Skip navigation.
Home

delchi's blog

A safer way to monitor Javascript in a web page

Recently Val asked me to look over a html file that contained encoded data that was decoded by javascript.

It sent me on a mission to find a way to redirect javascript output to a console rather than to a browser window.

As always, firefox is your friend. I found this snippet on borngeek.com, tested it , and it works like a charm. Once you make the required changes to firefox, just edit the hostile javascript replacing " document.write() " with " dump() " and the output is sent to a console window.

Logging to the Standard Console An alternative method of logging debug information is available through the standard console mechanism. Before this method can be used, several modifications to the browser must be made. First, we need to add a new browser preference. In the URL bar in Firefox, type about:config and press enter. Right click in the list control and select the New ยป Boolean menu item to create a new boolean preference. Give the preference a name of browser.dom.window.dump.enabled and set the value to true.

The next step is to add the "-console" command line parameter to your Firefox startup shortcut. Using this parameter will cause the standard output console window to appear each time you run Firefox. Once this has been done, and Firefox has been started, any output produced by the dump() function will appear in this console window. The dump() function works just like the standard JavaScript alert() function, so the syntax is similar.

Snort Rules for Detecting Dasher, sdbot, and bad netblocks

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (content:"rain357"; nocase; msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server";sid:66600001;rev:1)

alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (flags:S;msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home";sid:66600002;rev:1)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit";sid:66600003;rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit";content:"sdbot05b.jpg";nocase;sid:66600004;rev:1;)

Dasher Variant Traffic, Known WMF provider, and traffic to bad netblocks

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (content:"rain357"; nocase; msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server";sid:66600001;rev:1)

alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (flags:S;msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home";sid:66600002;rev:1)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit";sid:66600003;rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit";content:"sdbot05b.jpg";nocase;sid:66600004;rev:1;)

Syndicate content