
Beware HTML in abUser Agent Strings

filter HTTP requests and logs like any other form of input data

     
incredibill (Administrator from US), 12:59 am on Jul 15, 2012 (gmt 0):


Never saw anyone try this before and I've seen just about everything including javascript in user agents trying to redirect to malware sites.

188.190.124.66

<br><center><h1>Pilferer</h1></center><br><center><h2><a href="http://example.com/">[Toolly Robot 0.1]</a></h2></center>


FYI, I replaced the domain with example.com because this one is not safe to surf and I'm not promoting it here just in case someone isn't careful and got hammered by accident.

Beware, as user agent strings, referrers and even the requested pages are a potential vulnerability, just like cross-site scripting, which could be used to attack your MySQL queries and reports if not properly filtered.

Best case, as in the above example, the code just messes up the report and displays the user agent in a big font in the middle of the screen with a link to their site.

Worst case, it contains a javascript redirect and/or attempts at MySQL attacks.

People tend to filter malicious input from being passed to their web pages but ignore the fact that this data can also be logged in its raw form and then processed later by server stats programs that don't always filter that data properly to protect webmasters from simplistic browser or SQL attacks. Once I noticed this stuff happening I stopped all server side log analysis programs as I can't be sure they are secure and won't let something through that puts my server or browser at risk.
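
As an added illustration of the point above (example code, not from the thread or any WebmasterWorld tool), a Python log-report fragment that parses Apache combined-format lines, flags fields carrying markup, and HTML-escapes every field before it reaches the report page. The log lines are constructed for the example; the hostile one reuses the user agent quoted in this post.

```python
import html
import re

# Apache "combined" log format. Q matches one quoted field and tolerates the
# \" the log writer emits when a client puts a double quote in a header.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] %s (\d{3}) (\S+) %s %s$' % (Q, Q, Q))
FIELDS = ("ip", "time", "request", "status", "bytes", "referer", "ua")

# Constructed sample log: a normal hit, then a hit carrying the UA quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jul/2012:00:59:00 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"',
    '188.190.124.66 - - [15/Jul/2012:00:59:01 +0000] "GET / HTTP/1.0" 200 512 "-" '
    '"<br><center><h1>Pilferer</h1></center><br><center><h2>'
    '<a href=\\"http://example.com/\\">[Toolly Robot 0.1]</a></h2></center>"',
]

# Triage flag for fields a report must never render raw: a tag opener, a
# javascript: URL or an inline event handler. Escaping below is the real protection.
MARKUP = re.compile(r'<[a-zA-Z/!]|javascript:|\bon\w+\s*=', re.IGNORECASE)

def parse_line(line):
    m = COMBINED.match(line)
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for k in ("request", "referer", "ua"):
        rec[k] = rec[k].replace('\\"', '"')  # undo the log writer's escaping
    return rec

def looks_like_markup(value):
    return MARKUP.search(value) is not None

def render_row_unsafe(rec):
    # The mistake the thread describes: raw client-supplied fields dropped into HTML.
    return "<tr><td>%(ip)s</td><td>%(request)s</td><td>%(ua)s</td></tr>" % rec

def render_row(rec):
    # Hardened: every logged field is untrusted input and is escaped on output.
    cells = (html.escape(rec[k], quote=True) for k in ("ip", "request", "ua"))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"

def report(lines):
    # Returns (escaped HTML rows, IPs whose request/referer/UA carried markup).
    rows, flagged = [], []
    for rec in filter(None, map(parse_line, lines)):
        if any(looks_like_markup(rec[k]) for k in ("request", "referer", "ua")):
            flagged.append(rec["ip"])
        rows.append(render_row(rec))
    return rows, flagged
```

The same escape-on-output rule applies to any other field a stats program prints, including the referrer and the requested path.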

wilderness (Senior Member), 2:19 am on July 15, 2012 (gmt 0):


Bill,
I had one of these a month or two ago and simply shrugged it off as an errant spammer, failing to make a saved notation.
Not sure I'm willing to dig back through the logs attempting to locate it.

incredibill (Administrator from US), 2:32 am on July 15, 2012 (gmt 0):


It's more than just that, some are spamming, some are attacking.

Not all of the sites are just spam links, some are malicious.

FWIW, I'm getting tons of this stuff lately on a couple of sites. All reports I wrote have now been verified to be HTML sanitized and I shut down any log analysis and reports that I didn't write for security.

keyplyr (Moderator This Forum from US), 2:50 am on July 15, 2012 (gmt 0):


My reports are hot, but I never follow any of the links. If I want to investigate, I either load the link into a browser manually with noscript & adblock, JS off and redirects off or I use a 3rd party web-based HTML parser tool.

incredibill (Administrator from US), 5:44 am on July 15, 2012 (gmt 0):


Does that mean you have javascript disabled for your own site for those report pages?

If not, they can easily hijack your page with a javascript redirect which is quite annoying.

I found out ages ago that so many email submission pages, shopping carts, and all sorts of common stuff including back end admin tools are quite susceptible to simple javascript redirects, so I wasn't exactly surprised when I saw people trying to take advantage of log file reports.

keyplyr (Moderator This Forum from US), 5:56 am on July 15, 2012 (gmt 0):

Quoting incredibill: "If not, they can easily hijack your page with a javascript redirect which is quite annoying."

Not possible on my server.

Also, I hand code input forms, don't use anything off the web or out of a box. I build in a few security measures.

Junior Member (5+ Year Member), 2:07 pm on July 16, 2012 (gmt 0):


Quoting keyplyr: "My reports are hot, but I never follow any of the links. If I want to investigate, I either load the link into a browser manually with noscript & adblock, JS off and redirects off or I use a 3rd party web-based HTML parser tool."


You may want to include RequestPolicy also.

[requestpolicy.com...]
[addons.mozilla.org...]

keyplyr (Moderator This Forum from US), 6:41 pm on July 16, 2012 (gmt 0):


@MickeyRoush - yeah good security tool as well. I also use DoNotTrack Plus, opt out where possible... ad infinitum.

Preferred Member (10+ Year Member), 10:00 pm on July 16, 2012 (gmt 0):


Things like this are why I'm glad I do my reports using an extensive collection of shell scripts I've written over the years.