Circumvent Adblock using obfuscation, redirect and scripting

guestposter · Post by **guestposter** » Sat Feb 14, 2009 12:39 pm

I saw an ad enforcing technique on http://noscript.net that breaks adblock.
Even though I have filter "http://ads." URL that redirect to "http://ads.doclix.com/" are fetched. Is there a way to avoid this?

Here's an example of what happens on noscript.no and produces a Google ad in left side iframe:

REQUEST
http://noscript.net/MFFUQx5U;X1NcWUge;U ... E;Hl5VRB8=;
RESPONSE
Location: http://ads.doclix.com/adserver/serve/js ... cript.net/

REQUEST
http://ads.doclix.com/adserver/serve/js ... cript.net/
RESPONSE
Set-Cookie: JSESSIONID=0AB653B9049BBAC14C7341C897700EC7; Path=/

REQUEST
http://noscript.net/D25rfCFr;YGxjZnch;b ... gf3p/;IWV8;
RESPONSE
Location: http://ads.doclix.com/adserver/serve/js/ad_popup.js

REQUEST
http://pagead2.googlesyndication.com/pa ... script.net
RESPONSE
The ads Google

guestposter · Post by **guestposter** » Sat Feb 14, 2009 12:42 pm

As you see the main problem seems to be that response header "Location" is not intercepted and checked for blocking.

Adblock Plus Fan · Post by **Adblock Plus Fan** » Sat Feb 14, 2009 1:06 pm

guestposter wrote:Is there a way to avoid this?

For now there isn't. But it's a known issue as far as I know, maybe it'll be fixed some day...

Until then you can do something like this:

Code: Select all

|http://noscript.net/$script

and it should whack them all.

MonztA · Post by **MonztA** » Sat Feb 14, 2009 1:47 pm

Add

Code: Select all

noscript.net/k.js

or

Code: Select all

noscript.net/*;

but the first filter is better.

guestposter · Post by **guestposter** » Sat Feb 14, 2009 2:01 pm

I was not talking about this specific ad and how to get rid of it. I was using only using noscript.net to illustrate a specific technique that seems to be able to break Adblock in a very effective way.

The solution seems very simple: Also filter response header "Location:". I hope it is technically possible to do so with Adblock. Otherwise I think the effectiveness of Adblock may deteriorate over time as more sites discover this technique and start employing it.

Adblock Plus Fan · Post by **Adblock Plus Fan** » Sat Feb 14, 2009 2:20 pm

guestposter wrote:I hope it is technically possible to do so with Adblock.

It's a Firefox bug, but like I said Wladimir is already aware of it.

If widespread abuse is what it takes for the bug to gain priority then so be it. But in the end those kind of ads can still be blocked, and there are other features and fixes that also need attention...

guestposter · Post by **guestposter** » Sat Feb 14, 2009 3:18 pm

Ok. Thank you.

Is this the bug you refer to?

"HTTP redirects can bypass content policies"
https://bugzilla.mozilla.org/show_bug.cgi?id=431782

Wladimir Palant · Post by **Wladimir Palant** » Mon Feb 16, 2009 7:43 am

Yes, that's the one.

asdf · Post by **asdf** » Wed Feb 18, 2009 1:18 pm

Yuck. This bug does worry me. I really hope Firefox has it fixed soon.

It's actually interested me for a while. If you use the extension "requestpolicy," you have to allow requests from youtube.com to googlevideo.com to watch any youtube videos, yet filtering *googlevideo* in ABP does nothing.

If you use the "blocksite" extension, you can blacklist *googlevideo* in blacklist mode, or not include it in whitelist mode, and it has the same effect again. But stll, ABP can't block this bypass.

'Tis a shame. This bug has freakin' layers.

Even more interesting, there are some youtube videos that invoke a further request from googlevideo.com to 74.125.x.x. That's only one example. If you want to watch comedy central videos while using requestpolicy, you'll find even more concatenated requests. The power of a site to force you to watch ads, or as an exploit venue, is scary.

Circumvent Adblock using obfuscation, redirect and scripting

Circumvent Adblock using obfuscation, redirect and scripting

Re: Circumvent Adblock using obfuscation, redirect and scrip