[Esd-l] Mangle of embedded URLs
Jim Bucks
jbucks at coloradostudios.com
Fri Jan 7 13:41:19 PST 2005
Here's what I've done. I know it's simplistic, but it's somewhat
effective...
:0 B
##########################################################################################
# jbucks March 16, 2004
# This is where I've replaced the HTML tag's opening "<" with a "z" to allow it to be
# visible to the users (in a very ugly way) while removing the functionality of the HTML
# code.
##########################################################################################
* ! SECURITY_TRUST_HTML ?? [^ ]
* 9876543210^1 \<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|i?layer|link|form|input|table|th|td|xml)
* 9876543210^1 =(3d)?[ ]*["'](&{|([a-z]+script|mocha):)
{
  LOG="Defanging active HTML content$SUBJ"
  HAVE_UUE=

  :0 B
  * ^begin[ ]+([0-9]+)?[ ]+[^ ]+
  {
    HAVE_UUE=YES
    LOG=" UUE content, HTML defang suppression enabled.$NL"
  }

  :0 fw b
  | perl -p -e ' #\
    unless ($ENV{"HAVE_UUE"} && /^M.{60}$/ ) { #\
      if (/ / && /["\047][^"\047\s]*&#x?[1-9][0-9a-f]/i) { #\
        while (/["\047][^"\047\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2])(?![0-9]))/) { #\
          $char = chr($1); #\
          s/&#$1;?/$char/g; #\
        } #\
        while (/["\047][^"\047\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) { #\
          $char = chr(hex("0$1")); #\
          s/&#$1;?/$char/gi; #\
        } #\
      } #\
      if (/ / && /["\047][^"\047\s]*%[2-7][0-9a-f]/i) { #\
        while (/["\047][^"\047\s]*%((2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) { #\
          $char = chr(hex("0x$1")); #\
          s/%$1/$char/gi; #\
        } #\
      } #\
      if (/<|%3c/) { #\
        s/(<|%3c)(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|LAYER|ILAYER|LINK|FORM|INPUT|XML)/$1DEFANGED_$2/gi; #\
        unless ($ENV{"SECURITY_TRUST_STYLE_TAGS"}) { #\
          s/<STYLE/ <!-- zDEFANGED_STYLE/gi; #\
          s/<\/STYLE/ --> z\/DEFANGED_STYLE/gi; #\
          s/\sSTYLE\s*=/ zDEFANGED_STYLE=/gi; #\
        } #\
        if ($ENV{"DEFANG_WEBBUGS"}) { #\
          s/<IMG/zDEFANGED_IMG/gi; #\
          s/<BGSOUND/zDEFANGED_BGSOUND/gi; #\
          if (/<(BODY|TABLE|TH|TD)\s/i) { #\
            s/\sBACKGROUND\s*=\s*/ zDEFANGED_BACKGROUND=/gi; #\
          } #\
        } #\
        s/\sOn(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload|ContextMenu|DragStart)/ zDEFANGED_On$1/gi; #\
      } #\
      s/^\s*On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload|ContextMenu|DragStart)/zDEFANGED_On$1/gi; #\
      s/(["\047\075]|url\()([a-z]+script|mocha):/z${1}DEFANGED_$2:/gi; #\
      s/(["\047\075])&{/z${1}DEFANGED_&_{/g; #\
    } #\
  '
}
"John D. Hardin" wrote:
>
> On Fri, 7 Jan 2005, Smart,Dan wrote:
>
> > Thanks for the suggestion Chris.
> >
> > Haven't had a chance to dig in yet, but on first thought, wouldn't this
> > break any embedded images in a newsletter? My goal is to stop obfuscated
> > URLs that entice a user to click.
>
> I take it you're not defanging web bugs?
>
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
> key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> What nuts do with guns is terrible, certainly. But what evil or crazy
> people do with *anything* is not a valid argument for banning that item.
> -- John C. Randolph <jcr at idiom.com>
> -----------------------------------------------------------------------
--
Jim Bucks - IT/IS Support www.coloradostudios.com
2400 N. Ulster St. Denver, CO 80238 Main 303-388-8500
jbucks at coloradostudios.com DiD 303-542-5520
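
The recipe in the message above decodes numeric character references and %XX escapes inside quoted attribute values before it renames tags and script schemes, and the order matters. The following is an added Python example, not part of the original post or of the sanitizer: the regex fragments are copied from the recipe, the names normalize and defang and the sample lines are this example's own, and it covers only the tag and script-scheme substitutions (not the STYLE, web-bug or On* event-handler ones).

```python
import re

# Regex fragments copied from the recipe above; the Python names are this example's own.
QUOTED = r"""["'][^"'\s]*"""    # from a quote up to the escape, no whitespace between
DEC = r"4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2]"
HEX = r"2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]"
TAGS = "META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|LAYER|ILAYER|LINK|FORM|INPUT|XML"

# (finder, escape prefix, optional-semicolon suffix, numeric base).
# Only '.', '/', digits, ':', '@' and ASCII letters are ever decoded.
PASSES = [
    (re.compile(QUOTED + r"&#(" + DEC + r")(?![0-9])"), "&#", ";?", 10),
    (re.compile(QUOTED + r"&#x(" + HEX + r")", re.I), "&#x", ";?", 16),
    (re.compile(QUOTED + r"%(" + HEX + r")", re.I), "%", "", 16),
]

def normalize(line):
    """Decode character references and %XX escapes found in quoted values."""
    for finder, prefix, suffix, base in PASSES:
        while (m := finder.search(line)):
            code = m.group(1)
            char = chr(int(code, base))
            # Like the recipe's s///g, replace every copy of this escape.
            line = re.sub(re.escape(prefix + code) + suffix,
                          lambda _: char, line, flags=re.I)
    return line

def defang(line):
    """Rename active tags and script-scheme URLs so they no longer execute."""
    line = re.sub(r"(<|%3c)(" + TAGS + ")", r"\g<1>DEFANGED_\g<2>", line, flags=re.I)
    return re.sub(r"""(["'=]|url\()([a-z]+script|mocha):""",
                  r"z\g<1>DEFANGED_\g<2>:", line, flags=re.I)

# Constructed sample lines (not taken from any real message).
SAMPLES = [
    '<a href="&#106;ava&#x73;cript:void(0)">click</a>',
    "<a href='java%73cript%3avoid(0)'>x</a>",
    '<IFRAME src="http://example.test/">',
    '<a href="http://example.test/?q=a%20b">ok</a>',
]

if __name__ == "__main__":
    # Left: defang alone. Right: decode first, then defang.
    for s in SAMPLES:
        print(defang(s), "|", defang(normalize(s)))
```

The first two samples pass through defang untouched unless normalize runs first, while the %20 in the last sample stays encoded because it is outside the ranges the recipe decodes.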