Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
[url]http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba[/url]
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my code to
auto-adjust for relative paths, so I can continue testing the
subsite against Uribl's great subsite list.
The expedient part of my brain is thinking that either a ".." or a
"/./" in a URL are most shiny signs of spam (or major mailing list
stupidity), so I'm going to start with those as simple rules.
Other than borked mailing lists, can anyone recall seeing either of
those patterns in a legitimate emailed URL?
Stay dry,
- "Chip"
At 08:06 16-06-2008, Chip M. wrote:
>Just noticed a new (to me) Geocities obfuscation technique that uses
>embedded relative path(s):
>
>[url]http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba[/url]
>That breaks my own subsite extraction code. :(
[snip]
>Other than borked mailing lists, can anyone recall seeing either of
>those patterns in a legitimate emailed URL?
Yes, this one if it's a legitimate email. :-)
Given the way URLs are parsed, if the URL is preceded by "http://",
it's less likely to hit legitimate emails. Such paths are commonly
seen in messages about XSS. If the score is not too high, you can
offset it with other rules.
Regards,
-sm
On Mon, 16 Jun 2008, mouss wrote:
> Chip M. wrote:
>> Just noticed a new (to me) Geocities obfuscation technique that uses
>> embedded relative path(s):
>> [url]http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba[/url]
>> That breaks my own subsite extraction code. :(
>
> "/." is a unix construct, so except for filenames like ".foo", I see no
> use for that over the web (the web is not unix). so
> \/\.\W
> doesn't look to be needed for legitimate URLs. Same goes for equivalent
> encodings.
I've seen multiple leading periods in phish messages. My local rule for
this is equivalent to \/\.{1,4}\W
> and since such URLs are used to evade detection by proxies and access
> control implementations, I'd say get this out (old tomcat and
> tomcat+apache used to have a vulnerability that allowed access to tomcat
> admin using such URLs).
They're also used to hide fraudulent website content from the
administrators of compromised hosts. Ideally their presence should
generate an alert to the abuse address of the host that appears in the
URL. Implementation of this is left as an exercise for the student.
--
John Hardin KA7OHZ [url]http://www.impsec.org/~jhardin/[/url]
[email]jhardin@impsec.org[/email] FALaholic #11174 pgpk -a [email]jhardin@impsec.org[/email]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
2 days until SWMBO's Birthday
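An added example (Python, not code from this thread or from SpamAssassin) that combines the two approaches discussed above: it flags dot-segments with the `\/\.{1,4}\W` style pattern after percent-decoding, so "equivalent encodings" are caught, and it also normalises the path per RFC 3986 so a subsite extractor like Chip's still gets the real subsite. The sample message body and the `example.test` URLs are constructed; the Geocities URL is the one quoted in the thread.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Only URLs with an explicit scheme, as sm suggests, to limit false positives.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Slash, one to four dots, then a non-word char or end of path. ".foo"-style
# hidden-file names are not matched, which is mouss's point about "/.".
DOT_SEGMENT_RE = re.compile(r"/\.{1,4}(?=\W|$)")

def remove_dot_segments(path: str) -> str:
    """Stack-based equivalent of RFC 3986 5.2.4 for an absolute path."""
    segs = path.split("/")
    out = []
    for seg in segs:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    if segs and segs[-1] in (".", ".."):
        out.append("")          # keep the trailing slash, as the RFC does
    result = "/".join(out)
    return result if result.startswith("/") else "/" + result

def analyze_url(url: str) -> dict:
    parts = urlsplit(url)
    decoded = unquote(parts.path)           # so %2e%2e is seen as ".."
    hits = DOT_SEGMENT_RE.findall(decoded)
    clean_path = remove_dot_segments(decoded) if decoded else "/"
    pieces = clean_path.split("/")
    return {
        "url": url,
        "dot_segments": hits,                # what a rule would fire on
        "suspicious": bool(hits),
        "normalized": urlunsplit((parts.scheme, parts.netloc, clean_path,
                                  parts.query, parts.fragment)),
        # First path segment: the "subsite" on Geocities-style hosting.
        "subsite": pieces[1] if len(pieces) > 1 else "",
    }

def scan_body(body: str) -> list:
    return [analyze_url(u) for u in URL_RE.findall(body)]

# Constructed sample body (not a real message).
SAMPLE_BODY = (
    "check http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba\n"
    "and http://example.test/%2e%2e/admin/ plus http://example.test/.well-known/x\n"
)
```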