Wednesday, November 24, 2021

Efficient removal of Unicode hidden characters that backdoors your Javascript code

From the great post The Invisible JavaScript Backdoor – Certitude Blog and Invisible characters could be hiding backdoors in your JavaScript code  - bleepingcomputer.com invisible characters one could also introduce backdoors using Unicode characters that look very similar “Invisible Character Attacks” and “Homoglyph Attacks“. This technique has been around awhile using the have Unicode bidirectional mechanism (Bidi). As the article states, that messing with Unicode to hide vulnerable or malicious code is not a new idea (also using invisible characters) and Unicode inherently opens up additional possibilities to obfuscate code. We believe that these tricks are quite neat though, which is why we wanted to share them. In our experience non-ASCII characters are pretty rare in code. It might therefore be a good idea to disallow any non-ASCII characters. As article states, we mostly see non-ASCII characters being substituted with normalized ASCII characters (e.g. ä → ae, ß → ss) or removal them completely. But how ? 

Some self promotion, some hard times my friends.

My Clipboard PlainText Powertool provides easy text transformations for these substitutions for code de-obfuscation for Javascript (or any languages) to reveal  “Invisible Character Attacks” and “Homoglyph Attacks“. 

Here some transformations you can perform in 1-click; 

  1. Paste ANSI text (ISO-8859-1, Western languages), moins les caractères de contrôle && non imprimable
  2. Paste Unicode universal text (all languages), replacing all non-printable characters with ♦
  3. Paste Unicode universal text (all languages), striping all non-printable characters (most general)
  4. Paste plain ASCII text with normalized substitutions. eg. Æ ⇒ AE, ß⇒ss, è⇒e
  5. Paste plain ASCII text, striping bad control characters && formatting (most restrictive)
  6. Paste plain text ASCII,  extended range (Latin-1 Supplement) translated. eg. Ã⇒A(tilde)


Get  Clipboard PlainText Powertool  comes with 200+ clip transformations and 20 individual PowerTools features Notepad2 (everything you wanted in Notepad).
Posted by metadataconsulting (profile) at 7:00 AM 0 comments

Tuesday, October 26, 2021

2021 Pro Tip : Convert OneDrive Share Link to Download Link

Here's how to convert OneDrive Share Link to a instant download link. This follows from my original post in 2014 when I first discovered this trick.


  1. Click on desired file and click Share (at Top) to reveal Copy link button. Click. 



  2. This will reveal Microsoft shortened URL to the file. Copy.



  3. Goto https://unshorten.me/ or similar service and paste link e.g.
    https://1drv.ms/u/s!AsRPggdGwZFcjWhqmIY9K_tzLnQI?e=1o1vOQ
    to get expanded URL.




  4. Copy destination URL and change /redir? to /download?

    For example, 

    https://onedrive.live.com/redir?resid=5C91C14607824FC4!1768&authkey=!AGqYhj0r-3MudAg&e=1o1vOQ

    to 

    https://onedrive.live.com/download?resid=5C91C14607824FC4!1768&authkey=!AGqYhj0r-3MudAg&e=1o1vOQ


  5. Use this link for an instant direct download of the shared file. This buy passes the preview pane in OneDrive.com. Done.




Posted by metadataconsulting (profile) at 6:00 AM 2 comments

Tuesday, September 14, 2021

Phishing UPS email with subject "DO NOT REPLY | from UPS® Canada | Review your automatic delivery"

For the record, this is UPS phishing email attempt that is recently going around, with subject "DO NOT REPLY | from UPS® Canada | Review your automatic delivery"

What to do?  Report them, goto bottom of page. 


From : from UPS® Canada <alex_diva_03@hotmail.com>
Subject : DO NOT REPLY | from UPS® Canada | Review your automatic delivery | ...










PHISHING LINKs;

Hover over button
1. http://trilotus.co.za/mass/Subhost.aspx.html - South Africa

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the  company's website then forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Posted by metadataconsulting (profile) at 7:30 AM 0 comments
Subscribe to: Posts (Atom)