LeighWardle

Is this javascript a security risk?

Hi Experts,


I inadvertently clicked on an email attachment that contained something like this (I have deleted a lot of the characters, just in case):


<script language="javascript">document.write( unescape( '%3C%48%45%41%44%3E%0D%0A%..............0D%0A%3C%6D%65%74%61%20%48' ) );</script>



I ran it through a decoder, giving this:


<script language="javascript"><HEAD>
<meta HTTP-EQUIV="REFRESH" content="0.1; url=https://xyz.online/1/?e=my-email@some-domain.com">
</HEAD></script>


Does execution of that attachment pose any sort of security risk?


Regards,

Leigh

Dave Baldwin

It's certainly not desirable. Did it show your real email address?
LeighWardle

ASKER

Yes, it showed my actual email address.
Dave - what are the consequences?
ASKER CERTIFIED SOLUTION
Dave Baldwin
LeighWardle

ASKER

Hi Dave,
Thanks for confirming my suspicions.
Regards,
Leigh
Julian Hansen

To add to what Dave said.

Basic rule. Everything is a potential malicious attack until proven otherwise - and even then be careful.

If you find JavaScript with document.write - don't trust it.
If you find JavaScript using the eval or unescape commands or any other command that deals with what appears to be obfuscated code - don't trust it.

Unfortunately, in the times we live in, people will go to great lengths to reap benefit at your expense while finding increasingly devious ways to hide what they are doing.

Unless there is significant benefit or requirement for you to expose yourself to code from an unknown / untrusted source - don't touch it - and even then be suspicious.
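
One way to inspect an attachment like the one in the question without opening it in a browser, added here as an example and not code from anyone in the thread: it decodes the unescape() string as data and reports the meta-refresh target and any query parameter that carries an email address. The sample payload, redirect.example and user@example.com are constructed, and the function names are hypothetical.

```javascript
// Added example: static triage of an HTML attachment. The payload is decoded
// as data and never executed or rendered.

// Same decoding rules as unescape(): %XX and %uXXXX become UTF-16 code units.
function staticUnescape(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

function triageAttachment(html) {
  const findings = [];
  // String literals passed to unescape(...), as in the question's attachment.
  const callRe = /unescape\s*\(\s*(['"])(.*?)\1\s*\)/gs;
  for (const m of html.matchAll(callRe)) {
    const decoded = staticUnescape(m[2]);
    const meta = decoded.match(/<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b[^>]*>/i);
    const target = meta && meta[0].match(/url\s*=\s*([^"'>\s]+)/i);
    let url = null;
    try { url = target ? new URL(target[1]) : null; } catch { /* not absolute */ }
    // Query parameters whose value looks like an email address.
    const emailParams = url
      ? [...url.searchParams].filter(([, v]) => /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v))
          .map(([k]) => k)
      : [];
    findings.push({
      decoded,
      redirect: url ? url.href : (target ? target[1] : null),
      emailParams,
    });
  }
  return findings;
}

// Constructed sample: every value below is made up for this example.
const PLAIN = '<HEAD>\r\n<meta HTTP-EQUIV="REFRESH" content="0.1; ' +
  'url=https://redirect.example/1/?e=user@example.com">\r\n</HEAD>';
const ENCODED = [...PLAIN]
  .map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'))
  .join('');
const SAMPLE = '<script language="javascript">document.write( unescape( \'' +
  ENCODED + '\' ) );</script>';

for (const f of triageAttachment(SAMPLE)) {
  console.log('redirect:', f.redirect, 'email-bearing params:', f.emailParams);
}
```

Run it with Node.js against the saved attachment text; nothing in the file is rendered or fetched.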

