Back to Epicmafia

Hidden Link Detector

almost 11 years

https://greasyfork.org/en/scripts/11623-hidden-link-detector

As many of you know, hidden links can be a significant for threat one's security all throughout the Internet, not limited to just Epicmafia. To combat this threat, have made a greasemonkey script that will detect and alert you of any hidden links on the current page. This script works on every website, including sites that have real-time updates like Skype.

If you haven't already, install the tampermonkey extension for chrome or the greasemonkey extension for FireFox so you can install my script.

Instructions

Normal links will be unaffected, links that go to a destination other than what they appear to go to are highlighted in yellow, and any links that will run JavaScript when they're clicked are highlighted in red.

Hovering over the links will also show you the real destination, or in the case of a JavaScript link, the script that will be run when you click on it.

As always, notify me of any issues or exploits you may find in the script.

almost 11 years
almost 11 years
remember dragon eggs or whatever that was
almost 11 years

mist says


xela says

*backflips into thread*

yo lucid, profile pets

*sashays outta here*


don't do this.

deletedalmost 11 years

xela says

*backflips into thread*

yo lucid, profile pets

*sashays outta here*


don't do this.
almost 11 years
*backflips into thread*

yo lucid, profile pets

*sashays outta here*
deletedalmost 11 years
BUT WAT IF THIS WILL HIDDEN LINK US???? WILL WE EVER BE SAFE????
deletedalmost 11 years
almost 11 years
alright thanks foxie. i'll turn it on. hopefully the server behaves ok
almost 11 years
i'll do it for tomorrow then
almost 11 years
well, we should test it out foxie. it'd be great help. why don't you craft a fake image, and i'll implement the code right now, see if you can spoof it. i really g2g now
almost 11 years
just keep up with the csrf, that'll solve it
almost 11 years
nah you can't, i have some tools that check to make sure it is a proper image now. i just need to turn it on. it costs me though, because i need to make a request for each image
almost 11 years
so really, checking if an image is even real doesn't matter, because you can fake a real image
almost 11 years
you can't prevent it in the bbcode/markdown itself, because i can simply host a fake image on my server that redirects to epicmafia.com/mod/action/refundgame etc
almost 11 years
It's that or make sure there are no vulnerable get requests. And that means logging out users as well.
almost 11 years

admin says

correct foxie, i could reroute all the images through a central point in my server and check the destination, but it's more trouble than it's worth atm


no i mean the exploit uses the fact you assume (as you should) that a link ending in an image extension is an image

however, you aren't the one redirecting them, another server is

so the referrer won't be em if they redirect to an em action, so referrer is actually a simple check that works

of course, more security in the form of method checking/csrf is better
almost 11 years
should i check every bbcode image to make sure it's an image as well? might be costly to the server but w/e. right now i just check for proper extensions, but i suppose that can be faked
almost 11 years
correct foxie, i could reroute all the images through a central point in my server and check the destination, but it's more trouble than it's worth atm
almost 11 years
He already has a working solution in the lobby banner images. It checks to make sure that the image is a real image. I don't see why he doesn't use it for bbcode as well.
almost 11 years
alright, enjoy your new orange
almost 11 years

Croned says


cub says

mass refunding by pming mods images for refunds was the real issue


Is it still? I mean, he hasn't fixed the bbcode images yet.


thread op, user bios, and mail use markdown

posts and comments use bbcode

would probably be better if they all use bbcode for consistency but they don't

image redirects can be done either way though, and they're completely unpreventable unless you check for method/csrf/referrer (yes, referrer works because it has to be routed through another domain to redirect back to em)
deletedalmost 11 years
sigh . . . im rejectedly ignored . . .
almost 11 years
sanctify, just email me the rgb value for the color you want
almost 11 years

cub says


Croned says

Yes, that's recent, I assume because of the recent mass-friending that occured through the bbcode image exploit.


mass refunding by pming mods images for refunds was the real issue


Is it still? I mean, he hasn't fixed the bbcode images yet.
almost 11 years
In "Break The Code" you have the brown then the orange in the bottom row, they both look really similar and it confused me and the person i was playing with earlier a lot.