Netgate Discussion Forum

ISP Injecting JavaScript into pages (XSS)

IDS/IPS
  • D
    Derelict LAYER 8 Netgate
    last edited by Dec 22, 2018, 10:05 AM

    Use HTTPS.

    • T
      tsmalmbe
      last edited by Dec 22, 2018, 11:00 AM

      https://www.troyhunt.com/heres-why-your-static-website-needs-https/

      Adding to the obvious, but Troy has done some serious legwork here.

      Security Consultant at Mint Security Ltd - www.mintsecurity.fi

      • B
        bgercken
        last edited by bgercken Dec 22, 2018, 1:52 PM Dec 22, 2018, 1:38 PM

        Maybe there is some confusion here on my part.

        This is occurring randomly on sites that I visit from my home network. I am not hosting the site behind my firewall; these are public sites that I am viewing, and the ISP intercepts the content, inserts its JavaScript and then forwards the content to my browser. MIM if you will.

        Is there a rule that I can add that would prevent this?

        Edit: Looking through my browsing history, I realize that it does only occur for sites that are not secure. So it appears that they randomly track my destinations and wait for me to go to an HTTP site. Still seems shady on their part.

        • D
          Derelict LAYER 8 Netgate
          last edited by Derelict Dec 22, 2018, 2:02 PM Dec 22, 2018, 2:00 PM

          No. That is what HTTPS is for. A secure connection between you and the web server so the contents cannot be altered without detection.

          Of course it's shady. That's why HTTPS was invented.

          It's not hard to see when you are HTTP not HTTPS. The former is on port 80 and the latter on port 443.

          • B
            bgercken @Derelict
            last edited by Dec 22, 2018, 2:34 PM

            @derelict Yes, I understand SSL/TLS. Was just surprised that the ISP feels that they can just inject content into a stream to facilitate whatever they are selling. In this case it appears that their intent is to just ensure the end user (me) is aware that they have online support links for the process etc., but it could easily be used for XSRF and the like. Also makes me feel like Big Brother is watching. Thanks for your feedback, it is appreciated.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Dec 22, 2018, 3:10 PM

              They are doing it to "HELP" you - so clearly it's OK ;) Like reminding you to install their router they sent you..

              Did you see what CenturyLink did to customers in Utah?

              I would make sure you complain to anyone that you can complain to - the ISP, your local government.. The FCC maybe..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • B
                bgercken @johnpoz
                last edited by Dec 22, 2018, 5:02 PM

                @johnpoz - Hi, I can't find anything describing the CenturyLink issue in Utah. Do you have a link or a reference? (Seems like there are a lot of customer support complaints though.) Thanks!

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Dec 22, 2018, 5:49 PM Dec 22, 2018, 5:48 PM

                  sure here
                  https://arstechnica.com/tech-policy/2018/12/centurylink-blocks-internet-access-falsely-claims-state-law-required-it/
                  https://www.techdirt.com/articles/20181218/09105641255/broadband-isp-centurylink-is-blocking-users-internet-access-just-to-show-ad.shtml
                  https://www.pcmag.com/news/365531/centurylink-forced-utah-customers-to-view-ad-to-get-internet

                  • B
                    bgercken @johnpoz
                    last edited by Dec 22, 2018, 6:30 PM

                    @johnpoz Wow! Thanks!

                    • B
                      boobletins
                      last edited by boobletins Dec 23, 2018, 8:40 PM Dec 23, 2018, 8:33 PM

                      Are you sure they're doing this with MITM-style injection and not DNS? Are you using DNS servers that you control? If not, I would start there.

                      If, as you say, you are seeing additional code inserted into HTML from 3rd party websites, then you're looking at various JavaScript blockers, a proxy that can strip content, etc. You wouldn't be able to stop the actual injection without encryption (integrity) as suggested above.

                      Have an example of the injected code?

                      If you have root access to the original router, you may be able to spoof/alter the MAC address as well (to mimic the new one)...

                      Or just install the new router...

                      • B
                        bgercken
                        last edited by Dec 24, 2018, 1:02 PM

                        Really not sure how they did it. Their JavaScript was inserted just before the closing body tag in the page. It does have a nice descriptive comment field that describes the purpose etc.

                        <script language="JavaScript" type="text/javascript">
                        
                        // Copyright (C) 2015 Comcast Cable Communications, LLC
                        // Contact Us: http://customer.xfinity.com/contact-us/
                        // Intended use of this message is to display critical and time sensitive notifications to customers.
                        -- snip --
                        _ComcastAlert.go();
                        </script>
                        
                        </body></html>
                        

                        I saw the message several times that day but it has stopped for now.

                        The reason I don't want to install the new router is that it has an integrated AP which then does not allow me to see (monitor) any of the wireless traffic on my network. This is a broadband cable setup so I like having the traffic pass through my monitoring setup before it hits the firewall and then again before it hits the AP. I am going to see if I can just disable the onboard AP and continue to use my current setup etc.

                        Cheers.

                        1 Reply Last reply Reply Quote 0
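An added example, not part of any post in this thread: one way to confirm the behaviour described above is to compare the `<script>` elements of a page fetched over plain HTTP with a copy fetched over a path the ISP cannot modify (HTTPS or a VPN, as suggested in the thread). The class and function names and both sample pages are constructed for illustration; the injected block is modelled on the snippet posted above.

```python
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._attrs, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._buf = dict(attrs), []

    def handle_data(self, data):
        if self._buf is not None:      # only keep text inside <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = " ".join("".join(self._buf).split())  # normalise whitespace
            self.scripts.append((self._attrs.get("src"), body))
            self._buf = None

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(plain_html, reference_html):
    """Scripts present in the plaintext copy but absent from the reference."""
    known = set(scripts_in(reference_html))
    return [s for s in scripts_in(plain_html) if s not in known]

# Constructed sample pages (not captured traffic). REFERENCE stands for the
# copy fetched over HTTPS/VPN, PLAINTEXT for the copy fetched over port 80.
REFERENCE = """<html><body><h1>Example</h1>
<script src="/static/app.js"></script>
</body></html>"""

PLAINTEXT = """<html><body><h1>Example</h1>
<script src="/static/app.js"></script>
<script language="JavaScript" type="text/javascript">
// Intended use of this message is to display critical and time sensitive notifications to customers.
_ComcastAlert.go();
</script>
</body></html>"""

if __name__ == "__main__":
    for src, body in injected_scripts(PLAINTEXT, REFERENCE):
        print("only in plaintext copy:", src or "(inline)", body[:60])
```

Pages that vary per request (rotating ads, per-session inline scripts) will also show differences, so a hit is a lead to inspect rather than proof of injection.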
                          • J
                            jimp Rebel Alliance Developer Netgate
                            last edited by Dec 26, 2018, 2:48 PM

                            If your ISP is pulling shady shenanigans, you can:

                            1. Get a new ISP that doesn't engage in shenanigans
                            2. Use a VPN to tunnel past their shenanigans

                            /shenanigans

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!
