Going through a bunch of JavaScript I do not trust and it has a ton of web address comments like citations but likely some bad stuff in there too. What could be swapped with the address to instead act as a local tripwire or trap?

Just a mild curiosity for scripting stuff.

  • 𞋴𝛂𝛋𝛆@lemmy.worldOPEnglish
    2·
    4 天前

    Assuming it is a quoted string for simplicity.
    ..."http://foo.bar/"...
    $ sed -i 's/\/.*\"/injection/g'

    That is flawed in practicality, but gets the point across and will result in http:injection. It would take more convoluted escapes to replace the ‘//’.

    I was thinking there has to be a way to use the address like a printf like situation. However someone tries to use an address, it just hits a local trip wire. Pass that to anything you don’t want to connect on the internet. It is super lazy and hacky, but I don’t really care. I use an external firewall device with DNS whitelist, so I block everything anyways. Flagging stuff just makes it easy to say something to others that might benefit.

    • sin_free_for_00_days@sopuli.xyzEnglish
      2·
      3 天前

      I must be missing something here, because sed should be able to do it. Something like:

      echo '"http://foo.bar/"' | sed 's|"http[^"]*|"http:injection|'
"http:injection"
      • 𞋴𝛂𝛋𝛆@lemmy.worldOPEnglish
        1·
        3 天前

        Yeah, I could do it. The question is how to redirect a web address to do something useful locally. Like maybe setup an Apache server or something to capture and log any such attempts regardless of how the address is called.

        • sin_free_for_00_days@sopuli.xyzEnglish
          2·
          3 天前

          If it’s a link to an external site, redirecting to local won’t really do anything useful. I still feel like I’m missing something. I’ll give it a last try.

          If I start a local super basic webserver:

          python3 -m http.server 8000 2>&1 | tee -a logfile.txt

          so that I’m running a server on localhost, port 8000 creating logfile.txt, I can do something like this on the file:

          sed 's|"http://\([^/]*\)|"http://0.0.0.0:8000//1|'

          which should rewrite a url from:

          http://foo.bar/testing/link

          to

          http://0.0.0.0:8000/foo.bar/testing/link

          Now if you click on that link, it won’t do anything except give you an error, but:

          $ cat logfile.txt
127.0.0.1 - - [27/Mar/2026 00:12:49] code 404, message File not found
127.0.0.1 - - [27/Mar/2026 00:12:49] "GET /foo.bar/testing/link HTTP/1.1" 404 -

          so you’d now have a log of all attempts which would be easy to clean up.

          • 𞋴𝛂𝛋𝛆@lemmy.worldOPEnglish
            1·
            2 天前

            Awesome. Now how would you strace/ptrace the active process correlated with the return packet?

            This is way past my pay grade in the territory of edge-of-abstract – understanding.

            See one of my problems is that the malicious software is running across Python, JavaScript, and a ton of dubious packages scattered throughout the machine. It is all interconnected and using unconventional operations. Right now I am just removing a package one and a time and seeing what breaks. I will likely miss how things are interconnected. I am not at all familiar with this type of thing, and learning as I go. The system used unshare, manually created no-label packets with all records obfuscated, used a hidden daemon function in systemd, and no-account to operate outside of namespaces.