Aggressive ISP injected/embedded scripts/ads blockable

Posting here is no longer possible, please use the forum of a filter list project, such as EasyList

Aggressive ISP injected/embedded scripts/ads blockable

Postby timo » Tue Aug 09, 2011 8:54 pm

How would ABP be able to effectively block out scripts and ads that are embedded by the ISP directly into html from any website I visit?

There is no 3rd party domain. The html is modified/hijacked/embedded (not sure what one calls it) with new code. I will try to provide a example. Visit http://www.w3.org/XML/2009/xml-names-errata, red color source are injected by ISP, the underlined numbers after the domain is random every time page is reloaded.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><script src='http://www.w3.org/9t4644308c54a31/XML/2009/xml-names-erratap'></script><meta content="text/html; charset=utf-8" http-equiv="Content-Type"/><title>
Namespaces in XML 1.0 (Third Edition)
Errata
</title><style type="text/css">
body {
background: white;
color: black;
}
h3 {
background: #C8C8C8;
padding: 2ex;
text-align: center;
}
blockquote { font-family: Arial, Helvetica, sans-serif; }
.quote { font-family: Arial, Helvetica, sans-serif; }
span.editor { color: red; display: inline }
.diff-add { background-color: yellow; }
.diff-chg { background-color: lime; }
.diff-del { text-decoration: line-through; }
</style></head><body><script src='/8ua1082638cb741/XML/2009/xml-names-erratal'></script><p><a href="http://www.w3.org/"><img border="0" align="left" src="http://www.w3.org/Icons/w3c_home.gif" hspace="0" alt="W3C"/></a></p><br clear="all"/>
<h1 align="center">
Namespaces in XML 1.0 (Third Edition)
Errata, 3 August 2009</h1>
<h2>Known Errors</h2>
<p>None so far</p>
</body></html>


If we follow the script src, it loads some js:

if(self==top){(function(){var g=function(a){var d=document,h=d.getElementsByTagName("head")[0] || d.documentElement,j=d.createElement("script");j.type="text/javascript";j.src=a;h.insertBefore(j,h.firstChild);};g("http://www.w3.org/7b236c54c32f052/XML/2009/xml-names-erratap");})()}


And loading http://www.w3.org/7b236c54c32f052/XML/2009/xml-names-erratap give this monster:

Code: Select all
w9a="www.w3.org";w9b="/XML/2009/xml-names-errata";w9c="9f0548e1280538";w9d=0;if(typeof(top.wnpba)=='undefined') {top.wnpba=1;/* v3.3.9/20110720 */eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('k(1k(c)==\'P\')c=1i 5Y;k(!c)o c={};c.9e=\'cM.cN.4C.4n\';c.9={};c.9.8v=cJ;c.9.9t=7k;c.9.5P=1i ai;c.9.5P.S="2m://"+c.9e+"/ae/5K.cG";c.9.4N={};c.9.1J={};c.9.1v=1v;c.9.N=N;c.9.Y=1T;c.9.39=5Y.2s.aj;c.9.a4=A(5X){8z 5X};c.9.29=A(5X){o 9d=O;k(9d&&13.9c)13.9c.c1(5X)};c.9.1E=A(1p){C c.9.39.1U(1p)==="[3c

............snipped off due to size..........

{b.D($47)});2G.D("27","17").1x()})})()}})};c.6Z=A(2H){o 3R=15.3R;k(9.5g(2H)){9.11(2H,A(i,d){o u="2m://"+d+"/"+3R.2E("//")[1].2E("/")[1];9.44(u,O,R)})}G{o u="2m://"+2H+"/"+3R.2E("//")[1].2E("/")[1];9.44(u,O,R)}};o 9r=A(){o 3k=9.1l("3V")&&(w.J()==15.4I);k(3k){15.F=15.7C;15.J=15.4I}};k(9.1v==9.N){k(!8p())C;9r();9G();9.28(13,"3Q",A(){3D.aC()})}});',62,845,'|||||||||wapi|||w8be271434|||||this|||if||||var||el||||||||||function|options|return|css||height|else||els|width|length|name|value|top|false|undefined|left|true|src|target|property|attr|test|fn|doc|type||each||window|break|oMspace||hidden|style|position|key|loader|case|for|display|ads|nodeType|div|new|push|typeof|browser|popup|content|null|obj|callback|append|pos|id|banner|self|result|remove|speed|arguments|opacity|child|show|complete|isFunction|script|body|data|absolute|module|ret|shadow|idx|xmlhttp|logo|try|catch|none|node|document|call|100|overflow|len|close|auto|img|timer|ua|parseFloat||support|parent|visibility|bind|debug|flash|tick|ie|html|in|elem|set|index|get|status|tag|zIndex|http|container|Date|setCss|nodeName|className|prototype|apply|frame|hover|box|queue|animate|visible|win|wmode|px|iframe|split|callee|eToolBar|domain|run|Math|padding|inheritHandler|main|params|selector|variable|stop|bottom|aEl|extHeight|getElementsByTagName|wh|switch|util|aPro|defaultView|documentElement|unbind|nodes|listener|backgroundPosition|parentNode|toggle|replace|childNodes|str|getAttribute|param|object|reg|appendChild|bindScope|event|url|source|head|iphone|setTimeout|func|block|domReady|runner|bar|pre|scrollTop|deep|ready|scroll|isloaded|CSS1Compat|toUpperCase|offset|ie6|fixed|hid|oUtil|unBindHide|cssHook|duration|copy|while|easing|createElement|onpage|extend|lastestParams|adWidth|extParent|load|closeUrl|isFixed|eFirstDiv|currentStyle|mobile|bannerPos|method|class|find|w9d|resize|isremote|tl|include|frameLoaded|text|animatePadding||oldPadding|cache|border|10px|opaque|readyState|sIeNewObjHTML|parseInt|enabled|first|isResize|mouseout|tagName|xml|com|mouseover|redirect|flag|background|5px|curTime|right|toLowerCase|click|fixedNodes|init|RegExp|innerHTML|nodesHandler|wishfi|hover_timer|scope|isUrl|safari|999999|iphoneW|mPos|isrun|onclick|reqDomain|app|async|end|frames|sc|addEventListener|cssProps|isNaN|isPlainObject|filter|open|isSet|w9b||ownerDocument|adsureKey|isOffset|getComputedStyle||inline|isFrame|transparent|isReset|setAttribute|firstChild|togglelock|_cl|keys|create|isArray|regexp|onload|num|NaN|join|setInterval|range|char|distance|ceil|toArray|pt|em|refresh|drag|000000|lastTop|oNewDiv|createClass|onResize|merge|maxWidth|string|hasLoaded|loaderShadow|needLoader|DOMLoader|adUrl1|adUrl2|loading|resetBg|bindHandler|relative|aFn|loaderImage|ajax|margin|embed|bannerSeparateLine|success|appendTo|getAttributeNode|msg|Object|random|cloneNode|max|oNewEl|replaceNode||ActiveXObject|XMLHTTP|replaceChild|onreadystatechange|static|sendRemote|hasOwn|paramElement|counter|fns|on|logoParams|cssFloat|notXML|isReady|clParams|bannerParams|undoResize|time|normalize|client|add|doResize|moduleName|concat|getElementsByClassName|failed|opera|txt|aOldBgPosition|_module|isEmptyObject|createFn|prop|removeChild|_sendHttpReq|factory|bgParams|bindEvent|loaderScreen|isDragged|clientX|clientY|xhr|w9c|mousemove|responseText|loaderImg|mouseMove|regexes|types|fragment|constructor|scriptElements|delete|phone|_clBroadcast|all|scY|createExpandable|offsetY|addListener||domready|u00c0|descendant|mouseup|radius|mouseUp|isinit|2px|no|attachEvent|offsetX|old|alpha|zoom|1000|android|bindReady|getBoundingClientRect|ajaxCreate|clearTimeout|isset|float|unit|getWH|next|bindLoader|animatelock|aTop|cssText|clickUrl|setPosition|minWidth|iphoneH|containerid|bodyBg|htmlBg|loaded|oldBgPosition|logoUrl|exec|scrollHandler|start|embedElement|newClass|1311302586|objectElement|_cl1|728|backgroundImage|bgReg|area|mspace|insertBefore|214748364|newDiv|setWidth||hasTrans|oParamElement|adHeight|npba|GET|aNodes|itunes|XMLHttpRequest|form|_el|tID|api|w9a|tags|isOverflow|space|removeHover|w8bab8766d|bgUrl|getSelection|mouseRange|move|image|mousedown|isShow|x1|offsetParent|320|getSize|min|refreshTimer|y0|x0|y1|throw|span|toolbar|utf|500|reqPage|showInnerHTML|charset|setRequestHeader|200|300|important|getPos|3j077fe6ad1b50B45|setBg|insertToolBar|swap|substr|ciUrl|getTime|wlmt|previousSibling|javascript|createTextNode|bannerPosition|fieldset|table||site|to|uFFFF_|Top|continue|boolean|minHeight|SymbianOS||bindScroll|setAbs|console|debugMode|serverName|setFixed|msie|windows|ipad|firefox|chrome|w_|Array|last|frameBorder|nextSibling|480|chkSize|wnp|endLoadingTimer|special|props|isXML|setAbsolute|inlineBlock|chkReg|childProcess|tagProcess|getElementById|idProcess|descendantProcess|classProcess|useSimpleDiv|selectorHandler|default|querySelectorAll|isVisible|abs|hasAttr|title|CLOSE|DOMContentLoaded|tabIndex|frameElement|reSet|doScroll|player|href|useFixAdt|ls1|blur|20px|useDefaultAdt|webkit|10000|w17f3a22ad|erro|paddingBottom|loadbar|solid|Msxml2|16px|clearInterval|tabindex|101||common|Microsoft|createRequest|loadHandler|Image|toString|redir|send|destUrl|wmodeReg|unScroll|paddingTop|doScrollLoader|_showBar|_minimizeToolbar|allowScriptAccess|FFFFFF|high|application|restore|aParams|focus|widget|handler|flashHandler|always|moz|quality|chkAsolute|3px|mini|center|maxHeight|overflowX|Bottom|compatMode|BackCompat|104|105|640|106|lastChild|tbody|htmlFor|useMap|usemap|colSpan|colspan|frameborder|vspace|150|nodeValue|input|button|30000|rowSpan|readOnly|readonly|offsetWidth|align||maxlength|maxLength|rowspan||cellSpacing|cellspacing|write|js|ms|clBroadcast|was|SCRIPT|_|uFFFF|minimizeBar|closeBar|_blank|tr|readystatechange|iterations|color|slice|td|getAgentCookie|showBar|setAgentCookie|header|bodyHeight|backgroundAttachment|outerHTML|repeat|1px|clone|backgroundRepeat|103|hasEvent|count|createDocumentFragment|onerror|ul|userAgent|symbian|alt|line|wm|twitter|styleswitcher|initial|focusin|102|log|black|3j077fe6ad1b50|wfb6e28986|with|enableClose|expandable|removeAllRanges|180|logoImgSrc|logoScript|rows|specified|substring|inID|hasOwnProperty|encodeURIComponent|absoluteNodes|control|Function|urlencoded|www|outID|POST|selection|empty|verticalAlign|baseline|textDecoration|2147483647|indent|allowTransparency|allowtransparency|hspace|marginWidth|marginHeight|scrolling|movie|scrollHeight|topleft|logoPos|gif|shockwave|scrollLeft|1000000|delivery|1006px|panel|singapore|iphoneScreenW|WF_getToolbarHeight|search|change|select|mouseleave|mouseenter|dblclick|submit|keydown|171|error|keyup|keypress|unload|focusout|fontWeight|lineHeight|styleFloat|20101215|WF_getNamespace|navigator|v1|backgroundPositionY|backgroundPositionX|png|WF_VERSION|base|cancelBubble|Width|Height|Left|HTML|detachEvent|BODY|scrollTo|meta|isPrototypeOf|slow|fast|ig|activeElement|borderBottom|innerWidth|mainAd|dev|number|removeEventListener|inner|stopPropagation|borderTop'.split('|'),0,{}))
}


I can block the resulting images and ads but can't hide the 90px of blank space on top of page. Is there any way to block this piece of shit earlier rather than later?

Will appreciate if you guys can give it a shot.
timo
 
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby Gingerbread Man » Wed Aug 10, 2011 7:31 pm

I don't suppose getting a better ISP is an option?

The script appears to be first-party and to reference a path that is a random alphanumeric string of 16 characters. So you should be able to create a filter using regular expressions that will do the trick.
:arrow: adblockplus.org/en/filters#regexps

I've tested this and it should do what you want, but I'm providing it as-is, without any guarantees of any kind ;) Someone well-versed in regular expressions may provide you with a better filter.
Code: Select all
/\u002F[a-z0-9]{15}\u002F/$script,~third-party
Gingerbread Man
 

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby timo » Fri Aug 12, 2011 2:00 am

Thanks Gingerbread Man! Your little bit of regex magic killed it off very nicely. :D

Many long suffering Starhub ISP users from Singapore will love this!
timo
 
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby Gingerbread Man » Fri Aug 12, 2011 5:32 am

You're welcome :)

I suppose I should mention I used hex instead of forward slashes only because I found them more readable. The following is equivalent to the above:
Code: Select all
/\/[a-z0-9]{15}\//$script,~third-party


It would be nice if someone knew how to make it more specific. The odds of false positives are a little high for my linking. For example, this filter would also block

http://www.example.com/photoalbums2011/harmless_script.js
User avatar
Gingerbread Man
 
Posts: 1339
Joined: Fri Aug 12, 2011 5:28 am

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby timo » Fri Aug 12, 2011 3:11 pm

Yes tightening it up a bit would be nice.

I was actually looking high and low for some form of system variables or escape sequences that can be used in a filter to represent the domain and path parts. Something like:

If url = http://www.w3.org/XML/2009/xml-names-errata
%domain% = http://www.w3.org
%path% = /XML/2009/xml-names-errata

and possibly allow a filter like this: %domain%/*/%path%

Anyhow, your regex filter is working beautifully, seeing it blocked over 500 hits in 1 day of speeded up browsing is really great, thanks again.
timo
 
Posts: 3
Joined: Tue Aug 09, 2011 8:22 pm

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby Gingerbread Man » Fri Aug 12, 2011 4:38 pm

timo wrote:I was actually looking high and low for some form of system variables or escape sequences that can be used in a filter to represent the domain and path parts.

There aren't any as far as I can see.
timo wrote:%domain% = http://www.w3.org

I don't see what good this would do. The filter is already restricted to first-party scripts. As for matching against the script target, you have an example that begins with a slash rather than the domain name:
Code: Select all
<script src='/8ua1082638cb741/XML/2009/xml-names-erratal'></script>

timo wrote:Anyhow, your regex filter is working beautifully, seeing it blocked over 500 hits in 1 day of speeded up browsing is really great, thanks again.

You're quite welcome.
User avatar
Gingerbread Man
 
Posts: 1339
Joined: Fri Aug 12, 2011 5:28 am

Re: Aggressive ISP injected/embedded scripts/ads blockable

Postby gingerbreadmansavedmybrowser » Mon Jan 16, 2012 6:30 pm

IT WORKS, GINGERBREADMAN <3 <3!!!

no more annoying starhub banners!
gingerbreadmansavedmybrowser
 


Return to Filters for Adblock Plus

Who is online

Users browsing this forum: Google [Bot] and 4 guests

cron