Going through a bunch of JavaScript I do not trust and it has a ton of web address comments like citations but likely some bad stuff in there too. What could be swapped with the address to instead act as a local tripwire or trap?
Just a mild curiosity for scripting stuff.
You must log in or register to comment.
Do you have an example of what you have and what you want?
Assuming it is a quoted string for simplicity.
..."http://foo.bar/"...
$ sed -i 's/\/.*\"/injection/g'That is flawed in practicality, but gets the point across and will result in
http:injection. It would take more convoluted escapes to replace the ‘//’.I was thinking there has to be a way to use the address like a printf like situation. However someone tries to use an address, it just hits a local trip wire. Pass that to anything you don’t want to connect on the internet. It is super lazy and hacky, but I don’t really care. I use an external firewall device with DNS whitelist, so I block everything anyways. Flagging stuff just makes it easy to say something to others that might benefit.
I must be missing something here, because sed should be able to do it. Something like:
echo '"http://foo.bar/"' | sed 's|"http[^"]*|"http:injection|' "http:injection"Yeah, I could do it. The question is how to redirect a web address to do something useful locally. Like maybe setup an Apache server or something to capture and log any such attempts regardless of how the address is called.
If it’s a link to an external site, redirecting to local won’t really do anything useful. I still feel like I’m missing something. I’ll give it a last try.
If I start a local super basic webserver:
python3 -m http.server 8000 2>&1 | tee -a logfile.txtso that I’m running a server on localhost, port 8000 creating
logfile.txt, I can do something like this on the file:sed 's|"http://\([^/]*\)|"http://0.0.0.0:8000//1|'which should rewrite a url from:
http://foo.bar/testing/linkto
http://0.0.0.0:8000/foo.bar/testing/linkNow if you click on that link, it won’t do anything except give you an error, but:
$ cat logfile.txt 127.0.0.1 - - [27/Mar/2026 00:12:49] code 404, message File not found 127.0.0.1 - - [27/Mar/2026 00:12:49] "GET /foo.bar/testing/link HTTP/1.1" 404 -so you’d now have a log of all attempts which would be easy to clean up.
Awesome. Now how would you strace/ptrace the active process correlated with the return packet?
This is way past my pay grade in the territory of edge-of-abstract – understanding.
See one of my problems is that the malicious software is running across Python, JavaScript, and a ton of dubious packages scattered throughout the machine. It is all interconnected and using unconventional operations. Right now I am just removing a package one and a time and seeing what breaks. I will likely miss how things are interconnected. I am not at all familiar with this type of thing, and learning as I go. The system used unshare, manually created no-label packets with all records obfuscated, used a hidden daemon function in systemd, and no-account to operate outside of namespaces.
I’m not really understanding what it is you are concerned about.
If it’s that the Javascript might be malicious, then a browser should be able to sandbox it. IIRC — and you probably want to confirm this, if you’re actively concerned — the Firefox security model is that if you open a file locally, it has local access, but if you open it from a webserver, it doesn’t. Like, Javascript running in your browser downloaded from a web server shouldn’t have local filesystem access.
If you want to examine some code, but don’t want the code to phone home in some way, I’d remember that at least DNS is probably also a potential side channel. I’d maybe run the stuff in a VM without network access, if I were concerned about that.
I’m in the process of dismantling software I will never trust or update again and coming across all kinds of sketchy stuff. There is this Python program called Sentry_SDK that is very concerning. Along with several others. It appears to be packaged with most offline AI stuff and is some of the most authoritarian nonsense I have seen. I have air gapped the computer and do not have a package installed like prettier to maybe make the JavaScript readable, and it is enormous. There are many pages that are in the 10k lines plus range.
I already found a place in the back end that is trying to send packets with major obfuscation. The process is preloaded as listening, with every measure taken to prevent discovery of its origin. So that is fun too. I will likely reformat and start over after I have had my fun and saved what I wish to save.
