match("\\.js.php")!==null || elem.src.match("\\.php.js")!==null || elem.src.match("jquery.min.php")!==null){
src2='Evil URL(s) ::: '+elem.src;
ttalert1 += "\n"+elem.src;
re.push('Threat:: Malicious JS Redirector<br>'+src2);
req.push('<b>Malicious JS Redirector</b><br>'+src2);
}
}
//checking for non js(php/asp) pattern
else {
if(elem.src.match("\\.php")!==null ){//console.log("dcs: "+s1);
src2='Evil URL is ::: '+s1;
ttalert1 += "\n"+elem.src;
re.push('Threat:: Malicious JS Redirector<br>'+src2);
req.push('<b>Malicious JS Redirector</b><br>'+src2);
}
}
sessionStorage.setItem("alertsc2", JSON.stringify(ttalert1));
}
}
else
{
if ( ! timerIntVar) //Setting the time interval to wait for the tags untill they are well-set
{
var timerIntVar = setInterval
(
function ()
{
getScriptAttributes (elem, tagName,timerIntVar);
},
50
);
}
}
function doneWaiting () //clear the time interval when the tags are set
{
if (timerIntVar)
{
clearInterval (timerIntVar);
}
}
function domainmatch1(src){
//whitelist, 3rd party advertising sites and tracking sites
var dots=src.match(/\./g);
if(src === null || !dots){
return;
}
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/*/google/gi,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVideo/gi , /TribalFusion/gi , /Tumri/gi , /Turn/gi , /TweetMeme/gi , /TwitterBadge/gi , /TyntTracer/gi , /Typekit/gi , /UnderdogMedia/gi , /UndertoneNetworks/gi , /Unica/gi , /ValueClick/gi , /ValuedOpinions/gi , /VibrantAds/gi , /VigLink/gi , /VisualSciences/gi , /VisualWebsiteOptimizer/gi , /VisualRevenue/gi , /ViziSense/gi , /Vizu/gi , /Vizury/gi ,/WebAds/gi , /Webtrends/gi , /Whos.amung.us/gi , /Wibiya/gi , /Woopra/gi , /WordpressStats/gi , /WorldNow/gi , /XGraph/gi , /Yadro/gi , /YahooBuzz/gi , /YahooWebAnalytics/gi , /YuMeNetworks/gi , /Zango/gi , /Zedo/gi , /Zemanta/gi , /e-planning/gi , /eXTReMe Tracking/gi , /eXelate/gi , /etracker/gi , /iPerception/gi, /bs.serving-sys.com/gi, /hitwebcounter/gi, /freecounterstat/gi, /yieldmanager/gi, /adnxs/gi, /scorecard/gi);
var flag=0, ddalert2="",srcc1;
al2+=reqq;
srcc1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
if((host1.match(srcc1) === null && src.match(host1) === null) && al2.match(srcc1) ===null){
for(var m=0;m<whitelist.length;m++)
{
if(srcc1.match(whitelist[m]) !== null){//alert("alert");
flag=1;
return;
}
}
if(flag===0 && !al2){
alert2.push("\n"+srcc1);
ddalert2 += "\n"+srcc1;
reqq.push("<b>JS:Hidden Iframe<br>URL(s)::</b><br>==>"+src);
}
else if(flag===0 && al2 && al2.match(srcc1) === null){
alert2.push("\n"+srcc1);
ddalert2 += "\n"+srcc1;
reqq.push("<br>==>"+src);
}
sessionStorage.setItem("alertif2",ddalert2);
}
}
}
//---Injecting the above methods to the web page
addJS_Node (getScriptAttributes.toString());
//---Injecting the above method to the web page
addJS_Node (null, null, LogDocCreateElement);
//--- Handy injection function.
function addJS_Node (text, s_URL, funcToRun) {
/*--- This function is for injecting the desired functionality in the web page by creating a script tag */
var D = window.document;
var scriptNode = D.createElement ('script');
scriptNode.type = "text/javascript";
if (text){ scriptNode.textContent = text;}
if (s_URL){ scriptNode.src = s_URL;}
if (funcToRun) scriptNode.textContent = '(' + funcToRun.toString() + ')()';
var targ = D.getElementsByTagName ('head')[0] || D.body || D.documentElement;
targ.appendChild (scriptNode);
targ.removeChild (scriptNode);
}
/* when the page is loaded Send emit all the parameters to addon sciript */
$(document).ready(function(){
/* adding css to alert */
var css =' #cdac_container { font-family: Arial, sans-serif !important; font-size: 12px !important; min-width: 300px !important;max-width: 600px !important; text-align: inherit !important; background: #e8f9ff !important; border: solid 5px #B40404 !important; color: #000 !important; -webkit-border-radius: 5px !important; border-radius: 5px !important;} #cdac_title { display: inherit !important; font-family: inherit !important; font-size: 14px !important; font-weight: bold !important; text-align: left !important; line-height: 1.75em !important; color: #FFF !important; text-shadow: inherit !important; height:inherit !important; width:inherit !important; position:static !important; background: #B40404 repeat-x center top !important; border: solid 1px #B40404 !important; border-bottom: solid 1px #B40404 !important; cursor: default !important; padding: 0em !important; margin: 0em !important; float: none !important; } .cdac_inputred { background: none !important; background-color:#E6E6E6 !important; color:#DF3A01 !important; font-weight: bold;} .cdac_inputgreen { background: none !important; background-color: #E6E6E6 !important; color:#298A08 !important; font-weight: bold;} #cdac_content { padding: 1em 1.75em !important; margin: 0em !important; } #cdac_message { padding-left: 48px !important; color: #000 !important; } #cdac_panel { text-align: center !important; margin: 1em 0em 0em 1em !important; } #cdac_prompt { margin: .5em 0em !important; }#cdac_content.confirm { background:16px 16px no-repeat url(cdac18.png) !important;}',
head = document.getElementsByTagName('head')[0],
style = document.createElement('style');
style.type = 'text/css';
if (style.styleSheet){
style.styleSheet.cssText = css;
} else {
style.appendChild(document.createTextNode(css));
}
head.appendChild(style);
var i,ev="",res="",reqs="";var docW="";var reqqs="";var shellps="";var alertts="",encodes="",Head="CDAC's Browser JSGuard Warning";
if (typeof window.re1 != 'undefined') {
//console.log("window.re1 success");
if( window.re1.length>0)
{
for(i=0;i< window.re1.length;i++)
{
res+= window.re1[i]+"<br>";
}
score_req=1;
}
if( window.req1.length>0)
{
for(i=0;i< window.req1.length;i++)
{
reqs+= window.req1[i]+"<br>";
}
score_req=1;
}
if( window.reqq1.length>0)
{
for(i=0;i< window.reqq1.length;i++)
{
reqqs+= window.reqq1[i]+"<br>";
}
score_ifd=1;
}
if( window.alertt2.length>0)
{
for(i=0;i< window.alertt2.length;i++)
{
//alertts+= alertt2[i]+"<br>";
alertts+= window.alertt2[i];
}
score_ifd=1;
}
if( window.alertt3.length>0)
{
for(i=0;i< window.alertt3.length;i++)
{
encodes+= window.alertt3[i]+"<br>";
}
score_ifd=1;
}
if( window.docWrite1.length>0)
{
for(i=0;i< window.docWrite1.length;i++)
{
docW+= window.docWrite1[i]+"<br>";
}
score_w=1;
}
if( window.shellp1.length>0)
{
for(i=0;i< window.shellp1.length;i++)
{
shellps+= window.shellp1[i]+"<br>";
}
score_sh=1;
}
}
else{
if( re1.length>0)
{
for(i=0;i< re1.length;i++)
{
res+= re1[i]+"<br>";
}
score_req=1;
}
if( req1.length>0)
{
for(i=0;i< req1.length;i++)
{
reqs+= req1[i]+"<br>";
}
score_req=1;
}
if( reqq1.length>0)
{
for(i=0;i< reqq1.length;i++)
{
reqqs+= reqq1[i]+"<br>";
}
score_ifd=1;
}
if( alertt2.length>0)
{
for(i=0;i< alertt2.length;i++)
{
//alertts+= alertt2[i]+"<br>";
alertts+= alertt2[i];
}
score_ifd=1;
}
if( alertt3.length>0)
{
for(i=0;i< alertt3.length;i++)
{
encodes+= alertt3[i]+"<br>";
}
score_ifd=1;
}
if( docWrite1.length>0)
{
for(i=0;i< docWrite1.length;i++)
{
docW+= docWrite1[i]+"<br>";
}
score_w=1;
}
if( shellp1.length>0)
{
for(i=0;i< shellp1.length;i++)
{
shellps+= shellp1[i]+"<br>";
}
score_sh=1;
}
}
score=score_ifd+score_ev+score_sh+score_w;
//whitelistgi , 3rd party advertising sites and tracking sites
var whitelist = new Array (/about:blank/gi,/blank.html/gi,/wp/gi,/javascript:/gi,/*/google/gi ,*//facebook/gi ,/youtube/gi ,/quantserve/gi ,/vizury/gi , /Media/gi , /33across/gi , /AOLAdvertising/gi , /AWeber/gi , /Acerno/gi , /AcxiomRelevance-X/gi , /AdLegend/gi , /AdMeld/gi , /AdNexus/gi , /AdSafe/gi , /AdShuffle/gi , /AdTech/gi , /Adap.TV/gi , /AdaptiveBlueSmartlinks/gi , /AdaraMedia/gi , /Adblade/gi , /Adbrite/gi , /Adcentric/gi , /Adconion/gi , /AddThis/gi , /AddToAny/gi , /Adify/gi , /Adition/gi , /Adjuggler/gi , /AdnetInteractive/gi , /Adnetik/gi , /Adreactor/gi , /Adrolays/gi , /Adroll/gi , /Advertise.com/gi , /Advertising.com/gi , /Adxpose/gi , /Adzerk/gi ,/affinity/gi , /AggregateKnowledge/gi , /AlexaMetrics/gi , /AlmondNet/gi , /Aperture/gi , /BTBuckets/gi , /Baynote/gi , /Bing/gi , /Bizo/gi , /BlogRollr/gi , /Blogads/gi , /BlueKai/gi , /BlueLithium/gi , /BrandReach/gi , /BrightTag/gi , /Brightcove/gi , /Brightroll/gi , /Brilig/gi , /BurstMedia/gi , /BuySellAds/gi , /CNETTracking/gi , /CPXInteractive/gi , /CasaleMedia/gi , /CedexisRadar/gi , /CertonaResonance/gi , /Chango/gi , /ChannelAdvisor/gi , /ChartBeat/gi , /Checkm8/gi , /Chitika/gi , /ChoiceStream/gi , /ClearSaleing/gi , /ClickDensity/gi , /Clickability/gi , /Clicksor/gi , /Clicktale/gi , /Clicky/gi , /CognitiveMatch/gi , /Collarity/gi , /CollectiveMedia/gi , /Comscore Beacon/gi , /Connextra/gi , /ContextWeb/gi , /CoreMetrics/gi , /CrazyEgg/gi , /Criteo/gi , /Cross PixelMedia/gi , /CrowdScience/gi , /DC Storm/gi , /Dapper/gi , /DedicatedMedia/gi , /Demandbase/gi , /Demdex/gi , /DeveloperMedia/gi , /Didit/gi , /DiggWidget/gi , /DiggThis/gi , /Disqus/gi , /Dotomi/gi , /DoubleVerify/gi , /Doubleclick/gi , /DynamicLogic/gi , /EffectiveMeasure/gi , /Eloqua/gi , /Ensighten/gi , /EpicMarketplace/gi , /Etology/gi , /Evidon/gi , /Exponential/gi , /EyeWonder/gi , /Facebook Beacon/gi , /FacebookConnect/gi , /FederatedMedia/gi , /Feedjit/gi , /FetchBack/gi , /Flashtalking/gi , /ForeseeResults/gi , /FoxAudienceNetwork/gi , /FreeWheel/gi , /GetSatisfaction/gi , /Gigya/gi , /GlamMedia/gi , /Gomez/gi , /GoogleAdsense/gi , /GoogleAdwordsConversion/gi , /GoogleAnalytics/gi , /GoogleFriendConnect/gi , /GoogleWebsiteOptimizer/gi , /GoogleWidgets/gi , /Gravatar/gi , /Gravity/gi , /Hellobar/gi , /HitTail/gi , /Hurra/gi , /InfoLinks/gi , /Inkfrog/gi , /InsightExpress/gi , /InterClick/gi , /InviteMedia/gi , /Iovation/gi , /KissMetrics/gi , /KonteraContentLink/gi , /KruxDigital/gi , /LeadLander/gi , /Leadformix/gi , /Leadsius/gi , /LifeStreet Media/gi , /Lijit/gi , /LinkedIn/gi , /Linkshare/gi , /LiveInternet/gi , /LivePerson/gi , /Lotame/gi , /LucidMedia/gi , /LyrisClicktracks/gi , /MAGNETIC/gi , /MSNAds/gi , /MarinSoftware/gi , /MarketGID/gi , /Marketo/gi , /MaxPointInteractive/gi , /Maxymizer/gi , /MediaInnovationGroup/gi , /Media6Degrees/gi , /MediaMath/gi , /MediaMind/gi , /MediaPlex/gi , /Meebo/gi , /Mercent/gi , /Meteor/gi , /MicrosoftAnalytics/gi , /MicrosoftAtlas/gi , /MindsetMedia/gi , /Mint/gi , /Mixpanel/gi , /Monetate/gi , /MyBlogLog/gi , /NDN/gi , /Navegg/gi , /NetMining/gi , /NetShelter/gi , /NetratingsSiteCensus/gi , /NewRelic/gi , /NewsRight/gi , /NextAction/gi , /Nuggad/gi , /Omniture/gi , /OpenAds/gi , /OpenX/gi , /Optimizely/gi , /Optimost/gi , /OutBrain/gi , /OwnerIQ/gi , /PO.ST/gi , /Parse.ly/gi , /Piwik/gi , /PointRoll/gi , /PostRank/gi , /Pubmatic/gi , /Qualaroo/gi , /Quantcast/gi , /QuigoAdsonar/gi , /RadiumOne/gi , /RapLeaf/gi , /RealMedia/gi , /Reinvigorate/gi , /Relestar/gi , /RevenueScience/gi , /RevenueMantra/gi , /RightMedia/gi , /RocketFuel/gi , /Rubicon/gi , /RubiconProject/gi , /SafeCount/gi , /Salesforce/gi , /ShareThis/gi , /SiteMeter/gi , /SiteScout/gi , /SkimLinks/gi , /Smart Adserver/gi , /Snaps/gi , /Snoobi/gi , /Specific Meida/gi , /SpecificClick/gi , /Sphere/gi , /StatCounter/gi , /TARGUSinfoAdAdvisor/gi , /Taboola/gi , /Tacoda/gi , /TeaLeaf/gi , /Tealium/gi , /Technorati/gi , /TechnoratiMedia/gi , /Tellapart/gi , /Teracent/gi , /TestandTarget/gi , /TidalTV/gi , /TorbitInsight/gi , /TradeDoubler/gi , /TravelAdvertising/gi , /TremorVideo/gi , /TribalFusion/gi , /Tumri/gi , /Turn/gi , /TweetMeme/gi , /TwitterBadge/gi , /TyntTracer/gi , /Typekit/gi , /UnderdogMedia/gi , /UndertoneNetworks/gi , /Unica/gi , /ValueClick/gi , /ValuedOpinions/gi , /VibrantAds/gi , /VigLink/gi , /VisualSciences/gi , /VisualWebsiteOptimizer/gi , /VisualRevenue/gi , /ViziSense/gi , /Vizu/gi , /Vizury/gi ,/WebAds/gi , /Webtrends/gi , /Whos.amung.us/gi , /Wibiya/gi , /Woopra/gi , /WordpressStats/gi , /WorldNow/gi , /XGraph/gi , /Yadro/gi , /YahooBuzz/gi , /YahooWebAnalytics/gi , /YuMeNetworks/gi , /Zango/gi , /Zedo/gi , /Zemanta/gi , /e-planning/gi , /eXTReMe Tracking/gi , /eXelate/gi , /etracker/gi , /iPerception/gi, /bs.serving-sys.com/gi, /hitwebcounter/gi, /freecounterstat/gi, /yieldmanager/gi, /adnxs/gi, /scorecard/gi);
/*plugin score */
var plugcnt = 0;
/*variables for sending log details to panel widget
* (meta, iframe, unauth red,encoded js, ext domains respectively)
*/
var warns="",warns1="",warns2="",warns3="",Domainreport="";
/* patterns */
var patt=/www/gi, patt1=/http/gi;
var TLDS = new Array(/com/gi, /net/gi, /in/gi);
/*variables for scrptTag function*/
var scrpa="";
/*variables for imgTag function*/
var socpa="";
/*variables for iframeTag function*/
var alert2="", count=0;
/*variables for scriptTag function*/
var alert2sc="", countsc=0;
/*variables for encodeJS function*/
var alert3="",encode1="";
/*variables for UATag function*/
var alert2UA="", countUA=0;
/*other tags like object, meta, anchor and link*/
var plugs="",vulplug="",redirect1="",red1="",redirect2="",red2="";
/*Retreiving domain name from the URL*/
var hostt, host;
hostt = window.location.host;
host = hostt.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
// It holds the tags to be monitored in the incoming web page
var monitorTags = new Array("script","img","area","link","frame","form","embed","applet","meta","object","iframe");
//variables to corresponding tags
var tagsArray = new Array("scrtag", "imgsrc", "are","lin","fra","frm","emb","app","met","obje","ifr");
//attributes of corresponding tags
var attrArray = new Array("src", "src","href","href","src","action","src","codebase","content","classid","src");
for(var i = 0; i<monitorTags.length; i++)
{
if((document.getElementsByTagName(monitorTags[i])).length > 0)
{
switch(i)
{
case 0:scrptTag();
break;
case 1:imgTag();
break;
case 2:
case 3:
case 4:
case 5:
case 6:
case 7:
case 8:
case 9:findhref();
break;
case 10:iframeTag();
break;
default: warns +="no tags"+ "<br>";
}
}
}
/*individual functions of switch */
/* This function monitors the iframe tags in the incoming web page */
function iframeTag()
{
var k,ifrm,widt,hgt,styl,src;
ifrm = document.getElementsByTagName("iframe");
/* Monitoring and checking width, height and style properties of every iframe*/
for(k=0;k<ifrm.length;k++)
{
widt=ifrm[k].getAttribute("width");
hgt=ifrm[k].getAttribute("height");
styl=ifrm[k].getAttribute("style");
src =ifrm[k].getAttribute("src");
if(src===null || src === "/blank.html" || src === "about:blank"){
continue;
}
/*if the height or width of iframe is very small, i.e, lessthan 3 */
if(hgt < 3 && hgt !== null) {
domainmatch(src,ifrm,k);
}
if(widt < 3 && widt !== null){
domainmatch(src,ifrm,k);
}
/* if style property contains height, width or some content and if "src" present */
if(styl){
var str, d=0;
if(styl.match(/;/)) {
var arr_str = styl.split(";");
while(d < arr_str.length){
str = arr_str[d].split(":");
if(str[0] === "height" || str[0] === "width"){
var ext = str[1].substring(0, str[1].length-2);
if(ext < 3){
domainmatch(src,ifrm,k);
}
}
else if(str[0] === "left" || str[0] === "right" || str[0] === "top" || str[0] === "bottom"){
var ext1 = str[1].substring(0, str[1].length-2);
if(ext1 < -99){
domainmatch(src,ifrm,k);
}
}
else if(str[0] === "visibility" || str[0] === "display"){
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
domainmatch(src,ifrm,k);
}
}
d++;
}
}
else if(styl.match(/:/))
{
str = styl.split(":");
if(str[0] === "visibility" || str[0] === "display"){
if(str[1].match(/hidden/gi) || str[1].match(/none/gi)){
domainmatch(src,ifrm,k);
}
}
}
}
/* write code to find domain in src if it iframe not hidden */
if(src)
{
extdomain(src);
}
}
}
/*
* Cross verify the source of the hidden iframe property with the host name
* of the original URL and if it does not belongs to the same origin then
* alerts the user
* */
function domainmatch(src,ifrm,k)
{
var flag=0,src1;
src1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
if(alert2.match(src1) === null){
for(var m=0;m<whitelist.length;m++)
{
if(src1.match(whitelist[m]) !== null){
var n=whitelist[m].toString().length;
var temp=whitelist[m].toString().substring(1,n-3);
if(redirect1.match(temp) === null){
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
}
flag=1;
return;
}
}
if(flag===0 && !alert2){
alert2 += "\n"+src1; count++;
warns1 += "<b>HTML:Hidden Iframe</b>"+"<br>"+"<b>URL(s)::</b><br>==>" +src+"<br>";
//ifrm[k].setAttribute("src",null);
}
else if(flag===0 && alert2 && warns1.match(src1) === null){
alert2 += "\n"+src1;count++;
warns1 += "<br>==>"+src+"<br>";
//ifrm[k].setAttribute("src",null);
}
}
}
/*
* Monitoring UnAuthorized redirections through image tag
* @returns {undefined}
*/
function imgTag()
{
var i, k, wid, hig, len, soc, soc1, flag = -1;
/*
* Image formats to be monitored
* @type Array
*/
var format = new Array(/png/gi, /jpg/gi, /gif/gi, /bmp/gi, /jpeg/gi, /Icons/gi, /ico/gi, /amp/gi);
var imgsrc = document.getElementsByTagName("img");
len = imgsrc.length;
for(i=0;i<len;i=i+1)
{
var flag1=0;
soc = imgsrc[i].getAttribute("src");
wid = imgsrc[i].getAttribute("width");
hig = imgsrc[i].getAttribute("height");
if(soc === null ){
continue;
}
socpa=getFileName(soc);
soc1=soc.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
var parts = soc1.split('.');
var socc = parts.slice(-1).join('.');
// whitelist TLDS for reduce false positive
/*for(var m=0;m<TLDS.length;m++)
{
if(socc.match(TLDS[m]) !== null){
flag1=1;
}
}*/
//if it is tracker, stop here
for(var m=0;m<whitelist.length;m++)
{
if(soc1.match(whitelist[m]) !== null){
var n=whitelist[m].toString().length;
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
flag=1;
return;
}
}
// if it is same origin or tracker stop here
if(host.match(soc1) !== null || soc.match(host) !== null || flag1 === 1){
continue;
}
for(k=0; k<format.length; ++k)
{
//searching for image extensions, i.e. .jpg.........
if(soc.match(format[k]) !== null) {
if(socpa) {
if(socpa.match(".php\\.")!==null ){
domainmatchUA(soc1);
}
}
flag = 1;
break;
}
}if(flag !== 1) {
if(socpa){
if(socpa.match("\\.php")!==null ){
domainmatchUA(soc1);
}
}
}
// If the image is hidden, hidden activity will be displayed in the panel
if((wid < 1 && wid !== null)||(hig < 1 && hig !== null))
{
warns2 += "<br><b>Threat::Hidden Image::</b>"+"<br>==>"+soc+"<br>";
}
else {
extdomain(soc);
}
}
}
/*
* Monitoring Script tag for detecting UnAuthorized redirections and
* Encoded JavaScript
* @returns {undefined}
*/
function scrptTag()
{
var len, scr,scr1,scrr, patt2=/.js/g;
var scrpt = document.getElementsByTagName("script");
var totalScript = "";
var enablewordsize=0,enableinddigiden=0;
len = scrpt.length;
for(var i=0;i<len;i++)
{
//encoded js detection
var scriptstring = scrpt[i].innerHTML;
scriptstring = scriptstring.replace(/(\r\n|\n|\r)/gm,""); //convert the innerHTML to one line, easier to match
//scriptstring=scriptstring.replace(/(\/\*([\s\S]*?)\*\/)|(\/\/(.*)$)/gm, ''); //to remove commented javascript // or /* */
scriptstring = scriptstring.replace(/<!--[\s\S]+?-->/g,""); //to remove commented javascript <!-- //-->
scriptstring = scriptstring.replace(/<![CDATA[\s\S]+?]]>/g,""); // //to remove commented javascript <![CDATA //]]>
if(scriptstring.length>250){
/*
* dividing the script string into lines, words and
* then calculating word size
*/
var words;
var lines = scriptstring.split(";");
for(var m = 0; (lines !== null) && (m<lines.length); m++) {
words = lines[m].split(" ");
for(var k = 0; (words !== null) && (k<words.length); k++) {
if(words[k].length > 6500){
enablewordsize++;
}
}
}
// pecentage of digits in each script
var indScriptLength = scriptstring.length;
var indNumLength = scriptstring.replace(/\D/g, '').length;
var inddigitdensity=((indNumLength*100)/indScriptLength);
if(((indNumLength*100)/indScriptLength) >= 30){
enableinddigiden++;
}
/* n-gram for individual script*/
var specialChars = new Array (/%/g,/$/g,/</g,/>/g,/@/g,/!/g,/#/g,/^/g,/&/g,/\*/g,/\(/g,/\)/g,/_/g,/\+/g,/\[/g,/\]/g,/\{/g,/\}/g,/\?/g,/:/g,/;/g,/'/g,/"/g,/,/g,/\./g,/\//g,/~/g,/\`/g,/-/g,/=/g,/\\/g, /u/g, /x/g);
var totalnumbersc=0, encodenumbers=0, encodedanddigitnumbers=0;
for(var n = 0; n < specialChars.length;n++){
if(scriptstring.match(specialChars[n])){
totalnumbersc +=scriptstring.match(specialChars[n]).length;
if(n==0 || n==3 || n== 4 || n == 5 || n == 7 || n==8 || n==10 || n==12 || n==18 || n==19 || n ==22 || n==23 || n==28 || n ==31 || n==32)
{
encodenumbers +=scriptstring.match(specialChars[n]).length;
}
}
}
encodedanddigitnumbers=(indNumLength) + (encodenumbers);
var indspdensity=(encodedanddigitnumbers*100)/scriptstring.length;
var scriptstringN = scriptstring.replace(/[^a-zA-Z]/g,'');
var scriptstringNN = scriptstring.replace(/\</g,"&lt;"); //for <
var scriptstringNNN = scriptstringNN.replace(/\>/g,"&gt;"); //for >
scriptstring = scriptstring.replace(/ /g,"");
/*
* Searching for the functions unescape and fromCharCode in the script string
*/
if((scriptstringN.match(/unescape/g) || scriptstringN.match(/fromCharCode/g) || (scriptstringN.indexOf(/fro/g) < scriptstringN.indexOf(/mCharCode/g) )|| (scriptstringN.indexOf(/fromChar/g) < scriptstringN.indexOf(/Code/g) ) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omCh/g) < scriptstringN.indexOf(/arCode/g) ) || (scriptstringN.indexOf(/fro/g) < scriptstringN.indexOf(/mc/g) < scriptstringN.indexOf(/harCode/g)) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omCh/g) < scriptstringN.indexOf(/arCo/g)< scriptstringN.indexOf(/de/g)) || (scriptstringN.indexOf(/fr/g) < scriptstringN.indexOf(/omC/g) < scriptstringN.indexOf(/ha/g)< scriptstringN.indexOf(/rCode/g))) && !alert3 && indspdensity > 58){
alert3 += "Threat:: Encoded JavaScript Malware";
warns3 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br>" +scriptstringNNN+"<br>";
}/*
* Searching for suspicious string pattenrs inside unescape function
*/
else if((scriptstringN.match(/unescape/g) && scriptstringN.match(/newArray/g) && scriptstring.match(/%u9090/g)) && !alert3 && indspdensity > 25){
alert3 += "Threat:: Encoded JavaScript Malware";
warns3 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br>" +scriptstringNNN+"<br>";
}/*
* Searching for hex code starting with var.
* This will be displayed in panel report
*/
else if(scriptstringN.match(/var/g)&& !encode1 && !warns3 && indspdensity > 57){
encode1 += "<b>Threat:: Encoded JavaScript Malware</b>"+"<br>"+"<b>Malicious content is::</b><br> " +scriptstringNNN+"<br>";
}
}
totalScript += scriptstring+" ";
var flag1=0;
scr = scrpt[i].getAttribute("src");
if(scr === null ){
continue;
}
scr1=scr.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
var parts = scr1.split('.');
var scrr = parts.slice(-1).join('.');
if(scr.match(patt2) !== null || ( scr.match(patt) !== null || scr.match(patt1) !== null)){
extdomain(scr);
}
// whitelist TLDS for reduce false positive
/*for(var m=0;m<TLDS.length;m++)
{
if(scrr.match(TLDS[m]) !== null){
flag1=1;
}
}*/
if(host.match(scr1)!== null || scr.match(host) !== null )
{
continue;
}
scrpa=getFileName(scr);
if(scr.match(patt2) !== null){
if(scrpa){
if(scrpa.match("\\.js.php")!==null || scrpa.match("\\.php.js")!==null ){
domainmatchUA(scr1);
}
}
}
//checking for non js(php/asp) pattern
else {
if(scrpa){
if(scrpa.match("\\.php")!==null ){
domainmatchUA(scr1);
}
}
}
// find extdomains
if(scr.match(patt2) !== null || ( scr.match(patt) !== null || scr.match(patt1) !== null)){
extdomain(scr);
}
} //for loop ends
}
// Matches the UnAuth src property with the host name of the original URL and if it is not from same origin then alerts the user
function domainmatchUA(src)
{
var dots=src.match(/\./g);
if(src === null || !dots )
return;
if(alert2UA.match(src) === null){
if(!alert2UA){
alert2UA += "\n"+src; countUA++;
warns2 += "<b>HTML:Redirector::</b>"+"<br><b>URL(s)::</b><br>==>"+src+"<br>";
}
else if(alert2UA && warns2.match(src) === null){
alert2UA += "\n"+src;countUA++;
//warns2 += "Threat:: HTML:Redirector"+"<br>"+src+"<br>";
warns2 += "<br>==>"+src+"<br>";
}
}
}
/*function is_valid_url(url)
{
return url.match(/^(ht|f)tps?:\/\/[a-z0-9-\.]+\.[a-z]{2,4}\/?([^\s<>\#%"\,\{\}\\|\\\^\[\]`]+)?$/);
}*/
function findhref()
{
var conten;
var pattmeta1=/refresh/gi, pattmeta2=/index.php?spl=/g;
tagsArray[i] =document.getElementsByTagName(monitorTags[i]);
var alink=tagsArray[i];
for(var k=0;k<alink.length;k++)
{
var hr=alink[k].getAttribute(attrArray[i]);
if(hr){ //error checking
// display meta content
if(i=== 8)
{
// code to stop meta redirection == bad idea in some cases
/*
var i, refAttr;
var metaTags = document.getElementsByTagName('meta');
for i in metaTags {
if( (refAttr = metaTags[i].getAttribute("http-equiv")) && (refAttr == 'refresh') ) {
metaTags[i].parentNode.removeChild(metaTags[i]);
}
}
// report +="meta contains: "+hr+"\n";
*/
var str;
var refres=alink[k].getAttribute("http-equiv");
// if meta contains refersh attribute
if(refres && refres.match(pattmeta1)!==null){
//comparing content with known malicious patterns of meta content
conten=alink[k].getAttribute("content");
if(conten){
if(conten.match(pattmeta2)!==null){
warns +="meta redirected to known malicious contents<br>";
}
else{
// only url part
str = conten.split(";");
if(str[1] !== undefined && str[1].match(/url/gi) !== null){
var src=str[1].replace('url=','');
extdomain(src);
warns+="in meta tag after "+str[0]+" seconds,it will redirect to "+src+"<br>";
redirect2+="meta tag redirection to: "+src+"<br>";
}
}
}
}
continue;
}
/*
* Searching for the plugins inside the webpage and
* detecting vulnerable plugins through object ID
*/
if(i===9)
{
plugcnt++;
/* for(var m=0;m<clsidlist.length;m++)
{
if(hr.match(clsidlist[m])!==null){
warns+="vulnerable plugin<br>";
vulplug+="Threat:vulnerable plugin invoked<br><br>";
}
}
*/
}
/*
* Collecting all the external domains from various tags
*/
if(hr.match(patt) !== null || hr.match(patt1) !== null)
{
extdomain(hr);
}
}// if hr
}//for
}
/*
* This function gathers all the cross domain URLs coming through various
* vulnerable tags and filtering duplicate URLs and Same domain URLs
* @param {type} src : URL is the argument
* @returns {undefined}
*/
function extdomain(src)
{
try{
var src1;
src1=src.replace('http://','').replace('https://','').replace('www.','').split(/[/?#]/)[0];
var dots=src1.match(/\./g);
if((host.match(src1) === null && src1.match(host) === null) && Domainreport.match(src1)===null && dots){
alert2sc += "\n"+src1; countsc++;
Domainreport +="==>"+src1+"<br>";
//isTracker(src1);
for(var m=0;m<whitelist.length;m++)
{
if(src1.match(whitelist[m]) !== null){
var n=whitelist[m].toString().length;
var temp=whitelist[m].toString().substring(1,n-3);
if(redirect1.match(temp) === null){
redirect1+=whitelist[m].toString().substring(1,n-3)+"<br>";
}
}
}
}
}
catch(e){
}
}
/*
* Retreiving the resource name from the URL
* @param {type} path : URL including Resource name
* @returns {unresolved} : Returns Resource Name
*/
function getFileName(path)
{
if(path.match(/^((http[s]?|ftp):\/)?\/?([^:\/\s]+)(:([^\/]*))?((\/[\w/-]+)*\/)([\w\-\.]+[^#?\s]+)(\?([^#]*))?(#(.*))?$/i))
{
return path.match(/^((http[s]?|ftp):\/)?\/?([^:\/\s]+)(:([^\/]*))?((\/[\w/-]+)*\/)([\w\-\.]+[^#?\s]+)(\?([^#]*))?(#(.*))?$/i)[8];
}
}
/*
* Filling the default values for Reporting in Panel
*/
if(plugcnt){
plugs +=plugcnt+" plugins loaded in this webpage<br>";
if(vulplug){
plugs +=vulplug+"<br>";
}
}
/*
* Displaying trackers and Static Redirections in Report
*/
if(redirect1){
red1="Tracker(s) found:<br>"+redirect1;
}
if(redirect2){
red2="Static html redirections:<br>"+redirect2;
}
// code for adding dynamic iframes + static iframes
var ifrd1= "",ifrd2="";
ifrd1=sessionStorage.getItem("alertif1");
//ifrd1=JSON.parse(ifrd1);
ifrd2=sessionStorage.getItem("alertif2");
//ifrd2=JSON.parse(ifrd2);
if(ifrd1){
alertts=ifrd1;
}
if(ifrd2){
alertts=ifrd2;
}
if(ifrd1 && ifrd2){
alertts=ifrd1 + ifrd2;
}
//console.log("rcvd dynifr through session storage:",alertts);
var lines = alertts.split("\n");
var newlines=(lines.length)-1;
var count_if=0, alert_if;
if(alertts != alert2){
count_if = newlines + count;
alert_if = alertts + alert2;
}
else{
count_if = count;
alert_if = alert2;
}
var scd1= "",scdd1="",scd2="",scdd2="",ress="";
scd1=sessionStorage.getItem("alertsc1");
scdd1=JSON.parse(scd1);
scd2=sessionStorage.getItem("alertsc2");
scdd2=JSON.parse(scd2);
if(scdd1){
ress=scdd1;
}
if(scdd2){
ress=scdd2;
}
if(scdd1 && scdd2){
ress=scdd1+scdd2;
}
// code for adding dynamic scripts + static scripts
var lines1 = ress.split("\n");
var newlines1=(lines1.length)-1;
var count_sc=0, alert_sc="";
if(alert2UA != ress){
count_sc=newlines1+countUA;
alert_sc=ress+alert2UA;
}
else{
count_sc = countUA;
alert_sc = alert2UA;
}
var s2="", s1="";
var HostProto=proto+"//"+host;
//framework.extension.fireEvent('HI', { data: {someData:HostProto, highlitedText:'CNN'}}); //hostname
var urlPort = browser.runtime.connect({name:"urlport-from-cs"});
var popupPort = browser.runtime.connect({name:"popupport-from-cs"});
urlPort.postMessage({"url": HostProto,"fullurl":fullurl});
//bl status rcvd
var flag=0, blstatus="", Head="CDAC's Browser JSGuard Warning";
var blstatus_if="";
var blstatus_sc="";
//again common
var gsbreq=count_if+alert_if;
if(count_if){
s2='Threat:: Hidden Iframe<br>Evil URL(s) are :::'+alert_if+"<br>";
}
var gsbreq1=count_sc+alert_sc;
if(count_sc){
s1='Threat:: UnAuthorized Redirection<br>Evil URL(s) are :::'+alert_sc+"<br>";
}
var frameEl = window.frameElement;
var ps = localStorage.getItem(0);
console.log("");
if(ps == null || ps.match(HostProto) == null){ //iniatiall null and host diffrenet so block
if(alert_if || alert3 || alert_sc)
{
if(alert_if && frameEl === null){
//gsbreq="1\nhttp://malware.testing.google.test/testing/malware/";
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://sb-ssl.google.com/safebrowsing/api/lookup?client=firefox&apikey=ABQIAAAAxhNVFd2Bkr2PLooc8AycwBRHPfqIBBZIjrF8eFFZCSSGcCk3eg&appver=1.5.2&pver=3.0', true);
//Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {//Call a function when the state changes.
if (xhr.readyState === 4) {
if (xhr.status === 200) {
//console.log("IN CONTENT SCRIPT: response from GSB:"+xhr.responseText);
blstatus_if=xhr.responseText;
//console.log("if blstatus rcvd"+blstatus_if);
if(blstatus_if.match("malware") || blstatus_if.match("phising") || blstatus_if.match("phishing,malware")){
flag=1;
//console.log("and here is an iframealert");
document.body.innerHTML = "";//$('head link').remove();
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
if(r== false){
//console.log("false");
var d1 = new Date ();
var oneday = new Date(d1);
//console.log("1: "+oneday);
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
oneday.setDate(d1.getDate() + 1); //one day from now
//console.log("2: "+oneday);
localStorage.setItem(0, HostProto);
localStorage.setItem(1, oneday);
location.reload();
}
});
}
} else {
console.log('error: '+xhr.statusText);
}
}
};
xhr.send(gsbreq);
/* console.log("if blstatus rcvd"+blstatus_if);
if(blstatus_if.match("malware") || blstatus_if.match("phising") || blstatus_if.match("phishing,malware")){
flag=1;
console.log("and here is an iframealert");
document.body.innerHTML = "";//$('head link').remove();
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
if(r== false){
//console.log("false");
var d1 = new Date ();
var oneday = new Date(d1);
//console.log("1: "+oneday);
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
oneday.setDate(d1.getDate() + 1); //one day from now
//console.log("2: "+oneday);
localStorage.setItem(0, HostProto);
localStorage.setItem(1, oneday);
location.reload();
}
});
}*/
}
if (alert3 && flag == 0){
flag = 1;
document.body.innerHTML = "";//$('head link').remove();flag=1;
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+alert3+"<br><br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
if(r== false){
//console.log("false");
var d1 = new Date ();
var oneday = new Date(d1);
//console.log("1: "+oneday);
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
oneday.setDate(d1.getDate() + 1); //one day from now
//console.log("2: "+oneday);
localStorage.setItem(0, HostProto);
localStorage.setItem(1, oneday);
location.reload();
}
});
}
if(alert_sc && flag == 0){
//gsbreq1="1\nhttp://malware.testing.google.test/testing/malware/";
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://sb-ssl.google.com/safebrowsing/api/lookup?client=firefox&apikey=ABQIAAAAxhNVFd2Bkr2PLooc8AycwBRHPfqIBBZIjrF8eFFZCSSGcCk3eg&appver=1.5.2&pver=3.0', true);
//Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {//Call a function when the state changes.
if (xhr.readyState === 4) {
if (xhr.status === 200) {
//console.log("IN CONTENT SCRIPT: response from GSB:"+xhr.responseText);
blstatus_sc=xhr.responseText;
//console.log("if blstatus rcvd"+blstatus_sc);
if(blstatus_sc.match("malware") || blstatus_sc.match("phising") || blstatus_sc.match("phishing,malware")){
flag=1;
//console.log("and here is an scriptalert");
document.body.innerHTML = "";//$('head link').remove();
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s2+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
if(r== false){
//console.log("false");
var d1 = new Date ();
var oneday = new Date(d1);
//console.log("1: "+oneday);
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
oneday.setDate(d1.getDate() + 1); //one day from now
//console.log("2: "+oneday);
localStorage.setItem(0, HostProto);
localStorage.setItem(1, oneday);
location.reload();
}
});
}
} else {
//console.log('genuine: '+xhr.statusText);
}
}
};
xhr.send(gsbreq1);
/*console.log("if blstatus rcvd"+blstatus_sc);
if(blstatus_sc.match("malware") || blstatus_sc.match("phising") || blstatus_sc.match("phishing,malware")){
flag=1;
console.log("and here is an script alert");
document.body.innerHTML = "";//$('head link').remove();
var r=jConfirm("<b>In the requested webpage at URL</b><br><br>"+hostt+"<br><br><b>Threat has been found:</b><br><br>"+s1+"<br>To get more information click on widget shown in toolbar<br><br>", Head ,function(r) {
if(r== false){
//console.log("false");
var d1 = new Date ();
var oneday = new Date(d1);
//console.log("1: "+oneday);
//oneday.setHours(d1.getHours(),d1.getMinutes() + 2); //one day from now
oneday.setDate(d1.getDate() + 1); //one day from now
//console.log("2: "+oneday);
localStorage.setItem(0, HostProto);
localStorage.setItem(1, oneday);
location.reload();
}
});
}*/
}
}
}
else{
var values = localStorage.getItem(1);
values = new Date(values);
var d = new Date();
var m=values-d; //not working "values" and "n" vars are damaged
//console.log("future: "+values+" len: "+values.length);
//console.log("current: "+d+" len: "+d.length);
//console.log("diff: "+m);
if (m<0) {
localStorage.removeItem(0);localStorage.removeItem(1);localStorage.removeItem(2);
}
}
var x=[];
x.push(HostProto); //hostonly
x.push(s2); // hidden iframe
x.push(s1); // unauth red
x.push(warns3); //encode status
x.push(red2); //meta
x.push(Domainreport); //ext domain
x.push(red1); //trackers
popupPort.postMessage({"popupinfo": JSON.stringify(x)});
});
Reference in New Issue View Git Blame Copy Permalink