Courtesy of fravia's searchlores.org
June 1999, part of the remove banners section of the anti-advertisement lab.
About Banners
By TeRR0RNauT
Most banners are quite basic in design. The usual method is to either
require a user to have some java-script in his/her page or automatically
add it when index.html is downloaded.
I'll start this essay with a standard banner example, Xoom.
Xoom has an irritating Banner bar which is automatically added
to each page. To counter this banner it is important to understand
how it works. What xoom does is add a frame ontop of your own page.
This can be fixed in a quite easy way with a little java-script.
<script language="java-script">
if (top != self )
{
top.location.href = "http://..."
}
</script>
This script first checks if it's loaded as the topmost document.
which it isn't because of the xoom banner. Then it puts another
page in the top frame. My first thought was to just reload the
index.html, but that won't work because xoom will just put
another banner ontop of that which will cause an infinite loop.
So the best solution is to put this code in your index.html
<script language="java-script">
top.location.href = "http://..."
</script>
There is no top check because we already know that we aren't on top.
The only thing that needs to be done is put another page ( not index.html )
on top.
I know that this first part is quite easy and has been done a
million times before that's why I'll continue with a far more
interesting target & solution.
Redirectors are quite handy, because they hide your true url and
because they allow you to move your page around without the visitors
ever noticing. I first had a redirector at txe.org but they have been down
for ages now so I started looking for another one. Which I found
at tsx.org. They provide a free service. But if you want them to
hide your url ,( i.e. put a frame with "blabla.tsx.org" as location
ontop of your page ), they'll show a popup-banner.
I started by looking at the java-script code for the banner.
<script language="java-script">
<!--
var useHeight = 105;
if (document.screen) { useHeight = screen.availHeight }
var bannerX = 5; var bannerY = useHeight - 100;
window.open('/frame/index.cfm','tsxwindowXXX', <------- 999 posibilities
'resizeable=no,scrollbars=no,width=600,height=47,innerWidth=600,innerHeight=47,
titlebar=no,screenX='+bannerX+',screenY='+bannerY+',left='+bannerX+',top='+bannerY);
function stopError() { return true; }
window.onfiltered= stopError;
//-->
</script>
With java-script it's possible to close popup-banners but there's a catch.
To close a window you'll first have to define/open it with it's name as a reference.
This is no problem if the window allready exists but if it doesn't then a new window
will be openend.
<script language="java-script">
<!--
popup = window.open(popupURL,popupname);
popup.close()
//-->
</script>
So if the window name is randomized then you'll have to open a
lot of windows, which makes this method quite unfeasable.
Then I had a thought and looked at their update page.
At this update page you can configure various settings of the
redirector. Two settings are interesting, the keywords and Description tags.
Which translate into the following in the final redirect frame.
<META NAME="Keywords" Confiltered="">
<META NAME="Description" Confiltered="">
The idea is to put html-code into these fields which will
disable the banner. But if you disable the code after these
tags then you'll have no frames as well so you'll have to put your
frames code into this tag. The result should look somewhat like this :
<META NAME="Description" Confiltered=""></head><frameset rows="100%,*" border="0" frameborder="0" framespacing="0" framecolor="#000000"><frame src=""></frameset><body></body></html><"> <--- End of Content Tag
The content tag ^^ ^^ ^^ ^^ ^^ ^
||Close head Start Frames End Frames || End with open bracket
|| End HTML
||
Close content tag
The two most important things are the close content trick and
the final open bracket. Because the final open bracket the rest of
the page will be seen as between brackets, and therefore will not be
displayed or executed.
When you try to set the content tags to this string you'll notice
a problem. You can only enter 30 chars. Which is too little for a nice frameset.
But I noticed that this 30 char max was defined in the html form.
Forms are a way of entring information into a html page which can then
be sent to some cgi on a server. Because the max was defined in the form
it should be changeable. So I made a local copy and set the max to 255.
The only problem with a local copy is that the result will be sent to yourseld
so you'll have to edit the <base> tag , and maybe change a few relative
URL's.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>TSX: Host Update</TITLE>
<--- insert this here
<BASE href="http://www.tsx.org/">
</HEAD>
<BODY BGCOLOR="#333333" TEXT="#FFFFFF" LINK="#3399FF" VLINK="#3366FF">
<P ALIGN="CENTER"><CENTER>
<TABLE CELLPADDING=8 CELLSPACING=8 BORDER=0>
<TR><TD WIDTH=164 ALIGN="CENTER" VALIGN="TOP">
<A HREF="/home.html">
<IMG SRC="logo.gif" WIDTH=164 HEIGHT=198 BORDER=0 ALT="TSX The Technosite Exchange"></A>
</TD><TD ALIGN="LEFT" VALIGN="TOP">
<FORM METHOD="POST" ACTION="update.cfm?Code=Process">
<--- change to
<FORM METHOD="POST" ACTION="http://www.tsx.org/update.cfm?Code=Process">
<INPUT TYPE="hidden" NAME="HostName" VALUE="terr0rnaut">
<INPUT TYPE="hidden" NAME="URL_required" VALUE="Please enter the URL">
<INPUT TYPE="hidden" NAME="Password_required" VALUE="Please enter your Password">
<INPUT TYPE="hidden" NAME="Owner_required" VALUE="Please enter the Owner's Name">
<INPUT TYPE="hidden" NAME="Email_required" VALUE="Please enter email address">
<H1>Host Update </H1>
<TABLE>
<TR><TD BGCOLOR="#666666"><B>HostName</B></TD>
<TD></TD></TR>
<TR><TD BGCOLOR="#666666"><B>URL</B></TD>
<TD><INPUT TYPE="text" NAME="URL" VALUE="" SIZE=30 MAXLENGTH=150></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Owner</B></TD>
<TD><INPUT TYPE="text" NAME="Owner" VALUE="" SIZE=30 MAXLENGTH=50></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Email</B></TD>
<TD><INPUT TYPE="text" NAME="Email" VALUE="" SIZE=30 MAXLENGTH=50></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Password</B></TD>
<TD><INPUT TYPE="text" NAME="Password" SIZE=20 VALUE="" MAXLENGTH=50></TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>SiteHide™</B></TD>
<TD><INPUT TYPE="radio" NAME="Popup" VALUE="1" Checked > On<BR>
<INPUT TYPE="radio" NAME="Popup" VALUE="0" > Off</TD></TR>
<TR><TD BGCOLOR="#666666" VALIGN="TOP"><B>Adult</B></TD>
<TD><INPUT TYPE="radio" NAME="Adult" VALUE="1" > Yes<BR>
<INPUT TYPE="radio" NAME="Adult" VALUE="0" Checked > No</TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Title</B></TD>
<TD><INPUT TYPE="text" NAME="Title" MAXLENGTH=50 SIZE=30 VALUE=""></TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Keywords</B></TD>
<TD><INPUT TYPE="text" NAME="Keywords" MAXLENGTH=50 SIZE=30 VALUE=""></TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Description</B></TD>
<TD><INPUT TYPE="text" NAME="Description" MAXLENGTH=255 SIZE=30 VALUE=""></TD></TR>
<--- change to
<TD><INPUT TYPE="text" NAME="Description" MAXLENGTH=255 SIZE=255 VALUE=""></TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#666699"><B>StartPage</B></TD>
<TD>
<INPUT TYPE="text" NAME="HomePage" VALUE="" SIZE=30 MAXLENGTH=150>
</TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#666666"> </TD>
<TD><INPUT TYPE="submit" VALUE="Update"></TD></TR>
</TABLE>
</FORM>
</TD></TR>
</TABLE>
</CENTER></P>
</BODY>
</HTML>
I loaded this page into my browser, changed the Description field
and pressed the update button ..It worked .
This is possible because TSX doesn't filter html chars from the content fields
and because they don't validate the length of the content fields.
I hope you have learned something, I certainly had a lot of
fun reversing TSX's banner code. And remember that this is not illegal.
I merely prefer rather wierd content fields, and their banner code isn't removed.
The browser just doesn't execute it anymore.
GreetZ TeRR0RNauT.
(c) 2000: [fravia+], all rights reserved