He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.
Are you saying you actually put up a link to that scammers website? 
Topic: narayan - attempted code injection - page 2. (Read 6593 times)
To protect against this, I think it's certainly worth putting ads in iframes on a different origin - e.g. bitcointalkusercontent.org
Will
Will
LOL, thanks!
I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.
On this topic, I remember a while back there was an image loading exploit that IE had a few years back, but it was wholly unreliable as an exploit till someone figured out they could use CSS to heap-spray just prior to the image load, thus making it work every time. I forget all the details, but yeah, CSS (or at least the way IE handles it) is far from perfectly safe.
That said, they really only should be able to load things under the user's credentials, but on a Windows box that's typically "good enough" to do some damage.
I wonder what he would have put there...
mad skiddys 
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon 
Somebody sounds mad.
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon
Whoa, they always return with this same "you busted me, now I will ddos you!!!". Do some legit stuff.. Pays better
I'd suggest that you also implement some protections just in case something clever get past your eyes.
beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you.
I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.
beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you.
I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon
Jesus, that guy plays a lot of dice.ETA @ deleted post: lol, yeah - I bet you just RELAYED them.
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon
He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.
They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.)
HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way.
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are...
They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.)
HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way.
Off to my next account
just out of curiosity, do you break even as a semi-professional scammer with little to no success?
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; specially considering how tempting of a target users of the forum are...
Quite embarrassing.
Good catch.
Good catch.
Off to my next account
Here's an ad that was sent to me:
Sent to the address!
Here is my CSS code:
Here is my CSS code:
Code:
.minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;font-size:14px;border:1px solid #000;display:inline-block;background: #a3d802; background: -moz-linear-gradient(top, #a3d802 0%, #11a301 3%, #8ac916 6%, #f0b7a1 34%, #8c3310 50%, #752201 93%, #bf6e4e 98%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#a3d802), color-stop(3%,#11a301), color-stop(6%,#8ac916), color-stop(34%,#f0b7a1), color-stop(50%,#8c3310), color-stop(93%,#752201), color-stop(98%,#bf6e4e)); background: -webkit-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: -o-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);background: -ms-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: linear-gradient(to bottom, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );}
.minefieldshader {font-size: 155%;color: #FFFFFF;text-shadow: 0px 0px 8px rgba(0, 0, 0, 1);background: #b4e391; background: -moz-linear-gradient(45deg, #b4e391 0%, #149b51 22%, #75e01d 27%, #369b14 62%, #5cdb1c 69%, #5cdb1c 86%, #b4e391 100%); background: -webkit-gradient(linear, left bottom, right top, color-stop(0%,#b4e391), color-stop(22%,#149b51), color-stop(27%,#75e01d), color-stop(62%,#369b14), color-stop(69%,#5cdb1c), color-stop(86%,#5cdb1c), color-stop(100%,#b4e391));background: -webkit-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%); background: -o-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);}
.minefieldshader {font-size: 155%;color: #FFFFFF;text-shadow: 0px 0px 8px rgba(0, 0, 0, 1);background: #b4e391; background: -moz-linear-gradient(45deg, #b4e391 0%, #149b51 22%, #75e01d 27%, #369b14 62%, #5cdb1c 69%, #5cdb1c 86%, #b4e391 100%); background: -webkit-gradient(linear, left bottom, right top, color-stop(0%,#b4e391), color-stop(22%,#149b51), color-stop(27%,#75e01d), color-stop(62%,#369b14), color-stop(69%,#5cdb1c), color-stop(86%,#5cdb1c), color-stop(100%,#b4e391));background: -webkit-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%); background: -o-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);}