Full Disclosure mailing list archives
Re: guess what this does..
From: Cal Leeming <cal () foxwhisper co uk>
Date: Wed, 13 Apr 2011 15:47:19 +0100
Well, the problem was the person(s) running the bots kept bypassing the simple protections such as these. Although it isn't 100% fool proof, it does make things *extremely* difficult for the person(s) with the bots, so much so, that they usually give up, unless they have specifically targeted you for some reason. So, instead we created hundreds of these little JS chunks, all with different lookup tables applied, and cycled them on an hourly basis. It meant if they wanted to continuously bot the service, they would have to de obfuscate the protection code, or find a mathmatical/bruteforce attack that would generate the seedkey for them. It would either involve manual intervention or code modification on the bot to make it work.. I'd have preferred to have added captcha, but there was a reasonable explanation as to why the client didn't want it. Either way, once we put this in, they gave up pretty quickly lol. On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <uuf6429 () gmail com>wrote:
Cal /Ryan, I'm not sure what you're trying to achieve. If we're talking about absolutely stupid bots, the following easily defeats them: <form> <stuff/> <script type=text/javascript>document.write('<input type="hidden" name="access" value="code"/>');</script> <form> I suppose you could obfuscate it all if you wanted to cater for script kiddies. But considering this is very weak protection (as opposed to proper captcha), I'm not sure if it's even worthwhile. One of the ways I can see this work is against automated, "JS-ignorant", MITM systems. As indeed is true, you should never trust the end user. But in a MITM scenario, the user we're not trusting is the one conducting the attack, not the other. Chris. On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal () foxwhisper co uk> wrote:Lol, I've just realised something.. I didn't include the seed key variable itself, so this code would have been pretty much useless on it own *DOH*. So, here's something else a bit tasty.. this is the server side code used to check and create the seedkey itself (secret lookup table has been changed obv.). This code allows seedkeys to be generated from epoch time. Now, cryptographically I don't know how "sane" this is, but I'm fairly sure that if the lookup table contained large integers it would become almost impossible to do a pattern based brute force. I actually had quite a lot of fun trying to break my own code. :D PS) you have been awarded 1 internets. function get_valid_keys() { // Create key store $_s = array(); // Create valid key ranges (+900 seconds) for($x=300;$x>=900;$x+=300): $_s[] = $this->create_key($offset=$x); endfor; // Create valid key ranges (-900 seconds) for($x=300;$x>=-900;$x-=300): $_s[] = $this->create_key($offset=$x); endfor; $_s[] = $this->create_key(); return $_s; } function create_packed_key() { // Create a new valid key $key = $this->create_key(); // Now generate the packed key $k = array(); // Now convert it into an array for($x=0;$x<strlen($key);$x++): $_v = unpack("H*", $key[$x]); $k[]='\x'.$_v[1]; endfor; // Okay, here is your brand new shiney key, sir :) $m = '"'.implode('","', $k).'"'; $m = strrev($m); $_m = array(); for($x=0;$x<strlen($m);$x++): $_m[]=$m[$x]; endfor; return json_encode(implode("ZPAK", $_m)); } function create_key($offset=0) { // Secret key table, used to mix up the seed $enc = array( 0 => "67892", 1 => "3953", 2 => "49474", 3 => "494755", 4 => "30585", 5 => "30582", 6 => "20485", 7 => "20486", 8 => "97294", 9 => "10284" ); // Generate new seed $time = time(); if ($offset): $time=$time+$offset; endif; $c=(int)($time/$this->_security_key_refresh); $_c = "$c"; // Extract the last 5 digits of the number $char1 = substr($_c, strlen($c)-1, 1); $char2 = substr($_c, strlen($c)-2, 1); $char3 = substr($_c, strlen($c)-3, 1); $char4 = substr($_c, strlen($c)-4, 1); $char5 = substr($_c, strlen($c)-5, 1); // Lookup the modifier from the secret key table $mt1 = $enc[$char1]; $mt2 = $enc[$char2]; $mt3 = $enc[$char3]; $mt4 = $enc[$char4]; $mt5 = $enc[$char5]; // Generate a new key, based on the modifiers $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) + ($c+$mt5))/256); $key = "$key"; return $key; } On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears () mtu edu> wrote:Me thinks I may have it right (mostly)... It seems to be some jquery to append a hidden input element to the "theform" id (presumably a form on the page ;) ) called "seedkey", and has a value of whatever t is evaluated to (which I'm still stuck on as I don't know jquery much at all, so I can't figure out the s[] array, but I know it has something to do with the bracket notation...). ================================================= += Orig =+ $(function () { var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E", "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74", "\x72\x65\x70\x6C\x61\x63\x65", "\x22"]; eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi, _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi, _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) + _0xafd3[6]); var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E", "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72", "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65", "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"]; _n = $(_0x5bfa[0]); _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]); _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]); _n[_0x5bfa[3]](_0x5bfa[6], t); $(_0x5bfa[8])[_0x5bfa[7]](_n); }); += De-obfuscated =+ $(function () { var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', 'replace', '"']; var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name', 'seedkey', 'value', 'append', '#theform']; eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi, '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"'); _n = $('<input />'); _n['attr']('type', 'hidden'); _n['attr']('name', 'seedkey'); _n['attr']('value', t); $('#theform')['append'](_n); }); ================================================= Fun stuffs. I can haz a internetz? :-P Ryan ----- Original Message ----- From: "Cal Leeming" <cal () foxwhisper co uk> To: full-disclosure () lists grok org uk Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern Subject: [Full-disclosure] guess what this does.. $(function() { var _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]); var _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n); }); enjoy ;p ps) yes I obfuscated this, and no it doesn't contain any nasties. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- guess what this does.. Cal Leeming (Apr 12)
- Re: guess what this does.. Christian Sciberras (Apr 12)
- Message not available
- Re: guess what this does.. Cal Leeming (Apr 13)
- Re: guess what this does.. Christian Sciberras (Apr 13)
- Message not available
- Re: guess what this does.. -= Glowing Doom =- (Apr 13)
- Re: guess what this does.. Cal Leeming (Apr 13)
- Message not available
- Re: guess what this does.. Christian Sciberras (Apr 12)
- <Possible follow-ups>
- Re: guess what this does.. Cal Leeming (Apr 13)
- Re: guess what this does.. Christian Sciberras (Apr 13)
- Re: guess what this does.. Cal Leeming (Apr 13)
- Re: guess what this does.. Christian Sciberras (Apr 13)
- Re: guess what this does.. Chris M (Apr 13)
- Re: guess what this does.. Cal Leeming (Apr 13)
- Re: guess what this does.. huj huj huj (Apr 18)
- Re: guess what this does.. Cal Leeming (Apr 18)
- Re: guess what this does.. huj huj huj (Apr 18)
- Re: guess what this does.. Christian Sciberras (Apr 13)
- Re: guess what this does.. Cal Leeming (Apr 13)