9

We have a relatively popular website, and recently we started seeing some strange URLs popping up in our logs. Our pages reference jQuery and we started seeing pieces of those scripts being inserted into URLs. So we have logging entries like this:

    /js/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g?d(

The User Agent string of the request is Java/1.6.0_06, so I think we can safely assume it's a bot that's probably written in Java. Also, I can find the piece of appended code in the jQuery file.

Now, my question is: why would a bot try to insert referenced JavaScript into the URL?

1

2 Answers

8

It may not be specifically targeted at your site -- it may be a shotgun attempt to find XSS-able sites so that an attacker later can figure out what's stealable and craft an attack and write a web-page to deploy it against real users.

In that case, the attacker may use bots to collect HTML from sites, and then pass that HTML to instances of IE running on zombie machines to see what messages get out.

I don't see any active payload here so I assume you've truncated some code here, but it looks like JSCompiled jQuery code that probably uses jQuery's postMessage so it's probably an attempt to XSS your code to exfiltrate user data or credentials, install a JavaScript keylogger, etc.

I would grep through your JavaScript looking for code that does something like

    eval(location.substring(...));

or anything that uses a regexp or substring call to grab part of the location and uses eval or new Function to unpack it.
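
The grep suggested in this answer, written as a small Node.js script; this is an added example, not part of the original answer. The function name `findLocationEval` and the sample lines are constructed for illustration, and the matching is a line-based heuristic that assumes one statement per line.

```javascript
// Added example (not from the original answer): heuristic, line-based scan for
// URL-derived data reaching eval() or new Function(). It over-reports on
// purpose; every hit is a candidate for manual review, not proof of XSS.
const SOURCE = /\b(?:window\.|document\.)?location\b|\bdocument\.(?:URL|documentURI)\b/;
const SINK = /\beval\s*\(|\bnew\s+Function\s*\(/;
const ASSIGN = /([A-Za-z_$][\w$]*)\s*=(?![=>])\s*(.+)/;

// True if the expression reads the URL directly or through a variable
// that an earlier line assigned from the URL.
function mentionsTainted(expr, tainted) {
  if (SOURCE.test(expr)) return true;
  const ids = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some((id) => tainted.has(id));
}

function findLocationEval(sourceText) {
  const tainted = new Set(); // names assigned from a location-derived value
  const findings = [];
  sourceText.split(/\r?\n/).forEach((line, i) => {
    const assign = ASSIGN.exec(line);
    if (assign && mentionsTainted(assign[2], tainted)) tainted.add(assign[1]);
    const sink = SINK.exec(line);
    // Only the text after the sink's opening parenthesis counts as its argument.
    if (sink && mentionsTainted(line.slice(sink.index + sink[0].length), tainted)) {
      findings.push({ line: i + 1, code: line.trim() });
    }
  });
  return findings;
}

// Constructed sample input: lines 3, 4 and 6 feed URL data into code execution.
const SAMPLE = [
  "var q = location.hash.substring(1);",
  "var title = document.title;",
  "eval(q);",
  "var f = new Function(location.search.replace(/^\\?cb=/, ''));",
  "var m = /code=([^&]+)/.exec(window.location.href);",
  "eval(decodeURIComponent(m[1]));",
  "eval('1 + 1');",
  "i.html(title);",
].join("\n");

for (const hit of findLocationEval(SAMPLE)) {
  console.log(`line ${hit.line}: ${hit.code}`);
}
```

To scan real files, read each one with `fs.readFileSync(path, "utf8")` and pass the text to `findLocationEval`; minified bundles need to be pretty-printed first so that statements fall on separate lines.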

6 Comments

Also, it might be a good idea to block these user agents: tacticaltechnique.com/how-to/block-java-user-agents
@karim79, Yeah. Can't hurt to interrupt any reconnaissance.
The example URL is really all there is. Could it be some kind of two-step process? First inserting pieces of JS that look "trusted" by the original website and checking whether the returning page renders it in some way? And then referencing it somewhere else with custom JS?
@Thomas, If you're asking whether the code might be downloading the main payload from somewhere else, then yes, that is a common tactic. If you're asking whether the other half of the payload is likely to be injected later, then no. If someone is planning to attack, why would they try half of an attack when they have a full attack ready? That could only alert the target. I think it's more likely an attempt to probe defenses, or inject a persistent XSS -- by PUTting something with a path, maybe they can persist JavaScript into a site directory that will XSS other pages.
@winSharp93, quite right. There are a lot of ways to turn a string into code in the browser: innerHTML, document.write, .href= with javascript: or similar, and on some older browsers CSS is dangerous as in .style.color = 'expression(...)' or 'moz-binding', and browsers are always adding new mechanisms like iframe.srcdoc.
3

Checking for Cross Site Scripting vulnerabilities, maybe.

If the bot detects a successful injection, it might inject dangerous code (e.g. stealing your users' passwords or redirecting them to malicious sites).
