Author Topic: web beacon found within stylesheet linkTag  (Read 2599 times)

xartica

« on: May 22, 2002, 07:17:14 AM »
--- (in the Yahoo!Prox-list forum) Michael B?rschgens wrote:
> I've found the following line in a webpage:
>
> <link rel=stylesheet type="text/css"
> href="http://www.house27.ch/counter/trans.php?ID=9322">
>
> Since I've never seen this before I think it is a new idea to slip
> through filters.

--- my reply:

Yep, it's definitely a web beacon ~~ calling that URL returned
a zero-length text/html content-typed document.

Here's the counteracting webfilter I propose:

Name = "strip web beacons posing as stylesheets"
Active = TRUE
Bounds = "<link\s*>"
Limit = 512
Match = "*rel=$AV(stylesheet)*&"
-indent-"*href=$AV(*([?=]|.pl|.php|.cgi)*)"
-indent-"|(^*href=$AV(*(.css|.txt)*))"

Here's my rationale:

~~ 512-byte limit because the LINK tag may be padded with several
attributes

~~ path to a valid CSS should never have a questionMark or equalSign
(I've seen valid stylesheets returned with commas in the path, FWIW)

~~ the file extension patterns might seem "obvious" but if they're
not explicitly stated, "href=pathname/MuckUp.css.cgi" could slip by

~~ Although dot-css is the convention, I continually encounter a lot
of dot-txt -named stylesheets


Discussion invited:
Should the filter also include (look for) .asp and other executables?
I think accounting for the common script extensions is enough ~~
because, eventually... some dastardly weenie will just
serve all his stylesheets from a www2.domain.com webserver which has
been configured so that ".css" files are associated with (handled by)
perl and are executable. The script will transparently count ya & will
return the (a) valid stylesheet.

-xartica
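
The heuristic from the post above, as an added Python example (not part of the original thread and not Proxomitron syntax). The function and class names are this example's own, and checking extensions against the URL path only is an assumption of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCRIPT_EXTS = (".pl", ".php", ".cgi")  # script extensions listed in the filter
SHEET_EXTS = (".css", ".txt")          # extensions the post accepts as stylesheets

def beacon_reason(href):
    """Return why a stylesheet href looks like a beacon, or None if it passes."""
    href = href.lower()
    if "?" in href or "=" in href:
        return "query characters in href"
    # Assumption of this example: test extensions against the path only, so a
    # host name such as www.example.pl does not trip the ".pl" check.
    path = urlsplit(href).path
    for ext in SCRIPT_EXTS:
        if ext in path:  # substring match, so "x.css.cgi" is caught
            return "script extension " + ext
    if not any(ext in path for ext in SHEET_EXTS):
        return "no .css/.txt in path"
    return None

class LinkAudit(HTMLParser):
    """Collect (href, reason) for every suspicious <link rel=stylesheet>."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag != "link" or "stylesheet" not in attr.get("rel", "").lower().split():
            return
        reason = beacon_reason(attr.get("href", ""))
        if reason:
            self.findings.append((attr.get("href", ""), reason))

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Sample page: the first href is the one quoted in the thread; the rest are constructed.
SAMPLE = """
<link rel=stylesheet type="text/css" href="http://www.house27.ch/counter/trans.php?ID=9322">
<link rel="stylesheet" href="/styles/main.css">
<link rel="stylesheet" href="pathname/MuckUp.css.cgi">
<link rel="stylesheet" href="/img/pixel.gif">
<link rel="stylesheet" href="http://www2.domain.com/site.css">
"""
```

`audit(SAMPLE)` flags the first, third and fourth links. The last one passes, which is the case raised in the discussion paragraph: a server that runs ".css" files as scripts looks the same as an ordinary stylesheet to any check on the URL alone.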


 
 

Arne

« Reply #1 on: May 22, 2002, 09:25:09 AM »
This is very nice. I only get it to work when I remove the backslash in red though:

Match = "*rel=$AV(stylesheet)*&"

Thanks for this filter!


Best wishes
Arne
Imici username: Arne