Back to Epicmafia

Hidden Link Detector

The
over 9 years

https://greasyfork.org/en/scripts/11623-hidden-link-detector

As many of you know, hidden links can be a significant for threat one's security all throughout the Internet, not limited to just Epicmafia. To combat this threat, have made a greasemonkey script that will detect and alert you of any hidden links on the current page. This script works on every website, including sites that have real-time updates like Skype.

If you haven't already, install the tampermonkey extension for chrome or the greasemonkey extension for FireFox so you can install my script.

Instructions

Normal links will be unaffected, links that go to a destination other than what they appear to go to are highlighted in yellow, and any links that will run JavaScript when they're clicked are highlighted in red.

Hovering over the links will also show you the real destination, or in the case of a JavaScript link, the script that will be run when you click on it.

As always, notify me of any issues or exploits you may find in the script.

cub
over 9 years
cub
over 9 years
remember dragon eggs or whatever that was
moon
over 9 years

mist says


xela says

*backflips into thread*

yo lucid, profile pets

*sashays outta here*


don't do this.

deletedover 9 years

xela says

*backflips into thread*

yo lucid, profile pets

*sashays outta here*


don't do this.
xela
over 9 years
*backflips into thread*

yo lucid, profile pets

*sashays outta here*
deletedover 9 years
BUT WAT IF THIS WILL HIDDEN LINK US???? WILL WE EVER BE SAFE????
deletedover 9 years
admin
over 9 years
alright thanks foxie. i'll turn it on. hopefully the server behaves ok
cub
over 9 years
i'll do it for tomorrow then
admin
over 9 years
well, we should test it out foxie. it'd be great help. why don't you craft a fake image, and i'll implement the code right now, see if you can spoof it. i really g2g now
cub
over 9 years
just keep up with the csrf, that'll solve it
admin
over 9 years
nah you can't, i have some tools that check to make sure it is a proper image now. i just need to turn it on. it costs me though, because i need to make a request for each image
cub
over 9 years
so really, checking if an image is even real doesn't matter, because you can fake a real image
cub
over 9 years
you can't prevent it in the bbcode/markdown itself, because i can simply host a fake image on my server that redirects to epicmafia.com/mod/action/refundgame etc
The
over 9 years
It's that or make sure there are no vulnerable get requests. And that means logging out users as well.
cub
over 9 years

admin says

correct foxie, i could reroute all the images through a central point in my server and check the destination, but it's more trouble than it's worth atm


no i mean the exploit uses the fact you assume (as you should) that a link ending in an image extension is an image

however, you aren't the one redirecting them, another server is

so the referrer won't be em if they redirect to an em action, so referrer is actually a simple check that works

of course, more security in the form of method checking/csrf is better
admin
over 9 years
should i check every bbcode image to make sure it's an image as well? might be costly to the server but w/e. right now i just check for proper extensions, but i suppose that can be faked
admin
over 9 years
correct foxie, i could reroute all the images through a central point in my server and check the destination, but it's more trouble than it's worth atm
The
over 9 years
He already has a working solution in the lobby banner images. It checks to make sure that the image is a real image. I don't see why he doesn't use it for bbcode as well.
admin
over 9 years
alright, enjoy your new orange
cub
over 9 years

Croned says


cub says

mass refunding by pming mods images for refunds was the real issue


Is it still? I mean, he hasn't fixed the bbcode images yet.


thread op, user bios, and mail use markdown

posts and comments use bbcode

would probably be better if they all use bbcode for consistency but they don't

image redirects can be done either way though, and they're completely unpreventable unless you check for method/csrf/referrer (yes, referrer works because it has to be routed through another domain to redirect back to em)
deletedover 9 years
sigh . . . im rejectedly ignored . . .
admin
over 9 years
sanctify, just email me the rgb value for the color you want
The
over 9 years

cub says


Croned says

Yes, that's recent, I assume because of the recent mass-friending that occured through the bbcode image exploit.


mass refunding by pming mods images for refunds was the real issue


Is it still? I mean, he hasn't fixed the bbcode images yet.
Sanctify
over 9 years
In "Break The Code" you have the brown then the orange in the bottom row, they both look really similar and it confused me and the person i was playing with earlier a lot.