
Hidden Link Detector

over 9 years

https://greasyfork.org/en/scripts/11623-hidden-link-detector

As many of you know, hidden links can be a significant threat to one's security all throughout the Internet, not limited to just Epicmafia. To combat this threat, I have made a Greasemonkey script that will detect and alert you to any hidden links on the current page. This script works on every website, including sites that have real-time updates like Skype.

If you haven't already, install the Tampermonkey extension for Chrome or the Greasemonkey extension for Firefox so you can install my script.

Instructions

Normal links will be unaffected, links that go to a destination other than what they appear to go to are highlighted in yellow, and any links that will run JavaScript when they're clicked are highlighted in red.

Hovering over the links will also show you the real destination, or in the case of a JavaScript link, the script that will be run when you click on it.

As always, notify me of any issues or exploits you may find in the script.
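
The colour rules in the post above, sketched as an added example; this is not the userscript's own code and not part of the original post. It assumes a link "appears to go" somewhere only when its visible text is itself a URL or hostname; `classifyLink`, `hostShownInText` and the `forum.example` page URL are hypothetical names.

```javascript
// Added example: decide how a link should be flagged from its text and href.
const PAGE = "https://forum.example/topic/1"; // constructed URL used to resolve relative hrefs

// If the visible text looks like a URL or bare hostname, return the host it names.
function hostShownInText(text) {
  const t = text.trim();
  if (/\s/.test(t)) return null; // ordinary wording names no destination
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "https://" + t;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    return /\.[a-z]{2,}$/.test(host) ? host : null; // require a dotted name
  } catch {
    return null;
  }
}

function stripWww(host) {
  return host.replace(/^www\./, "");
}

// Returns "javascript" (red), "mismatch" (yellow) or "normal" (left alone).
function classifyLink(text, href, pageUrl = PAGE) {
  let dest;
  try {
    // Parsed the way the browser will read it, so leading whitespace is ignored.
    dest = new URL(href, pageUrl);
  } catch {
    return "mismatch"; // cannot tell where it goes: flag it
  }
  if (dest.protocol === "javascript:") return "javascript";
  const shown = hostShownInText(text);
  if (shown !== null && stripWww(shown) !== stripWww(dest.hostname)) return "mismatch";
  return "normal";
}
```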

over 9 years
Both markdown and bbcode images are still exploitable, but if you only want foxie to email you, then that's fine.
over 9 years
why thanks foxie, so kind of you to believe in me
over 9 years
im proud of you phil
over 9 years
if you know of anything else, email me foxie
over 9 years
ok, i added some extra security in the last 10 minutes. let me know if you are able to break anything. thanks
over 9 years

Jaleb says


Miloo7 says

like people like croned who actually care about this site should be mod, not...


I didn't say mod. By staff I mean someone to code the site.


it's not like he's gonna get paid
over 9 years
nevermind idk why my original hidden link doesn't work anymore but every single test alert does

bbcode already works fine, you can't hidden link those, it's markdown that's susceptible
over 9 years
He fixed that as well. He's detecting colons/spaces and removing the links that way, which I believe is how the bbcode works.
over 9 years

Croned says

It's still not fixed. I think he just undid the progress he just made.


no he fixed regular javascript in front of links, which should stump most people, just needs to check for whitespace in front now since browsers ignore it when reading links

edit: nevermind, only the first hidden link was removed, not subsequent ones
over 9 years
It's still not fixed. I think he just undid the progress he just made.
over 9 years
hope he didn't go to sleep before i edited my post
deleted
over 9 years
bless
over 9 years
now it's gone

you did it phil you're a hero

edit: space in front of javascript still works

[ fake link]( javascript:alert(0))

final hurdle just \w* it
over 9 years
there's a simple hidden link on my profile you can use as reference

it still works, cleared cache
over 9 years
you already handle bbcode properly, it's just markdown that has the problem

[ fake link](javascript:alert("ran"))
over 9 years
ok, it should be fixed, foxie, could you check it for me?
over 9 years
image is already fixed. i'll just check every link to make sure it is a well formed url before rendering
over 9 years
this doesn't apply to image links, this is referring to the very old markdown link exploit

i pm'd you the exact exploit and solution, which is adding a check in the markdown for if a link begins with "javascript:"

if you're fixing image hidden links that's great, it was a far bigger problem, although this is an easy fix as well
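
An added example, not the site's code and not part of any post in this thread: one way to render markdown links that covers the cases raised here (a `javascript:` target, a space in front of it, and several links in one post). It parses each target and allows only listed schemes instead of matching a string prefix; `safeHref`, `renderLinks`, the scheme list and the `forum.example` base URL are assumptions.

```javascript
// Added example: link only to targets that parse as an allowed URL.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy
const BASE = "https://forum.example/"; // constructed base for relative targets

// [text](target), allowing one level of parentheses inside the target.
const LINK = /\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)/g;

// Returns the normalized URL, or null when the target must not become a link.
function safeHref(raw) {
  try {
    // The URL parser trims surrounding whitespace and lowercases the scheme,
    // so the check sees the target the same way the browser would.
    const url = new URL(raw, BASE);
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null; // not a well formed URL
  }
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Processes every link in the post, not only the first match.
function renderLinks(markdown) {
  let out = "";
  let last = 0;
  for (const m of markdown.matchAll(LINK)) {
    out += escapeHtml(markdown.slice(last, m.index));
    const href = safeHref(m[2]);
    const label = escapeHtml(m[1].trim());
    // A rejected target leaves plain text behind instead of an anchor.
    out += href === null ? label : `<a href="${escapeHtml(href)}">${label}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(markdown.slice(last));
}
```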
over 9 years
my ability to fix things is really just limited by my time and knowledge of an exploit
over 9 years
foxie, i am now checking every image link to be valid before rendering. if you can demonstrate an xss, please do so and email me and i'll fix it
over 9 years
loading the entire jquery library twice per page doesn't sound any better

intervals are still a bad idea, view source on what i linked to see the proper way to do it without running code constantly
over 9 years

cub says


also this isn't really a threat on any other website since they almost all properly sanitize input before parsing it.


Most allow you to insert custom text for your link text, which can be used to create a link that actually visits another destination (making any get request without CSRF verification vulnerable). Web Skype is vulnerable to this, which is why I added the interval. I should limit the interval to just Skype, though.

cub says

and far more so i recommend against loading the entirety of the jquery library in your script that barely needs it, big wasted request on every page


That's what every page with JQuery already does, including most pages on EM.
over 9 years

Jaleb says

By staff I mean someone to code the site.


arcbell
over 9 years

Miloo7 says

like people like croned who actually care about this site should be mod, not...


I didn't say mod. By staff I mean someone to code the site.
deleted
over 9 years
i think its safe to say if you had time to make this, you had time to make me a sandwich.


Spoiler
nice job