2. First a Disclaimer…
• It isn’t my fault if in your exploration you intentionally or inadvertently
do something BAD to your system.
• I will try to give enough info to suggest good search terms for
independent exploration if this interests you. I am not trying to create
any sort of definitive guide or suggesting this is a best or even good
way to accomplish a task.
• You wouldn’t use a circular saw without knowing how it works. Using
shell commands and executing JavaScript from the address bar of
your browser is a lot like playing with power tools. You probably will
not lose a thumb but there is a likelihood of pain nonetheless.
3. Spam
Everybody gets it: some of it is obvious, some a little sneakier, and
occasionally an email with actual value ends up caught in the email
client’s spam net.
The screen grab is from MS Outlook, set to show just the text, not the
rendered HTML. NO CLICKING LINKS!
My example has lots of signs it is garbage and
should be sent to e-oblivion:
• Do you really think that is a Google team addy?
• This is not the format I give out for my email
(Gmail ignores dots and letter case in the address, so a variant like
sT.eve.pOte still reaches me and tells me who sold me out)
• Delayed email at some blog URL? C’mon. (This
is the URL I will use for the example)
• No opt out? Not even a fake one with a malicious
addy behind it? They aren’t even trying… (an
opt out is required by US law, the CAN-SPAM Act, and legitimate
businesses using mass mailings will always have
a means to tell them to stop)
4. cURL, short version and a headstart
curl -L -v -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" http://somewhere.com
The switches
-L follow redirects (when the response is a 3xx that sends you immediately elsewhere. There are
legitimate uses like URL shorteners such as goo.gl and bit.ly, but these are also good
places to hide bad things. cURL only follows HTTP redirects; a redirect done in JavaScript
or a meta refresh shows up in the returned HTML instead, which is exactly what we read next.)
-v verbose (I always like verbose output… in this case it shows the request and response
headers, so you see the connects, disconnects and every hop of a redirect)
-A user agent string to send (cURL pretends to be a browser by sending a browser’s
User-Agent header. The example uses a very common string so the site treats us like any
other victim; some spam sites hand harmless content to an unknown agent and serve the
payload only to something that looks like a real browser.)
One caveat before you fetch anything: the request itself tells the spammer the link was
opened, and a link carrying a per-recipient token confirms a live address, so do this from a
throwaway machine or VM rather than your daily workstation.
5. Here we go…
• Verbose connection text followed by the HTML of what you would see in your
browser if you had clicked the link…
6. …after some gibberish
Most of what was returned was probably a “Markov string”: text generated by a
Markov chain model, so it reads as random-esque but follows grammatical rules, to fool
ISPs and others (like spam filters and web crawlers) into believing the target is legit. When
an email slips by your filter with total nonsense in the body it is
probably a Markov string, and it is very hard to catch because each email
can be made with unique content, including highly relevant
individual words.
7. …the part we are really after
• JavaScript at the bottom… it is at the bottom so the rest of the page
loads before the script runs: an error in it does not stop the decoy content
from rendering, and anything scanning the page sees the benign part first
• Mileage may vary. This example creates a string from ASCII character
codes that were stored shifted by 73, so each real code is the number in the
script minus 73 (I will break that down better later). Base64 encoding is
another common technique I have encountered often (there are legit business
reasons to encode strings; I will show you how to check them too).
8. Magic Happens Here…
• I find JavaScript to be pretty human
readable, but for this example I cheated
with Excel…
• I needed each number in the script minus 73 to get the real ASCII codes
• Then ran String.fromCharCode on them in a browser address bar (don’t do
this at home, not everything is harmless; also, current Chrome and Firefox
strip the javascript: prefix when you paste into the address bar, so you may
have to retype it or use the developer console instead, with the same caution)
• javascript:alert(String.fromCharCode(119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,39,104,116,116,112,58,47,47,115,109,97,114,116,112,105,108,108,115,118,97,108,117,101,46,114,117,39,59));
• If you can write JavaScript you can
neuter the function like this…
rather than handing the decoded
command to eval, alert() just displays its text.
9. Oh, good…another scary link
• Here is the output of our example
using the Chrome browser’s address bar
• This JavaScript command (window.top.location.href = …) redirects your
browser to the link inside; because it sets it on window.top it also breaks out
of any iframe the script was loaded in and takes over the whole tab.
• Anecdotally most of the time this is abusing Google Analytics by
creating false hits… opens a couple of valid pages, closes and moves on.
• Every so often there is something nastier, tracking cookies (mild) or
some more virulent web-herpes.
• Drop this URL into cURL and repeat if you dare.
10. A last tidbit or…
d2luZG93LnRvcC5sb2NhdGlvbi5ocmVmPSdodHRwczovL3NvbWVldmlsYmFzdGFyZC5jb20n
…for short
• Base64 encoding has honest upstanding uses
• JavaScript has built-in functions to encode (window.btoa()) and
decode (window.atob())
• I use them to send secret messages ;-) (it is encoding, not encryption:
anyone can decode it, which is also why it hides nothing from you here)
• They can also hide malicious intent
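The decoding from slides 8 and 10 done as a script instead of by hand, as an added example that is not part of the original deck: it pulls the number list out of a String.fromCharCode obfuscation, recovers the shift (from the script when it is declared, by brute force when it is not), decodes atob() base64 payloads, and extracts the redirect target, all without ever executing the decoded code. It runs under Node.js. The three script snippets it analyzes are constructed for the example around the number list and base64 string shown on the slides; the “subtract 73 in a loop” form is assumed from the slide’s description, not copied from the original spam.

```javascript
// Added example (not from the original slides): decode the two obfuscation
// styles the deck shows (String.fromCharCode lists with a hidden shift, and
// base64 fed to atob) and pull out the redirect target WITHOUT executing
// anything. Node.js; the sample scripts below are constructed for this example.

// The character codes exactly as they appear on slide 8 (already corrected).
const SLIDE8_CODES = [119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,39,104,116,116,112,58,47,47,115,109,97,114,116,112,105,108,108,115,118,97,108,117,101,46,114,117,39,59];
// The base64 string from slide 10.
const SLIDE10_B64 = 'd2luZG93LnRvcC5sb2NhdGlvbi5ocmVmPSdodHRwczovL3NvbWVldmlsYmFzdGFyZC5jb20n';

// Constructed sample 1: the "shifted by 73" style described on slide 7. Each
// code is stored +73 and the page subtracts 73 at runtime before eval().
const SAMPLE_SHIFTED_SCRIPT = '<script>var c=[' + SLIDE8_CODES.map(n => n + 73).join(',') + '];' +
  'var s="";for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]-73);}eval(s);</script>';
// Constructed sample 2: the codes passed straight to fromCharCode (no shift).
const SAMPLE_PLAIN_SCRIPT = '<script>eval(String.fromCharCode(' + SLIDE8_CODES.join(',') + '));</script>';
// Constructed sample 3: the base64 form from slide 10.
const SAMPLE_B64_SCRIPT = '<script>eval(atob("' + SLIDE10_B64 + '"));</script>';

// First run of four or more comma-separated integers: the obfuscated payload.
function extractCodeList(script) {
  const m = script.match(/\d+(?:\s*,\s*\d+){3,}/);
  return m ? m[0].split(',').map(n => parseInt(n.trim(), 10)) : null;
}

// If the script declares its own shift, e.g. fromCharCode(c[i]-73) or
// fromCharCode(x+7), return the amount to SUBTRACT from each stored code.
function findDeclaredShift(script) {
  const m = script.match(/fromCharCode\(\s*[\w.]+(?:\[[^\]]*\])?\s*([-+])\s*(\d+)\s*\)/);
  if (!m) return null;
  const n = parseInt(m[2], 10);
  return m[1] === '-' ? n : -n;
}

function shiftDecode(codes, subtract) {
  return String.fromCharCode(...codes.map(c => c - subtract));
}

// Printable ASCII that mentions something a redirect payload would.
function looksLikeJs(text) {
  return /^[\x20-\x7e]+$/.test(text) && /location|http|document|window/.test(text);
}

// No declared shift: try every shift that keeps the result printable and
// keep the first that reads like JavaScript. Shift 0 covers the plain case.
function bruteForceShift(codes) {
  const maxShift = Math.min(...codes) - 0x20;
  for (let s = 0; s <= maxShift; s++) {
    const text = shiftDecode(codes, s);
    if (looksLikeJs(text)) return { subtract: s, text };
  }
  return null;
}

// Every atob("...") argument, decoded the way the browser would (latin1).
function decodeBase64Payloads(script) {
  const out = [];
  const re = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(Buffer.from(m[1], 'base64').toString('latin1'));
  return out;
}

// The URL assigned to (window.)(top.)location(.href), or null if none.
function extractRedirectTarget(js) {
  const m = js.match(/(?:window\.|self\.)?(?:top\.|parent\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/);
  return m ? m[1] : null;
}

// Decode every payload we can find and report where each would send you.
function analyzeScript(script) {
  const payloads = [];
  const codes = extractCodeList(script);
  if (codes) {
    const declared = findDeclaredShift(script);
    const guess = declared === null ? bruteForceShift(codes) : { subtract: declared, text: shiftDecode(codes, declared) };
    if (guess) payloads.push(guess.text);
  }
  payloads.push(...decodeBase64Payloads(script));
  return payloads.map(text => ({ text, redirectsTo: extractRedirectTarget(text) }));
}

for (const script of [SAMPLE_SHIFTED_SCRIPT, SAMPLE_PLAIN_SCRIPT, SAMPLE_B64_SCRIPT]) {
  for (const r of analyzeScript(script)) console.log(r.redirectsTo, '<=', r.text);
}
```

The brute-force path is what you reach for on a real sample where the shift is buried in a helper you do not want to read: it only accepts a candidate that is entirely printable and mentions a location, URL or DOM object, which rules out the neighbouring shifts that produce printable gibberish. Note that the target is extracted with a regex, not by running the code, so a payload that builds its URL at runtime will show up as text with a null redirect and still needs a human look.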
11. Links for the curious
• cURL man page - http://curl.haxx.se/docs/manpage.html
• Opt out/Spam laws - https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
• Markov strings - https://en.wikipedia.org/wiki/Markov_algorithm (note: that page covers the Markov algorithm, a string rewriting system; the text generator behind spam filler is the Markov chain)
• atob – https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/atob
• JavaScript from the address bar - http://www.wikihow.com/Have-Fun-With-Your-Address-Bar-on-Your-Browser
• Base 64 encoding - https://www.base64decode.org
• Me, especially if you are looking for a full stack ‘white hat’ - https://www.linkedin.com/in/steve-pote-61b02b103