ISP Injecting Java Script into pages (XSS)

bgercken

My ISP sent me a new router that it wants me to install and so they started pestering me online with pop up dialogs stating the same. I assume that they are doing some sort of XSS at the edge inserting the code. I have captured the code that they inserted.

This is telling me that they can insert anything they want to into a browser page which seems like a pretty severe security vulnerability.

I am running pfSense and Suricata with blocking turned on but there is now way to determine that something changed if it is happening outside my network.

Any ideas on how to block this?

Thanks.
-bill

Screen Shot

Derelict

Use HTTPS.

tsmalmbe

https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Adding to the obvious, but Troy has done some serious legwork here.

bgercken

Maybe there is some confusion here on my part.

This is occurring randomly on sites that I visit from my home network. I not hosting the site behind my firewall these are public sites that I am viewing and the ISP intercepts the content, inserts its javascript and then forwards the content to my browser. MIM if you will.

Is there a rule that I can add that would prevent this?

Edit: Looking through my browsing history, I realize that it does only occur for sites that are not secure. So it appears that they randomly track my destinations and wait for me to go to a http site. Still seems shady on their part.

Derelict

No. That is what HTTPS is for. A secure connection between you and the web server so the contents cannot be altered without detection.

Of course it's shady. That's why HTTPS was invented.

It's not hard to see when you are HTTP not HTTPS. The former is on port 80 and the latter on port 443.

bgercken

@derelict Yes I understand SSL/TLS. Was just surprised that the ISP feels that they can just inject content into a stream to facilitate what ever they are selling. In this case it appears that their intent is to just ensure the end user (me) is aware that they have online support links for the process etc. but it could easily be used for XSRF and the like. Also makes me feel like Big Brother is watching. Thanks for your feedback, it is appreciated.

johnpoz

They are doing it to bring "HELP" you - so clearly its OK ;) Like you reminding you to install their router they sent you..

Did you see what centurylink did to customers in Utah?

I would make sure you complain to anyone that you can complain to - the ISP, your local government.. The FCC maybe..

bgercken

@johnpoz - Hi I can't find anything describing the centurylink issue in Utah do you have a link or a reference? (Seems like there are lot of customer support complaints though.) Thanks!

johnpoz

sure here
https://arstechnica.com/tech-policy/2018/12/centurylink-blocks-internet-access-falsely-claims-state-law-required-it/
https://www.techdirt.com/articles/20181218/09105641255/broadband-isp-centurylink-is-blocking-users-internet-access-just-to-show-ad.shtml
https://www.pcmag.com/news/365531/centurylink-forced-utah-customers-to-view-ad-to-get-internet

bgercken

@johnpoz Wow! Thanks!

boobletins

Are you sure they're doing this with MITM-style injection and not DNS? Are you using DNS servers that you control? If not, I would start there.

If, as you say, you are seeing additional code inserted into html from 3rd party websites, then you're looking at various javascript blockers, a proxy that can strip content, etc. You wouldn't be able to stop the actual injection without encryption (integrity) as suggested above.

Have an example of the injected code?

If you have root access to the original router, you may be able to spoof/alter the MAC address as well (to mimic the new one)...

Or just install the new router...

bgercken

Really not sure how they did it. Their java script was inserted just before the closing body tag in the page. It does have a nice descriptive comment field that describes the purpose etc.

<script language="JavaScript" type="text/javascript">

// Copyright (C) 2015 Comcast Cable Communications, LLC
// Contact Us: http://customer.xfinity.com/contact-us/
// Intended use of this message is to display critical and time sensitive notifications to customers.
-- snip --
_ComcastAlert.go();
</script>

</body></html>

I saw the message several times that day but it has stopped for now.

The reason I don't want to install the new router is that it has an integrated AP which then does not allow me to see (monitor) any of the wireless traffic on my network. This is a broadband cable setup so I like having the traffic pass through my monitoring setup before it hits the firewall and then again before it hits the AP. I am going to see if I can just disable the onboard AP and continue to use my current setup etc.

Cheers.

Derelict

This post is deleted!

jimp

If your ISP is pulling shady shenanigans, you can:

1. Get a new ISP that doesn't engage in shenanigans
2. Use a VPN to tunnel past their shenanigans

/shenanigans