Going through a bunch of JavaScript I do not trust and it has a ton of web address comments like citations but likely some bad stuff in there too. What could be swapped with the address to instead act as a local tripwire or trap?
Just a mild curiosity for scripting stuff.
You must log in or register to comment.
Do you have an example of what you have and what you want?
Assuming it is a quoted string for simplicity.
..."http://foo.bar/"...
$ sed -i 's/\/.*\"/injection/g'That is flawed in practicality, but gets the point across and will result in
http:injection. It would take more convoluted escapes to replace the ‘//’.I was thinking there has to be a way to use the address like a printf like situation. However someone tries to use an address, it just hits a local trip wire. Pass that to anything you don’t want to connect on the internet. It is super lazy and hacky, but I don’t really care. I use an external firewall device with DNS whitelist, so I block everything anyways. Flagging stuff just makes it easy to say something to others that might benefit.
I must be missing something here, because sed should be able to do it. Something like:
echo '"http://foo.bar/"' | sed 's|"http[^"]*|"http:injection|' "http:injection"Yeah, I could do it. The question is how to redirect a web address to do something useful locally. Like maybe setup an Apache server or something to capture and log any such attempts regardless of how the address is called.
If it’s a link to an external site, redirecting to local won’t really do anything useful. I still feel like I’m missing something. I’ll give it a last try.
If I start a local super basic webserver:
python3 -m http.server 8000 2>&1 | tee -a logfile.txtso that I’m running a server on localhost, port 8000 creating
logfile.txt, I can do something like this on the file:sed 's|"http://\([^/]*\)|"http://0.0.0.0:8000//1|'which should rewrite a url from:
http://foo.bar/testing/linkto
http://0.0.0.0:8000/foo.bar/testing/linkNow if you click on that link, it won’t do anything except give you an error, but:
$ cat logfile.txt 127.0.0.1 - - [27/Mar/2026 00:12:49] code 404, message File not found 127.0.0.1 - - [27/Mar/2026 00:12:49] "GET /foo.bar/testing/link HTTP/1.1" 404 -so you’d now have a log of all attempts which would be easy to clean up.
I’m not really understanding what it is you are concerned about.
If it’s that the Javascript might be malicious, then a browser should be able to sandbox it. IIRC — and you probably want to confirm this, if you’re actively concerned — the Firefox security model is that if you open a file locally, it has local access, but if you open it from a webserver, it doesn’t. Like, Javascript running in your browser downloaded from a web server shouldn’t have local filesystem access.
If you want to examine some code, but don’t want the code to phone home in some way, I’d remember that at least DNS is probably also a potential side channel. I’d maybe run the stuff in a VM without network access, if I were concerned about that.
