As promised, here is the POC that I had been holding on to until it got leaked by one of my students and I finally got around to posting a clean copy of it on my blog, so if you want to check it out, go for it. The concept is so simple, makes you wonder what else HTML/CSS can do? But, although nothing earth shattering, just another way to bypass ads from being blocked, if the source is determined it could have implications that those pesky ads, we can't block them anymore. Imagine if a giant like Google decided to go this route?
This is a very benign and simple example, but creating ANY image/dimension using image plotting tools will be very easy. I did this using a simple loop heuristic, but that can easily be adapted into a program that can take any ad image, pixel it like this and totally bypass all filtering. Furthermore, you can embed the URL of the ad into the style element as well (which I did not do in this example) so as to make it clickable too; now imagine the horror.
Anyway, enough said - Have fun: Use HTML/CSS to Defeat Adblock Plus and Similar
POC: Bypassing Adblock Plus or Similar Image Blockers
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Comodo_Dragon/17.1.0.0 Chrome/17.0.963.38 Safari/535.11
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
The POC is easily defeated by View > Page Style > No Style, which in effect disables CSS, as you said at the POC site.
This is not unusual for me. When sites go way too far on the graphics, purple-and-pink-checked b/g, not enough contrast between text and b/g, etc., I use the above on such sites. Becomes like the old days, black text on white b/g, blue links. Navigates a little more strangely, but gets rid of whatever it is that is so annoying.
So yes, there is a way to prevent such things built right into Fx, although you're right, ABP won't do it. If you want something done completely ....
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> Tom T. wrote: The POC is easily defeated by View > Page Style > No Style, which in effect disables CSS, as you said at the POC site.
Unless you recreate this 90s-style using tables and the bgcolor attribute.
I believe The GIMP used to have an export feature for converting images into the "HTML format" which would create "images" in exactly such a format. I didn't quite understand what this was for, especially considering that (at that time modern) Netscape 4 crashed immediately when viewing documents created this way from images larger than a 16x16 icon.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> dhouwn wrote:
> > Tom T. wrote: The POC is easily defeated by View > Page Style > No Style, which in effect disables CSS, as you said at the POC site.
> Unless you recreate this 90s-style using tables and the bgcolor attribute.
Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> Tom T. wrote: Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.
There you go: http://dl.dropbox.com/u/2130149/smiley.html
But apparently I was wrong in assuming that setting "page style" to "no style" only means that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox but not IE (where turning off page styling apparently works like I expected).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> dhouwn wrote:
> > Tom T. wrote: Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.
> There you go: http://dl.dropbox.com/u/2130149/smiley.html
> But apparently I was wrong in assuming that setting "page style" to "no style" only means that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox
Indeed.
> but not IE (where turning off page styling apparently works like I expected).
Who uses IE?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
- GµårÐïåñ
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> dhouwn wrote:
> > Tom T. wrote: Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.
> There you go: http://dl.dropbox.com/u/2130149/smiley.html
> But apparently I was wrong in assuming that setting "page style" to "no style" only means that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox but not IE (where turning off page styling apparently works like I expected).
You are using TABLE elements which is just fine and valid, but less "transparent" and also NO ONE makes ads THAT big to cover the WHOLE page, so it would reasonably be smaller but just the same your huge ass smiley loaded just fine and didn't crash anything, so still could work. Also given ABP is a Fx addon, the point was moot on IE or anything else but as Tom already pointed out, you could also disable the same CSS/styling functionality in Fx too, just like IE.
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Comodo_Dragon/17.3.0.0 Chrome/17.0.963.46 Safari/535.11
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> Tom T. wrote: So yes, there is a way to prevent such things built right into Fx, although you're right, ABP won't do it.
I managed to do it with ABP by pressing Ctrl-Shift+I and creating the rule
majormike.us##SPAN[style="position: absolute; top: 200px; left: 50px;"]
It's not blocked, though, only hidden.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
- GµårÐïåñ
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
Anything using a CSS tag can be "hidden"; that's not the same as blocking them, and given the method by which they are done, it can cause conflict with main content if the ad uses tags that match the page they are embedded into rather than doing what I did and make them unique. If I had not made them unique for the sake of the POC, it would cause you to block any legitimate SPAN item on the page fitting the dimensions too. Giving them class/id information makes it easier but they can be removed and it would make it harder. Of course, still even if you managed, you are hiding, not blocking it, which might be good enough for some, but then calling it AdBLOCK would be a bit of a misnomer.
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Re: POC: Bypassing Adblock Plus or Similar Image Blockers
> tlu wrote: It's not blocked, though, only hidden.
One of the advantages of actual blocking, as with NS, is saving the bandwidth, d/l time, CPU and RAM, etc.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
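Added example, not code from the thread or from Adblock Plus: a structural check a filter author could run over page HTML to spot both variants discussed above (the styled-SPAN grid and the TABLE/bgcolor grid) without depending on class, id or an exact style string. The class and function names, the thresholds and the sample pages are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

BG = re.compile(r"background(?:-color)?\s*:", re.I)
DIM = re.compile(r"(?<![-\w])(?:width|height)\s*:\s*(\d+)px", re.I)

class PixelCellCounter(HTMLParser):
    """Counts empty, coloured, tiny elements: the unit a pixel-drawn image is built from."""
    def __init__(self, max_px):
        super().__init__()
        self.max_px, self.stack, self.cells = max_px, [], 0

    def _is_cell(self, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        coloured = bool(a.get("bgcolor")) or bool(BG.search(style))
        dims = [int(n) for n in DIM.findall(style)]          # CSS width/height
        dims += [int(a[k]) for k in ("width", "height") if a.get(k, "").isdigit()]
        return coloured and bool(dims) and max(dims) <= self.max_px

    def handle_starttag(self, tag, attrs):
        self.stack.append([tag, self._is_cell(attrs), True])  # name, candidate, empty

    def handle_data(self, data):
        if data.strip():
            for frame in self.stack:  # text anywhere inside means "not a bare pixel"
                frame[2] = False

    def handle_endtag(self, tag):
        if tag not in [f[0] for f in self.stack]:
            return  # stray closing tag
        while True:  # also pops unclosed children such as <br>
            name, candidate, empty = self.stack.pop()
            self.cells += int(candidate and empty)
            if name == tag:
                break

def looks_pixel_drawn(html, min_cells=64, max_px=8):
    counter = PixelCellCounter(max_px)
    counter.feed(html)
    return counter.cells >= min_cells, counter.cells

# Constructed samples (not the thread's POCs): 10x10 grids of 2px cells, plus a normal page.
def _grid(tmpl):
    return "".join(tmpl % ("#ff0", "#000")[(x + y) % 2] for y in range(10) for x in range(10))
CSS_SAMPLE = "<p>Article</p><span style='position:absolute'>%s</span>" % _grid(
    "<span style='float:left;width:2px;height:2px;background:%s'></span>")
TABLE_SAMPLE = "<table><tr>%s</tr></table>" % _grid("<td bgcolor='%s' width=2 height=2></td>")
NORMAL = "<div style='background:#eee;width:600px'><p>Hi</p><td bgcolor='#fff'>9.99</td></div>"
```

The check only sees inline styles and presentational attributes; cells sized through a stylesheet would need the computed style from a live DOM instead.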