Why is Cloudfront loading scripts in my web app? (I don't use it)
Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/9197918/
Asked by Andrew Ensley
I manage a secured PHP/MySQL web app with extensive jQuery use. Today, a strange error popped up in our app's logs:
JS Error: Error loading script:
https://d15gt9gwxw5wu0.cloudfront.net/js/_MY_WEB_APP_DOMAIN_/r.js
We are not using Amazon's Cloudfront CDN in our app. When I go to the URL that failed to load, these are the only contents:
if(typeof _GPL.ri=='function'&&!_GPL.isIE6){_GPL.ri('_GPL_r')}_GPL.rl=true;
The user's user agent string is:
Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Please note: I am not the user who triggered this error. It was one of our thousands of users who triggered it. I do not have control over the client machine.
Does anyone know what's going on here? Is this some sort of XSS attack?
**Update**
It appears I'm not the only one who has discovered this anomaly on their website. I found this report of the same exact behavior, which seems to indicate the code is harmless, but still no answers as to where it came from.
In addition, I found this pastebin with similar code, that appears to be some sort of advertising script. Again, not terribly helpful.
**Update 2**
More context: The webapp uses several third party jQuery plugins but no third party analytics of any kind. All scripts are hosted on our own server, and an audit of all our code provides no matches for "cloudfront".
This app has been in production for about 4 years, and this is the first and only instance of any activity like this. It has not happened before or since, so I doubt I'll be able to reproduce it.
What I'm interested in is if this is some sort of attack. If it is, I want to know how to plug the hole it's trying to exploit if it's not plugged already.
Answered by Steffen Opel
Disclaimer: I'm not a security analyst/expert, your issue simply sparked my interest ;)
Warning: While I share the initial conclusion that the code itself is probably harmless, the underlying technology can most certainly be (ab)used for malicious intents as well, so please take care when investigating this yourself.
Analysis
You already found the relevant evidence yourself - searching further I found another pastebin drop, which is more readable, so I'm using this for the explanation (though at first sight the other one would allow this as well after formatting).
The snippet features JavaScript fragments with the following major functionality:
Line 13 initializes the variable _GPL with all sorts of items for later use, e.g. various constants, helper functions, browser compatibility stuff and actual payloads, for example:
  - Line 20 defines an empty basdeCDN, line 21 defines a fCDN, which happens to be the one in question (d15gt9gwxw5wu0.cloudfront.net)
  - line 261 defines a function removeScripts(), which in turn uses findScript() from line 266, further accompanied by insertJS() on line 277 - their respective intent is obvious
  - line 270 defines function loadDomainRules(), which seems to be the one generating the URL you have found in your logs - see appendix below for the code snippet
    - Deduction: Even without further evidence gathered below, the naming and functionality strongly hints on r.js being a JavaScript file serving custom JavaScript specifically assembled/generated for the domain at hand
  - line 100 defines a function loadGeo(), which references some kind of an ad server indeed (ads2srv.com) - see appendix below for the code snippet
  - line 368 finally defines a function i(), which provides the most definite clues regarding the likely origin of all this, namely the notion of some Yontoo Client and Yontoo API - see appendix below for the code snippet
Corollary
What's it all about?
The extracted clues Yontoo Client and Yontoo API easily lead to Yontoo, an Application Platform that allows you to control the websites you visit everyday, i.e. it sounds like a commercialized version of Userscripts.org, see What is a Yontoo App?:
Yontoo is a browser add-on that customizes and enhances the underlying website
Where Can I Use It?
Yontoo works on any site on the Web, although the functionality comes from separate applications called Yontoo Apps which provide specific functionalities depending on what site you are on.
[emphasis mine]
Now, looking at the current listings in their App Market easily demonstrates why this might be used for questionable nontransparent advertising as well, for example, all the trust signs and seals in their footer notwithstanding.
How did it end up in your logs?
Another quote provides more insight into the functionality and how it might have yielded the issue you've encountered:
Yontoo [...] is a browser add-on that creates virtual layers that can be edited to create the appearance of having made changes to the underlying website. [...] If you see a need for an application or tool over a website, then you are free to create!
So somebody apparently has visited your site and created some custom domain rules for it by means of the Yontoo client (if it actually allows this for end users) or one of the available apps (the snippet used for analysis references the Drop Down Deals app in line 379 for example), which triggered the creation of d15gt9gwxw5wu0.cloudfront.net/js/_MY_WEB_APP_DOMAIN_/r.js to store these rules for reuse on next site visit in turn.
Due to some security flaw somewhere (see conclusion below) this URL or a respective JavaScript snippet must have been injected into JavaScript code of your application (e.g. by means of Cross-site scripting (XSS) indeed), and triggered the log entry error at some point in turn.
Conclusion
As mentioned upfront already, I share the initial conclusion that the code itself is probably harmless, although the underlying technology can most certainly be (ab)used for malicious intents as well due to its very nature of mocking with client side JavaScript, i.e. a user allows code from a 3rd party service to interact with sites (and especially data) he uses and trusts every day - your case is the apparent evidence for something gone wrong already in this regard.
I haven't investigated the security architecture (if any) of Yontoo, but wasn't able to find any information regarding this important topic immediately on their website either (e.g. in their Support section), which is pretty much unacceptable for a technology like this IMHO, all the trust signs and seals in their footer notwithstanding.
On the other hand, users do install 3rd party scripts from e.g. Userscripts.org all the time of course, not the least for fine tuning the user experience on Stack Exchange as well ;)
Please make your own judgment accordingly!
Appendix
Below you can find the code snippets referenced in the analysis (I've been unable to inline them within the lists without breaking the layout or syntax highlighting):
loadDomainRules()
function () {
    if (location.host != "") {
        // Strip a leading "www." from the visited host and request that domain's rules file from the CDN
        var a = location.host.replace(RegExp(/^www\./i), "");
        this.insertJS(this.proto + this.fCDN + "/js/" + a + "/r.js")
    }
    this.loaded_domain_rules = true
}
loadGeo()
function () {
    // Cached geo data is refreshed once it is older than 259200 seconds (3 days)
    var cid = this.items.e6a00.get("geo.cid");
    var updatetime = this.items.e6a00.get("geo.updatetime");
    if (!cid || (cid && updatetime && (Math.floor((new Date()).getTime() / 1000) - parseInt(updatetime)) >= 259200)) {
        // No fresh data: fetch it from the ad server via a JSONP callback
        this.insertJS(((this.proto == 'https://') ? 'https://s.' : 'http://') + 'ads2srv.com/tb/gc.php?json&cb=_GPL.setGeoAndGo')
    } else {
        this.vars.cid = this.items.e6a00.get("geo.cid");
        this.vars.rid = this.items.e6a00.get("geo.rid");
        this.vars.ccid = this.items.e6a00.get("geo.ccid");
        this.vars.ip = this.items.e6a00.get("geo.ip");
        this.loadCC();
        this.loadDomainRules()
    }
}
i()
function () {
    // Neutralise other toolbar/ad-injection objects if they are already present on the page
    if (typeof YontooClient != 'undefined') YontooClient = {};
    if (typeof yontooAPI != 'undefined') yontooAPI = {};
    if (typeof DealPlyConfig != 'undefined') {
        DealPlyConfig.getBaseUrl = function () {
            return "https://d3lvr7yuk4uaui.cloudfront.net/items/blank.js?"
        };
        DealPlyConfig.getCrownUrl = function () {
            return "https://d3lvr7yuk4uaui.cloudfront.net/items/blank.js?"
        }
    }
    // Remove competing injected elements (presumably by id, class, id/class pair and tag name respectively)
    this.rm(this.ri, ['dropdowndeals', 'Y2LeftFixedCurtain', 'gbdho', 'bdca', 'dealply-toast-1', 'pricegong_offers_iframe', 'SF_VISUAL_SEARCH', 'batAdRight', 'batAdBottom', 'batAdMiddle_0', 'batAdMiddleExt1_0', 'batAdRight2', 'invisiblehand-iframe', 'scTopOfPageRefinementLinks', 'sf_coupon_obj']);
    this.rm(this.rc, ['yontoolayerwidget', 'dealply-toast', 'imb-ad']);
    this.rm(this.ric, [
        ['productbox', 'g'],
        ['related-searches', 'related-searches-bing']
    ]);
    this.rm(this.rtn, ['MIVA_AdLink', 'itxtrst', 'kLink', 'FAAdLink', 'IL_AD', 'skimwords-link'])
}
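One way to turn the analysis above into a check on your own error logs, as an added example that is not part of the question or the answer: it parses "Error loading script" entries, separates first-party script hosts from everything else, and flags URLs with the exact shape loadDomainRules() builds (/js/<visited host minus "www.">/r.js on a CDN host). The application host names and the sample log are constructed assumptions.

```javascript
// Added example, not code from the question or the answers.
// Classifies client-side "Error loading script" log lines against an allow-list of
// first-party script hosts and flags the URL shape produced by the quoted
// loadDomainRules() routine: <CDN host>/js/<visited host without leading "www.">/r.js
// Host names are constructed placeholders (assumption).
const FIRST_PARTY_HOSTS = new Set(["www.example-app.test", "static.example-app.test"]);

const SCRIPT_ERROR = /JS Error: Error loading script:\s*(\S+)/;

// Returns null for lines that are not script-load errors.
function triageScriptError(line, appHost, allowedHosts) {
  const m = SCRIPT_ERROR.exec(line);
  if (!m) return null;
  let url;
  try {
    url = new URL(m[1]);
  } catch (_) {
    return { src: m[1], verdict: "unparseable" };
  }
  if (allowedHosts.has(url.hostname)) return { src: url.href, verdict: "first-party" };
  // Same normalisation the quoted loader applies to location.host: drop a leading "www."
  const bareHost = appHost.replace(/^www\./i, "");
  const domainRulesPath = "/js/" + bareHost + "/r.js";
  return {
    src: url.href,
    host: url.hostname,
    verdict: url.pathname === domainRulesPath ? "third-party:domain-rules-loader" : "third-party:unknown",
  };
}

// Summarise a batch of log lines: counts per verdict plus the unexpected hosts seen.
function summariseLog(lines, appHost, allowedHosts) {
  const counts = {};
  const thirdPartyHosts = new Set();
  for (const line of lines) {
    const r = triageScriptError(line, appHost, allowedHosts);
    if (!r) continue;
    counts[r.verdict] = (counts[r.verdict] || 0) + 1;
    if (r.host) thirdPartyHosts.add(r.host);
  }
  return { counts, thirdPartyHosts: [...thirdPartyHosts].sort() };
}

// Constructed sample log; the cloudfront host is the one quoted in the question.
const SAMPLE_LOG = [
  "JS Error: Error loading script: https://d15gt9gwxw5wu0.cloudfront.net/js/example-app.test/r.js",
  "JS Error: Error loading script: https://static.example-app.test/js/jquery.min.js",
  "JS Error: Error loading script: https://cdn.example-ads.test/tb/gc.php?json",
  "PHP Warning: unrelated entry",
];

console.log(JSON.stringify(summariseLog(SAMPLE_LOG, "www.example-app.test", FIRST_PARTY_HOSTS)));
```

A hit on "third-party:domain-rules-loader" from a host you never deployed points at client-side injection (a browser add-on or XSS) rather than at your own code, which is the distinction the question asks about.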
Answered by Bjorn
I found an iFrame as well in my Drupal 7 website. It was loaded into the site by enabling the module of Shareaholic.