h2g2 The Hitchhiker's Guide to the Galaxy: Earth Edition

Wading through some of the weirder entries in the Guide to check that Pliny can display them all, I came across this:

Entry A7157531

What's really weird is its behaviour in Pliny. I haven't figured out how it works yet, or even exactly what's in the entry, as it seems to be designed to confuse whatever system you use to look at it.

If you're not in Pliny, this might work:

http://h2g2.com/entry/A7157531

That IS weird.

Never seen anything like it before

I thought it might be a virus or something...

Yeah, scripting like that always makes me leery.

Nuke that page from orbit, I say.

Hmmm... can't really make head or tail of it. Put it through the testAnumber thingie, and it gave me this, which meant nothing to me:

OK, wait, it's even odder than I thought, let me get a print screen, brb

Print screen:

http://a-picture-per-day.blogspot.se/2013/07/httph2g2.html

Normally, you'd only get a bunch of GuideML code, but this one has a window at the bottom, referring to 'Line 270, line position 42'

My guess, is someone snipped a bit of random code from some other web page hoping it might display something.

Either that, or someone's cat was "coding" while they were away from their keyboard.

I still say nuke it from orbit.

I like the cat-coding idea. Willem's just been complaining that his cat's signing him up for things using the touchscreen, and one of our cats turned my screen upside down one day...

Cats make really good hackers.

Someone was testing to see how good the system is at preventing XSS (Cross-Site Scripting) attacks. They found it wasn't good enough: the system is too trusting, and assumes that the data is clean. This example is benign: it's just a test; however, the same idea could be used to do nasty things like steal cookies (and hence log-in data) of everyone who views the page.

You could consider that to be a nasty hole in the system. In fact, it's not that nasty, as code like that could no longer be put into the system in the first place, so we only need to worry about code that's already there.

TRiG.

The Test function shows the code that exists. If that code has syntax errors*, the Test function also shows a bunch of error messages. That's what you're seeing there. (In Brunel, it shows the error messages in black text on a black background, so you just get a lot of empty space.)

TRiG.

* NOTE: Only old entries can have syntax errors. The system does not allow the creation of new entries with syntax errors**.

** Actually, plain-text entries are still stored internally as XML, and they can contain syntax errors. This doesn't matter, as they are interpreted as plain text, not as GuideML, so the errors are irrelevant. However, the syntax errors still produce error messages when you use the Test function.

Thanks, TRiG. I thought it was something like that. Although I still don't understand how it works. If I did, I could watch out for other examples of it.

If the angle brackets in the title are required, then I'll certainly spot it.

Well, you really need to look out for SCRIPT tags. (There are some complicated ways of disguising them, mind you, but I don't know that any of these would work with GuideML.)

XSS is basically exploited by putting javascript somewhere where the manager of a website doesn't expect it. That'll usually be in a SCRIPT tag, but it might also be in an attribute on another tag (ONCLICK, ONMOUSOVER, ONKEYUP, etc. (basically, ON*)).

This probably won't show in Pliny, because it assumes anything in angle brackets is a smiley, and if it can't find a smiley of that name it shows nothing, but here's an example:



TRiG.

(And no, that need not necessarily be in the title.)

Hmm. There are 1362 entries in the Guide with "Script" in them. That would be a lot of searching. Could be done, though.

In goo you just see the coding



">alert('xss')&

As if someone forgot to set the entry to "guideml"

It's also interesting that clicking on the author of the entry leads to nowhere.

Yes, no clue when the Researcher signed up. Gnomon has a way of finding that though.