Aggressive ISP injected/embedded scripts/ads blockable

timo
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Aggressive ISP injected/embedded scripts/ads blockable

Post by timo »

How would ABP be able to effectively block out scripts and ads that are embedded by the ISP directly into html from any website I visit?

There is no 3rd party domain. The html is modified/hijacked/embedded (not sure what one calls it) with new code. I will try to provide an example. Visit http://www.w3.org/XML/2009/xml-names-errata; the source in red is injected by the ISP, and the underlined numbers after the domain are random every time the page is reloaded.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><script src='http://www.w3.org/[u]9t4644308c54a31[/u]/XML/2009/xml-names-erratap'></script><meta content="text/html; charset=utf-8" http-equiv="Content-Type"/><title>
Namespaces in XML 1.0 (Third Edition)
Errata
</title><style type="text/css">
body {
background: white;
color: black;
}
h3 {
background: #C8C8C8;
padding: 2ex;
text-align: center;
}
blockquote { font-family: Arial, Helvetica, sans-serif; }
.quote { font-family: Arial, Helvetica, sans-serif; }
span.editor { color: red; display: inline }
.diff-add { background-color: yellow; }
.diff-chg { background-color: lime; }
.diff-del { text-decoration: line-through; }
</style></head><body><script src='/8ua1082638cb741/XML/2009/xml-names-erratal'></script><p><a href="http://www.w3.org/"><img border="0" align="left" src="http://www.w3.org/Icons/w3c_home.gif" hspace="0" alt="W3C"/></a></p><br clear="all"/>
<h1 align="center">
Namespaces in XML 1.0 (Third Edition)
Errata, 3 August 2009</h1>
<h2>Known Errors</h2>
<p>None so far</p>
</body></html>
If we follow the script src, it loads some js:
if(self==top){(function(){var g=function(a){var d=document,h=d.getElementsByTagName("head")[0] || d.documentElement,j=d.createElement("script");j.type="text/javascript";j.src=a;h.insertBefore(j,h.firstChild);};g("http://www.w3.org/7b236c54c32f052/XML/2 ... es-erratap");})()}
And loading http://www.w3.org/7b236c54c32f052/XML/2 ... es-erratap gives this monster:

I can block the resulting images and ads but can't hide the 90px of blank space on top of page. Is there any way to block this piece of shit earlier rather than later?

Will appreciate if you guys can give it a shot.
Gingerbread Man

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by Gingerbread Man »

I don't suppose getting a better ISP is an option?

The script appears to be first-party and to reference a path that is a random alphanumeric string of 16 characters. So you should be able to create a filter using regular expressions that will do the trick.
adblockplus.org/en/filters#regexps

I've tested this and it should do what you want, but I'm providing it as-is, without any guarantees of any kind ;) Someone well-versed in regular expressions may provide you with a better filter.

/\u002F[a-z0-9]{15}\u002F/$script,~third-party
timo
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by timo »

Thanks Gingerbread Man! Your little bit of regex magic killed it off very nicely. :D

Many long-suffering Starhub ISP users from Singapore will love this!
Gingerbread Man
Posts: 1339
Joined: Fri Aug 12, 2011 5:28 am

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by Gingerbread Man »

You're welcome :)

I suppose I should mention I used hex instead of forward slashes only because I found them more readable. The following is equivalent to the above:

/\/[a-z0-9]{15}\//$script,~third-party
It would be nice if someone knew how to make it more specific. The odds of false positives are a little high for my liking. For example, this filter would also block

http://www.example.com/photoalbums2011/harmless_script.js
timo
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by timo »

Yes, tightening it up a bit would be nice.

I was actually looking high and low for some form of system variables or escape sequences that can be used in a filter to represent the domain and path parts. Something like:

If url = http://www.w3.org/XML/2009/xml-names-errata
%domain% = http://www.w3.org
%path% = /XML/2009/xml-names-errata

and possibly allow a filter like this: %domain%/*/%path%

Anyhow, your regex filter is working beautifully, seeing it blocked over 500 hits in 1 day of speeded up browsing is really great, thanks again.
Gingerbread Man
Posts: 1339
Joined: Fri Aug 12, 2011 5:28 am

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by Gingerbread Man »

timo wrote: I was actually looking high and low for some form of system variables or escape sequences that can be used in a filter to represent the domain and path parts.
There aren't any as far as I can see.
timo wrote: %domain% = http://www.w3.org
I don't see what good this would do. The filter is already restricted to first-party scripts. As for matching against the script target, you have an example that begins with a slash rather than the domain name:

<script src='/8ua1082638cb741/XML/2009/xml-names-erratal'></script>
timo wrote: Anyhow, your regex filter is working beautifully, seeing it blocked over 500 hits in 1 day of speeded up browsing is really great, thanks again.
You're quite welcome.
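
The trade-off discussed in the posts above, as an added example that is not part of the thread and not an Adblock Plus feature: it runs the posted regex and a stricter page-aware check over the script URLs quoted in the thread. The name `looksInjected` and the `example.com` page URL are assumptions made for illustration.

```javascript
// Filter regex as posted in the thread (slash form).
const THREAD_FILTER = /\/[a-z0-9]{15}\//;

// Hypothetical check: the script is first-party, its first path segment is a
// 15-character [a-z0-9] token, and the rest of its path repeats the path of
// the page that loads it (the "%domain%/*/%path%" idea from the thread).
function looksInjected(scriptSrc, pageUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, page); // also resolves src='/token/...'
  if (script.origin !== page.origin) return false; // same as ~third-party
  const m = /^\/[a-z0-9]{15}(\/.*)$/.exec(script.pathname);
  if (!m) return false;
  // Limitation: a page at "/" is skipped, since every path starts with "/".
  return page.pathname.length > 1 && m[1].startsWith(page.pathname);
}

// Script URLs quoted in the thread; the example.com page URL is constructed.
const SAMPLES = [
  { page: "http://www.w3.org/XML/2009/xml-names-errata",
    src: "http://www.w3.org/9t4644308c54a31/XML/2009/xml-names-erratap" },
  { page: "http://www.w3.org/XML/2009/xml-names-errata",
    src: "/8ua1082638cb741/XML/2009/xml-names-erratal" },
  { page: "http://www.example.com/photoalbums2011/index.html",
    src: "http://www.example.com/photoalbums2011/harmless_script.js" },
];

// Returns, per sample, what the posted regex and the stricter check decide.
function compare() {
  return SAMPLES.map(({ page, src }) => {
    const full = new URL(src, page).href;
    return {
      url: full,
      threadFilter: THREAD_FILTER.test(full),
      pageAware: looksInjected(src, page),
    };
  });
}

for (const row of compare()) {
  console.log(row.url, "regex:", row.threadFilter, "page-aware:", row.pageAware);
}
```

Both checks flag the two injected URLs; only the posted regex flags the `photoalbums2011` script, because that directory name happens to be 15 characters long.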
gingerbreadmansavedmybrowser

Re: Aggressive ISP injected/embedded scripts/ads blockable

Post by gingerbreadmansavedmybrowser »

IT WORKS, GINGERBREADMAN <3 <3!!!

no more annoying starhub banners!