Messages - xartica

16
Security - General / ZoneAlarm and Proxo
« on: March 10, 2002, 09:30:13 PM »
What kind of program is Proxomitron?
It is a PROXY SERVER.




ps
Yes, I'm seeing buggy behavior in ZAP3.0

 

17
Questions and Answers / HighLite list ?
« on: March 09, 2002, 08:59:36 PM »
The "BadWord" filter referred to above is slow because of its leading wildcard.
When writing filters, the goal should be to make it fail (NOT match) as soon as possible.

Below is a (fast) webfilter I wrote for a slightly different purpose.
It will ALMOST do what you want ~~ match against visible text and flag "keywords".

I say "almost" because it BRACKETS matched keywords with underscore characters, rather than actually inserting html tags in an attempt to highlight the text.
It does this because I haven't been able to figure out a BOUNDS or $NEST
argument that will prevent the filter from matching/replacing within TAGS, scripts, etc. (which would be a baaaaad thing)


Name = "word flagged when Keyword found"
Active = TRUE
Multi = TRUE
Match = "(([^=])(s|   |[-\=:>'[(;?/.",]))1($LST(Naughty)([a-z-]+|))2"
Replace = "1______2______"


=============
long-winded explanation of the filter logic:

The core idea here is to match starting at beginning-of-words only.
          (Selectively enumerating valid "leading" chars
           makes the filter quite a bit faster.)
In the match string, valid starting points (characters) are enumerated as:
      s|   |[-\=:>'[(;?/.",]
in other words, a "word" can ONLY begin following a SPACE or TAB character,
or a dash, a backslash, a forward-slash, an equal sign, a colon...

(extra backslashes in it because some of the chars need to be "escaped")

So, the filter won't perform a lookup in your blocklist until it reaches one
of the "valid" characters. YOU MAY WANT TO ADD/DELETE "VALID"
CHARACTERS, INSTEAD OF USING EXACTLY THOSE I'VE LISTED.
 Yep, the filter only is SUPPOSED TO match from beginning-of-word;
 This special handling is due to how we (I) have defined a "word".

The tail-end argument
    ([a-z-]+|)
Is there to accommodate the replacement... and to enable you to use
word STEMS as blocklist items. (I wrote it this way for use in
a porn filter ~~ so that one blocklist item like "fat(-|s|ass|)"
can cover a lot of ground.) YOUR BLOCKLIST CAN ALSO CONTAIN
HYPHENATED WORDS, AND MULTIPLE WORDS (PHRASES).

=========Example:==========
That ending argument serves the purpose of including any extra, end-of-word,
characters in the match... but STILL allowing the match to return TRUE if
there aren't any extra ~~ if the word found in-page EXACTLY matches a
blocklist word.  Example: Put "curd" on a blocklist line, and the filter will
match 'curd', 'curdhead', 'curd-head', and 'CurdsRUs'.
It will not (by design) match "thecurd".
---------------------------


=============FOR FURTHER DEVELOPMENT===========
Here's my attempt at a "nested" version of the matchstring.
It didn't work as expected.

Match =
"$INEST(>,([^=])(s|   |[-\=:>'[(;?/.",])1($LST(Naughty)([a-z-]+))2,<)"

I'VE NEVER SEEN A PROX FILTER THAT IS CONSTRAINED TO MATCHING
ONLY *VISIBLE* TEXT WITHIN A PAGE, AND WOULD GREATLY APPRECIATE
ANY HELP TOWARD ACCOMPLISHING THIS.
===============================================
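
Added example, not part of the original post and not Proxomitron filter syntax: Python that handles the visible-text-only matching the post asks about, using the standard library's HTML tokenizer so that keywords are bracketed only in text nodes, never inside tags, attribute values or script/style bodies. The `STEMS` list, the sample page and the "not preceded by a letter" word-start rule are assumptions standing in for the post's blocklist and its enumerated leading characters.

```python
import html
import re
from html.parser import HTMLParser

STEMS = ["curd"]  # constructed blocklist; entries are word stems
# A stem matches only at the start of a word (not preceded by a letter);
# the tail swallows the rest of the word, hyphens included.
WORD = re.compile(r"(?<![a-z])(?:%s)[a-z-]*" % "|".join(map(re.escape, STEMS)), re.I)

class VisibleTextFlagger(HTMLParser):
    """Re-emit a page, bracketing blocklisted words in visible text only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.hits, self.hidden = [], [], False

    def handle_starttag(self, tag, attrs):
        # The tokenizer hands script/style bodies over as raw data up to the end tag.
        self.hidden = tag in ("script", "style")
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.hidden = False
        self.out.append("</%s>" % tag)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_data(self, data):
        if self.hidden:
            self.out.append(data)  # script/style body passes through untouched
        else:  # visible text, character references already decoded
            self.out.append(html.escape(WORD.sub(self._flag, data), quote=False))

    def _flag(self, match):
        self.hits.append(match.group(0))
        return "_%s_" % match.group(0)

def flag_visible(page):
    parser = VisibleTextFlagger()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.hits

SAMPLE = (  # constructed page: keyword in an attribute, in text, in a script
    '<a href="/curd.html" title="curd">curd, curd-head and CurdsRUs</a>'
    '<script>var curd = 1;</script><p>thecurd</p>')
```

Because matching runs on decoded text, a keyword written with character references (for example `c&#117;rd`) is flagged as well.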



 

18
Block List Files / Bypass List
« on: March 08, 2002, 10:47:34 PM »
I don't know how helpful that would be.

The list of IPs // ranges would never match, unless you manually typed a numeric IP into your web browser's location bar as the host portion of a URL, or clicked on a link which explicitly referenced the host destination by IP.

Given a friendly (DNS) name as the destination URL ~~ which is the case nearly all the time ~~ neither the web browser nor the proxy can perform a "reverse DNS lookup" when pages are requested.



 

19
Site Specific / Un-Prefix URLs
« on: February 18, 2002, 10:11:52 PM »
This header filter watches for outbound URL requests, stuffs into a variable anything found after "http" or "ftp" ...and JUMPs to this tail-end destination.
It should handle what you're trying to do.

Look in your config and see if it's already in there & just not activated.
I thought it was a default filter (part of the Prox distribution package).

In = FALSE
Out = TRUE
Key = "URL: Un-Prefixer (Out)"
Match = "[^]+w[^a-z]((http|ftp)(%3A|:)(%2F|/)[^&]+)1"
Replace = "$JUMP($UESC(1))"

I use one or more of the WEBfilters posted earlier in this thread ~~ rather than this HEADER filter I'm posting.

One of the long-time Prox users, Homeric, still uses the header filter, but only for select sites. He sez:
"performs redirects on Altavista, Yandex, Rambler and Hotmail. It is preferable to use this filter than the unprefixer web filter, because it works faster. It is active on specific URLs to prevent errors."

FWIW, his URL line for this filter looks like this:
URL = "(www.|)((ya(ndex|).ru/redir)|altavista.com/r)|search.rambler.ru/click|64.4.[^/]+/cgi-bin/linkrd"


 

20
Security / Yet another IE vulnerability...
« on: February 14, 2002, 09:33:01 PM »
Paul, the exploit is real; it's not 'trickery'.

Mona posted a msg today
http://groups.yahoo.com/group/prox-list/message/10010

pointing to a news article
http://www.securityfocus.com/news/327
which reports that this new MS patch STILL doesn't
fix all the previously-reported vulnerabilities.

(sigh)

21
Security / Yet another IE vulnerability...
« on: February 14, 2002, 07:31:34 AM »
I just started messing with a downloaded copy of the page referenced.
So far, I haven't been able to find anything really "tricky" to do with it.
With 'codebase', I don't think arguments can be passed. This:

CODEBASE="c:/windows/explorer.exe /n,/e, f:"

didn't work when I tried it. Considering that both the call to C:cmd.exe and to cleanmgr.exe completely lock up my PC (Win98SE; MSIE5.5 SP2), it's something that I want to filter against... and the first time I locked up my PC by clicking, I sure felt "exploited"!

(I'm laughing at myself ~~
  "Doctor, when I stick a fork in my eye, it hurts...")



 

22
Feature-Block / onLoad by choice
« on: February 08, 2002, 06:58:30 AM »
quote:

Match = "#(onload="2')1#"



Nice use of the SmartQuotes, but what if there are NO quotes?

It's not well-formed HTML, but MSIE 5.5 would parse the following
just fine (and the onLoad code would elude the filter):

<html>
<body onload=alert(document.location)>
text here
</body>
</html>

Don't get me wrong ~~ I absolutely LOVE your filter idea. I would just hesitate to put it in place unless it's 100% reliable... and I'm not slick enough
(at least not at 12:40am) to figure out how to handle the above scenario.
Neither $AV nor $AVQ would work, eh?
    ???
Match = "#((onload='|onload=)2&&('|))1#"

What I ESPECIALLY like about your filter is that it can be INTERACTIVE, rather than all-or-nothing. I think I'd expand the replacement to include a confirm,
ala:

Replace = "@"
  "<button style="border:none;background:red;text-align:center;width:100%;"
  "onclick="confirm('Prox trapped an onLoad event\nWanna run it?')"
  " 2">1</button><BR>"

...except I would ALSO try to use the 2 string twice ~~ DISPLAYING it in the confirm dialog as well as injecting it as javascript code to be executed.

Whaddya think?
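
Added example, not part of the original post and not Proxomitron syntax: Python comparing a quote-dependent pattern with an HTML tokenizer on the unquoted `onload` case raised above. The regex, the function names and the quoted samples are constructed for illustration; the unquoted sample is the page given in the post.

```python
import re
from html.parser import HTMLParser

# Quote-dependent pattern: only sees a handler whose value is wrapped in quotes.
QUOTED_ONLY = re.compile(r"""\bonload\s*=\s*(["'])(.*?)\1""", re.I | re.S)


class OnloadFinder(HTMLParser):
    """Collect onload attributes from start tags, however the value is quoted."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # attrs arrive as (name, value) pairs with names lowercased and any
        # surrounding quotes already removed by the tokenizer.
        for name, value in attrs:
            if name == "onload":
                self.found.append((tag, value))


def find_onload(page):
    finder = OnloadFinder()
    finder.feed(page)
    finder.close()
    return finder.found


def regex_sees_onload(page):
    return QUOTED_ONLY.search(page) is not None


# The unquoted page from the post, plus two constructed quoted variants.
UNQUOTED = "<html>\n<body onload=alert(document.location)>\ntext here\n</body>\n</html>"
DOUBLE_QUOTED = '<body onLoad="init()">'
SINGLE_QUOTED = "<body onload='init()'>"
```

The pattern finds the handler in both quoted variants and misses the unquoted page, while the tokenizer reports the handler in all three.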

23
Configuration Files / New Jor's config (Opera & Mozilla)
« on: January 20, 2002, 04:15:04 PM »
Within your "Fix MIME-types" blocklist, you have enumerated these types:
================================
?htm $SET(0=text/html)
?html $SET(0=text/html)
css $SET(0=text/css)
# eml $SET(0=text/html)
exe $SET(0=application/octet-stream)
htm $SET(0=text/html)
html $SET(0=text/html)
js  $SET(0=text/javascript)
mid $SET(0=audio/mid)
mp3 $SET(0=audio/x-mpeg)
rar $SET(0=application/x-rar-compressed)
swf $SET(0=application/x-shockwave-flash)
txt $SET(0=text/plain)
xml $SET(0=text/xml)
zip $SET(0=application/x-zip-compressed)
================================


Questions:

            ?htm $SET(0=text/html)
            ?html $SET(0=text/html)
--------------^ What are these (these types)?
Is the purpose here to match similar, yet less-common, file extensions such as "phtm" and "phtml"... as well as the more common .shtm // .shtml files ?

Why is it necessary to enumerate all these types?
(I'm not suggesting it's unnecessary. I'm just confused.)
Won't the "unknown types handler" header filter act as a cure-all?
If not, should I enumerate .cgi , .pl, and file extensions, as well?



 

24
Configuration Files / New Jor's config (Opera & Mozilla)
« on: January 20, 2002, 03:46:04 PM »
Within your latest "Bypass_List.txt" are the lines
=================
# M$' move to XML makes it impossible to filter...
(*.)microsoft.com/
=================

I haven't found many MS pages that are XML.
Where are you encountering them? (MSDN site? Search pages?)

