Actually, there is no way for your hosting provider to ensure that you cannot close its advertisements (advs.)!
Because all the advs. are based on JavaScript and HTML, anyone can close them just by looking at how their code behaves.
These are some methods:
1. (Easy level) Some hosts add the advs. after your HTML code, and these can be closed easily by adding some tags such as:
<noscript>, <embed>, <object>, <!--, <script>, and …
at the end of your HTML page. For instance:
I tested it on GoDaddy free web hosting by adding a <noscript> tag and it works successfully: [http://www.plaincipher.com/welcome.html] (6 Jan. 2009); see its source code for more details.
However, the host can neutralize this method easily by adding some closing tags before its advs. start, such as:
</noscript>, </embed>, </object>, -->, </script>, and …
2. (Medium level) Some hosts' advertisements can be closed by calling the close function in their JavaScript. For instance, I tested this code:
<script>document.getElementById('divADV').style.visibility='hidden';window.setInterval('closeWindow()',0);closeWindow();</script>
on PersianBlog.ir's weblogs and it works successfully: see [error404.persianblog.ir] (6 Jan. 2009).
3. (Hard level) Some hosts' advs. have very complicated code, but they can also be closed with some tricks that neutralize their frames and their JavaScript functions! I will write about some tricks after finishing this part.
For instance, I tested this code:
<script language="JavaScript">
var settelingTime = 100; // delay between checks, in milliseconds
var check4closing = 4;   // how many more times the frameset is collapsed
function testjavascript()
{
    // Re-schedule this check so that it keeps running
    window.setTimeout("testjavascript()", settelingTime);
    if(top.d.getElementById("FR") && check4closing!=0){
        if(check4closing==1)
            alert('Bye yahoo advertisement! my new homepage is: soroush.secproject.com\nI will write there after that.');
        // Give the first frame column all the space and the other two none
        eval('top.d.getElementById("FR").setAttribute("cols","*,0,0");');
        check4closing--;
        settelingTime = 1000;
    }
}
</script>
on GeoCities.com and it works successfully: see [http://geocities.com/irsdl/blog/] (6 Jan. 2009).
Now these are some techniques which I use to neutralize the JavaScript code:
1. Make a function with the same name as the advertisement's function to change its behavior and overwrite it!
2. Change the value of JavaScript global variables if they are important for the advs.
3. Use some Ajax methods to find and replace some HTML tags with my new parameters.
4. Use some recursive loops to neutralize the advs. function over time.
5. Use some XSS methods to do some magic such as: true=false!
I think you can find your own methods to close the advs. too ;)
BTW, do not forget my copyright rules. Thank you very much :)
In Iran each person has a national code which is called "Code Melli" or "کد ملی". Its algorithm is very similar to the ISBN algorithm.
The rules are:
1- This number has 10 digits, like: C[1] C[2] C[3] C[4] C[5] C[6] C[7] C[8] C[9] C[10]
2- The 3 leftmost digits must not be equal to 000 (C[1]C[2]C[3] != 000)
3- C[10] is a control digit (as in the ISBN algorithm)
The formula to determine C[10] is:
Let A = (C[1]*10)+ (C[2]*9)+ (C[3]*8)+ (C[4]*7)+ (C[5]*6)+ (C[6]*5)+ (C[7]*4)+ (C[8]*3)+ (C[9]*2)
Let B = A MOD 11
If B == 0 Then C[10]=B Else C[10] = 11-B
This JavaScript function is useful for validation:
<script>
//--------------- Begin Iranian national code checker function ---------------
// Usage: IsIRNationalCode('Number') Return -> True-False
// Copyright: Soroush Dalili – October 2008
//
/**
* IsIRNationalCode is a function to validate Iranian National ID
* @param theNum National ID number as an input
* @return true if the input number is a valid Iranian National ID, otherwise false
*/
function IsIRNationalCode(theNum)
{
    theNum = String(theNum);
    // Require exactly 10 digits. Any other character would turn the sum into
    // NaN, and NaN % 11 is falsy, so the input would be accepted as valid.
    if(!/^\d{10}$/.test(theNum)) return false;
    if(theNum.substr(0,3)=='000') return false;
    var check = 0;
    for(var i=0;i<theNum.length;i++)
    {
        // Weights run from 10 (first digit) down to 1 (control digit)
        check += Number(theNum.charAt(i))*(10-i);
    }
    // Valid when the weighted sum is a multiple of 11
    return check%11 === 0;
}
// Copyright: Soroush Dalili – October 2008
//--------------- End Iranian national code checker function ---------------
</script>
Everything has an algorithm, except the things that we do not know about!
I have known the credit card algorithm since 2000, and I found it out from a Pascal program which checks credit cards.
I googled this topic in 2008 and found a lot of articles about it! So, there isn't any secret now!
My proofs are:
http://www.beachnet.com/~hstiles/cardtype.html
http://www.google.co.uk/search?hl=en&q=%22credit+card+algorithm%22
I know that no one can use a credit card generator nowadays because of online credit card validation checking.
So, I will explain it further:
If you have a credit card number like this (16 or 15 digits):
ABCD-EFGH-IJKL-MNOP
Or as an array:
C[1]C[2]C[3]C[4]-C[5]C[6]C[7]C[8]-C[9]C[10]C[11]C[12]-C[13]C[14]C[15]C[16]
Now the formula is:
(Odd array numbers value * 2; if there is a number more than 9, then subtract 9)
+
(Even array numbers value)
= Result
And Result MOD 10 must be 0
For example, we want to know whether the number below is a valid credit card number or not:
CC= 4321-9871-2345-3328
The formula is:
(4*2) + 3 + (2*2) + 1 + (9*2-9) + 8 + (7*2-9) + 1 + (2*2) + 3 + (4*2) + 5 + (3*2) + 3 + (2*2) + 8
=
8 + 3 + 4 + 1 + 9 + 8 + 5 + 1 + 4 + 3 + 8 + 5 + 6 + 3 + 4 + 8 = 80
80 Mod 10 = 0
So this is a valid credit card number!
What about the 4444-3333-2222-1111? Check it, it is a valid credit card number!
I found two good pieces of JavaScript code at:
http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_22031163.html
They are:
By Zvonko:
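<script>
function checkCardNum(theField){
    // Drop dashes and spaces. Any other non-digit would make the sum NaN,
    // and NaN % 10 is falsy, so the number would pass; it is rejected below.
    var theNum = theField.value.replace(/[\s-]/g, '');
    var check = 0;
    for(var i=0;i<theNum.length;i++){
        var num = Number(theNum.charAt(i));
        // Double every second digit, counting from the right
        num *= ((i+theNum.length)%2)?1:2;
        // A doubled value above 9 contributes the sum of its two digits
        check += (num>9)?num%10+1:num;
    }
    if(!/^\d+$/.test(theNum) || check%10){
        alert("Wrong CreditCard number.");
        theField.select();
        theField.focus();
        return false;
    }
    return true;
}
</script>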
And another one
By Rama NUTI (rama_krishna580):
<script>
function isValidCreditCard(type, ccnum) {
    var re;
    if (type == "Visa") {
        // Visa: length 16, prefix 4, dashes optional.
        re = /^4\d{3}-?\d{4}-?\d{4}-?\d{4}$/;
    } else if (type == "MC") {
        // Mastercard: length 16, prefix 51-55, dashes optional.
        re = /^5[1-5]\d{2}-?\d{4}-?\d{4}-?\d{4}$/;
    } else if (type == "Disc") {
        // Discover: length 16, prefix 6011, dashes optional.
        re = /^6011-?\d{4}-?\d{4}-?\d{4}$/;
    } else if (type == "AmEx") {
        // American Express: length 15, prefix 34 or 37.
        // (A comma inside the character class would also match a literal ",".)
        re = /^3[47]\d{13}$/;
    } else if (type == "Diners") {
        // Diners: length 14, prefix 30, 36, or 38.
        re = /^3[068]\d{12}$/;
    } else {
        // Unknown card type: reject instead of calling test() on undefined.
        return false;
    }
    if (!re.test(ccnum)) return false;
    // Remove all dashes for the checksum checks to eliminate negative numbers
    ccnum = ccnum.split("-").join("");
    // Checksum ("Mod 10")
    // Add even digits in even length strings or odd digits in odd length strings.
    var checksum = 0;
    for (var i=(2-(ccnum.length % 2)); i<=ccnum.length; i+=2) {
        checksum += parseInt(ccnum.charAt(i-1), 10);
    }
    // Analyze odd digits in even length strings or even digits in odd length strings.
    for (var i=(ccnum.length % 2) + 1; i<ccnum.length; i+=2) {
        var digit = parseInt(ccnum.charAt(i-1), 10) * 2;
        if (digit < 10) { checksum += digit; } else { checksum += (digit-9); }
    }
    return (checksum % 10) == 0;
}
</script>
I don't want to speak about LFI (local file inclusion) or RFI (remote file inclusion), about which we already have a lot of articles.
I just want to tell you about some simple facts ;)
I have read the source code of a lot of web applications till now.
And I think one of the most important logical vulnerabilities is the incorrect use of "include" techniques.
I want to explain this with some examples:
———– Begin Example1 ———–
Example1. (ASP, PHP, JSP, ?)
Assume that we have:
1. Admin.asp -> (Secured) which includes Check.asp, Header.asp, Main.asp
2. Check.asp -> checks the admin session
3. Header.asp -> shows the top menu
4. Main.asp -> shows the administrator's main page
So, if I execute Admin.asp, I will also execute the 3 other files which I mentioned.
Question: What will happen if I point to Main.asp or Header.asp directly without using Admin.asp?
Answer: If Main.asp or Header.asp does not include Check.asp, an attacker can see the admin page without having the administrator credentials!
Result: I have seen a lot of web applications which had this problem!
Now assume that Check.asp is something like this:
———– Begin Check.asp ———–
some lines of codes blah blah blah
<%
' Get an input from the user
1 Input_CurrentFolder = Request("currentFolder")
2 ' in order to get the root directory we must set an admin session
3 session("admin")=true
4 directory = GetDirectory(Input_CurrentFolder)
' Terminate admin session for the security!
5 session("admin")=false
%>
some lines of codes blah blah blah
———– End Check.asp ———–
I want to speak about the session. What do you think about this code? Is there any security problem?
Question1: How can a user keep session("admin")=true for him/herself?
Answer1: In order to do that, the user needs to stop execution on line 4!
Question2: Now, how can a user stop execution on line 4?
Answer2: The user must stop the program from running on line 4, so he/she must cause an error on that line! Actually, it depends on some factors, and I want to show you 2 of them, the first of which is related to the subject of this article.
1- First situation: Check.asp does not contain the "GetDirectory" function, and this function is in Header.asp. Now if an attacker points directly to Check.asp, he/she can get the admin session, because the program will crash on line 4!
2- Another situation: the "GetDirectory" function does not work with every "Input_CurrentFolder". In other words, the "GetDirectory" function must crash for some value of "Input_CurrentFolder".
Note: there must not be something like "On Error Resume Next", which forces the program to continue.
Result: I think this vulnerability is not a strange one; however, it is not very common. I have seen this vulnerability in some programs such as the old version of "hosting controller"!
———– End Example1 ———–
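The Check.asp flow above, modelled in Python as an added example (it is not code from the original post): the session store, handle() and the get_directory stand-in are assumptions made for illustration. It shows the admin flag surviving a failed request, next to a version that keeps the elevation out of the session.

```python
# SESSIONS stands in for server-side session state that outlives one request.
SESSIONS = {}

def get_directory(folder, is_admin):
    """Hypothetical stand-in for GetDirectory: fails on some inputs (line 4)."""
    if ".." in folder:
        raise ValueError("unsupported folder: " + folder)
    return ("/root/" if is_admin else "/home/") + folder

def check_vulnerable(session, folder):
    session["admin"] = True                              # line 3: elevate
    directory = get_directory(folder, session["admin"])  # line 4: may fail
    session["admin"] = False                             # line 5: skipped on error
    return directory

def check_hardened(session, folder):
    # The privilege is a call argument and is never written to the session,
    # so a failure on this line leaves the stored session untouched.
    return get_directory(folder, is_admin=True)

def handle(check, session_id, folder):
    """Serve one request: an unhandled error ends it with a 500 status."""
    session = SESSIONS.setdefault(session_id, {"admin": False})
    try:
        check(session, folder)
        return 200
    except ValueError:
        return 500

def is_admin(session_id):
    """What a later request from the same visitor would find in the session."""
    return SESSIONS.get(session_id, {}).get("admin", False)
```

If the elevation really has to live in the session, the reset belongs in a cleanup path that runs on errors as well, which is what line 5 of Check.asp lacks.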
———– Begin Example2 ———–
Example2. (PHP, ?)
This is not a new example, but it is related to this subject.
Assume that we have:
1. SessionControl.php -> (Secured) which controls the user's session
2. EditContent.php -> by using this file, the administrator can edit the website's pages
3. AdminContent.php -> (Secured) which includes SessionControl.php and EditContent.php.
And assume that EditContent.php is something like this:
———– Begin EditContent.php ———–
<?php
if (!isset($_SESSION['Level'])) exit();
if ($_SESSION['Level']=='admin')
{
    // some lines of codes only for admin blah blah blah
}
?>
———– End EditContent.php ———–
You can easily see that EditContent.php is insecure because there is no session_start() in it, so anyone can set $_SESSION['Level'], just like this: http://[something]/EditContent.php?_SESSION[Level]=admin
Note: PHP's register_globals must be on.
———– End Example2 ———–
So, you saw that a catastrophic vulnerability can easily be created by the bad usage of "include" techniques.
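One way to audit a code base for the direct-request problem from Example1, as an added example that is not part of the original post: it follows classic ASP #include directives and lists the files that other pages include but that never reach the session check themselves. The sample site contents and all function names are constructed for illustration.

```python
import re

# Constructed sample mirroring Example1: file name -> source text.
SITE = {
    "Admin.asp": '<!--#include file="Check.asp"-->\n'
                 '<!--#include file="Header.asp"-->\n'
                 '<!--#include file="Main.asp"-->',
    "Check.asp": '<% If Not Session("admin") Then Response.Redirect "login.asp" %>',
    "Header.asp": '<% Response.Write "top menu" %>',
    "Main.asp": '<!--#include file="Check.asp"-->\n<% Response.Write "admin page" %>',
}

INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

def includes(source):
    """File names pulled in by #include directives, lower-cased."""
    return [name.lower() for name in INCLUDE_RE.findall(source)]

def reaches_guard(name, site, guard, seen):
    """True if `name` is the guard file or includes it, directly or transitively."""
    if name == guard:
        return True
    if name in seen or name not in site:
        return False
    seen.add(name)  # protects against include cycles
    return any(reaches_guard(child, site, guard, seen)
               for child in includes(site[name]))

def unguarded_partials(site, guard):
    """Files included by some page that never pull in the guard themselves.

    Requested directly by URL, each of these runs without the session check.
    """
    site = {name.lower(): src for name, src in site.items()}
    guard = guard.lower()
    included = {child for src in site.values() for child in includes(src)}
    return sorted(name for name in included
                  if name in site and name != guard
                  and not reaches_guard(name, site, guard, set()))

if __name__ == "__main__":
    print(unguarded_partials(SITE, "Check.asp"))
```

In the sample, Main.asp includes Check.asp itself and is not reported, while Header.asp is; the check says nothing about whether the guard runs before the sensitive code, which still needs a manual look.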
Unfortunately, I found out that no one from Iran can see either "www.secproject.com" or "soroush.secproject.com".
I sent an email to my web support and wrote to them about this problem. And they answered me:
"Thank you for contacting Online Support. Some countries and ISPs actively block connections to our network. Unfortunately, this is not within our control. As we are able to visit your site without any issues there does not appear to be any errors on our end. We apologize for any inconvenience."
So, could you please help me if you know how to solve this problem? Please send an email to my Yahoo mail or write down your comments here.
