Cenzic 232 Patent
Paid Advertising
web application security lab

Adblockplus Workaround

I’ll probably regret this post at some point, and I have to caveat this by saying I love adblockplus (it’s a dream). However, it is also flawed. Whenever you do straight string compare you are risking missing something. Well it just so happens, that the string comparison required when you are looking up something like ypn-js.overture.com you are missing one obvious way the client can request the JavaScript from the page - using the IP address. But that alone isn’t magic. Anyone can swap out an IP address… and by the way, that alone won’t work because of the way Overture’s ads are built. Not only do they use ypn-js.overture.com for the initial JS lookup, but also for the subsequent iframe that contains the ads themselves.

Okay, easy enough… first we take the JavaScript and look for any variables that are set by the Overture JavaScript. We find one and then we check to see if it has been set. If it has, you can see that the ad is already there. If it hasn’t, the ad is not there, and you can write your own work-around. The reason we do this in this order is to make sure we don’t end up with two ads on the page (and we’d rather use the DNS if we can since that has built in IP failover).

Here’s the demo. This could be very valuable to anyone who is plagued by their users who turn off ads in the SEO/SEM crowd. Hint, hint, whitelist this domain, so I don’t have to mess with you guys. ;)

12 Responses to “Adblockplus Workaround”

  1. Wladimir Palant Says:

    Come on, there are better ways than that to mangle the address. This one only added one more to my list of IP-based filters.

    Btw, I am not blocking Google ads but having Overture as well is just too much.

  2. RSnake Says:

    Hahah, I could have bet money you’d respond to that. Yes, there are many many more ways. I was just cluing people into the fact that there was more than zero ways. ;)

    Thanks, Wladimir! Like I said, I love the product. I’ve got no beef with it, I swear - except my own selfish revenue concerns, that is.  ;)

  3. Wladimir Palant Says:

    Btw, I think that’s a non-issue. What you achieve by it is that the general subscriptions won’t cover your ads. That gives you a chance but if you use it to force annoying ads users will still block them (at some point these filters might even find their way into general subscriptions again). If you don’t let people block them (it is possible) you will only hurt your revenue even more. I wrote about it in http://adblockplus.org/blog/mozilla-hurting-google-by-recommending-adblock-plus

  4. RSnake Says:

    No, I get it, and I personally wasn’t trying to force users to see my ads (as you can see the layout of my page has not changed - I was kidding at best). I completely see the value in adblockplus, I was simply pointing out that it can be circumvented by ultra trival means - let alone really complex things like using random CGI proxies, etc….

    Sure consumers can then block it again, but that’s a different conversation. Some people (myself included) use adblockplus not just to remove ads, but remove anything annoying or potentially dangerous from the page. If it can be worked around, that becomes only an obfuscation rather than any real protection.

  5. Wladimir Palant Says:

    I am afraid that Adblock Plus is not a security solution and doesn’t offer real protection - that’s a fact. It helps somewhat by blocking third-party scripts that increase the chance of a particular web site being contaminated, it lets you block known attack vectors to some extent, but it generally works after the fact and won’t protect you against something you have never seen before.

    On the other hand, what could help security is having a general rule like “*$object” (it doesn’t depend on string comparison ;)) and adding exception rules only for the wanted objects. I use this kind of setup in Thunderbird, there I block all remote content with only 8 exceptions. In the browser blocking all objects but the explicitly allowed ones might also be a good choice but so far I have been too lazy to actually do it.

  6. RSnake Says:

    Well stop downloading movies and get started on it!

    Seriously though, I think you have built nearly a perfect framework for this kind of thing. If I could block on more complex regex in files, I think this would definitely become far more powerful (if not slower).

  7. Marcin Says:

    And that is why I like NoScript :)

    https://addons.mozilla.org/firefox/722/
    http://noscript.net/

  8. John @ NIST.org Says:

    Wladmir, I’m not so sure about your statement. I run adblockplus on all of my computers but I often forget that it is on. In fact I didn’t even remember that Rsnake’s site was suppose to have ads. Since I want to support him I’ve whitelisted his site. I know this isn’t the right place for suggestions to your app but perhaps an option to auto-whitelist bookmarked sites. I’m not sure I would want all of my bookmarks whitelisted but some people might. Just a thought.

  9. Wladimir Palant Says:

    John, not sure which statement you mean but have a look at http://adblockplus.org/en/whitelist_bookmarks. As to doing it automatically - I think that very few people would want this.

  10. Wladimir Palant Says:

    Rsnake - speaking of ads… I don’t have anything against Whitehat Security but their ad is annoying. Are you sure you want to display animated ads on this site?

  11. RSnake Says:

    Well everyone turns off the other ads. ;) No but seriously, ad revenue is one of the few things that keeps this site going. If you want to stop gifs from animating you can easily do that in Firefox:

    * In the URL bar, type in “about:config”
    * In the filter bar type “anim”
    * Double click on image.animation_mode and in the window that pops up change the setting from “normal” to either “none” or “once”.

    I personally have it set to once. I like to see it but not twice - it hurts performance in Firefox anyway for some reason.

  12. Jim Says:

    Here’s how I’m thinking to use this, detect if the variable is there, or if javascript is enabled, if one is not then serve a different kind of website with less features and goodies, I will have right at the top a notice that they are viewing a special version of the site because they are blocking simple, low bandwidth text ads (never used anything else yet half of my visitors don’t see ads now thanks to adblockplus, and at times like this, when sites like winsite are out of business, when jumbo is now a tiny caricature of what it used to be, survival is the name of the game folks, I have busted my ass for the last 15 years to create this site, blood and tears, and I’ll fight back anyway I can. And I can, all my 8000+ pages are dynamic anyway so it should a piece of cake, and I’ll make sure this has no negatives with SEO.