the bad guys use document.write() to
write code into your HTML files.
I've written about this here:
Using a Hex Decoder
There's a variation on this approach
that I'm writing about today.
Yes, the argument to document.write()
can be encoded in hexadecimal.
However, another bad-guy strategy is to
use the JavaScript concatenation operator
instead.
document.write() is JavaScript.
In JavaScript, the plus sign is the
concatenation operator. In
mathematics, the plus sign is the
addition operator.
Basically, JavaScript allows you
to add two strings together to make
a longer string.
The bad guys will obfuscate the URL
by breaking it up into a lot of little
strings that are concatenated into one
string.
To do this, they may use 25 or more plus
operators like this:
"string1" + "string2" + "string3"
Here are 2 key differences between their
strings and my strings.
- Their strings are much shorter than
mine. In some cases, just one character
long.
- Their strings concatenated together
spell out a URL (web address), a bad
guy web address.
All this in the name of obfuscation.
Basically, they are trying to make it
hard for you to distinguish their code
from the code that belongs on your website.
Here's an oversimplification of what they
do:
document.write("a" + "b" + "c") ;
I've just given you an oversimplified example.
Now, here's an oversimplified solution.
Start looking for document.write() commands
in your code.
Be careful, though. Some document.write()
commands are legitimate and some are not.
You don't want to remove the legitimate ones.
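One way to sort the calls you find, as an added example that is not code from the original post: it pulls out every document.write() argument, folds any chain of string literals joined with plus signs, and flags chains made of many very short pieces. The function names, the thresholds (5 or more pieces averaging 3 characters or fewer) and the sample input with its placeholder domain are assumptions made for illustration.

```javascript
// Added example (not from the original post). Thresholds below are assumptions.
const LITERAL = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;

// Return the argument text of each document.write(...) call; parentheses
// that sit inside string literals do not count toward the closing match.
function findWriteArgs(source) {
  const args = [];
  const call = /document\.write(?:ln)?\s*\(/g;
  while (call.exec(source) !== null) {
    const start = call.lastIndex;
    let depth = 1, i = start, quote = null;
    for (; i < source.length && depth > 0; i++) {
      const ch = source[i];
      if (quote) {
        if (ch === "\\") i++;               // skip the escaped character
        else if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === "(") depth++;
      else if (ch === ")") depth--;
    }
    if (depth === 0) args.push(source.slice(start, i - 1));
  }
  return args;
}

// Fold the literals in one argument. A pure chain leaves nothing but "+"
// and whitespace once the literals are removed.
function analyseArg(arg) {
  const pieces = [];
  const rest = arg.replace(LITERAL, (_, dq, sq) => {
    pieces.push(dq !== undefined ? dq : sq);
    return "";
  });
  const joined = pieces.join("");
  const pureChain = pieces.length > 1 && /^[\s+]*$/.test(rest);
  const avgLen = pieces.length ? joined.length / pieces.length : 0;
  return {
    pieces: pieces.length,
    joined,                                  // what the chain spells out
    suspicious: pureChain && pieces.length >= 5 && avgLen <= 3,
    spellsUrl: /https?:\/\//i.test(joined),
  };
}

// Constructed sample: one ordinary call, one fragmented (placeholder domain).
const SAMPLE = `
document.write("<p>Last updated: " + "2010" + "</p>");
document.write("ht" + "tp" + ":/" + "/e" + "xa" + "mp" + "le" + ".i" + "nv" + "al" + "id" + "/x");
`;
console.log(findWriteArgs(SAMPLE).map(analyseArg));
```

A call that is not flagged is not proven legitimate, and a flagged one still deserves a look at the joined string before you remove anything.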
More later.
Ed Abbott