0

So I'm getting complaints sometimes that users are being taken to phishing and/or virus-spreading sites without clicking on anything.
I think this is caused by some malicious Google ads triggering window.location and redirecting people. Is it possible to detect such an action so I could log the ad source?

P.S. Sorry, just to clarify: is it possible to also detect the URL where the user is being taken, so we could discern malicious redirects from non-malicious ones?

Dannyboy
  • Are you rendering any string input from users? That could be the source of your problem if not properly escaped. I don't think it's because of Google ads. – zurfyx Jan 05 '17 at 14:38
  • @zurfyx — What makes a stored XSS attack more likely than the malicious ad hypothesis the OP has presented? – Quentin Jan 05 '17 at 14:39
  • @Quentin I hope Google analyses its ads before displaying them – zurfyx Jan 05 '17 at 14:41
  • @zurfyx — You'd hope. They probably do. Plenty of malicious ones still seem to slip through. Especially on mobile. – Quentin Jan 05 '17 at 14:43
  • @zurfyx no, I don't render any user input. This is what I'm talking about: https://productforums.google.com/forum/#!msg/chrome/HcXgFFaO9WU/SG6vrONDAAAJ. I've reported it to Google but they can't fix it. – Dannyboy Jan 05 '17 at 14:43
  • Possible duplicate of [Best way to detect when a user leaves a web page?](http://stackoverflow.com/questions/147636/best-way-to-detect-when-a-user-leaves-a-web-page) – Heretic Monkey Jan 05 '17 at 15:15
  • @MikeMcCaughan sorry, to clarify: for troubleshooting this I'd need to find out the destination, the URL where the user is being taken, as there might be many legitimate redirects: like the user enters a new URL or clicks on a normal ad, etc. – Dannyboy Jan 05 '17 at 16:18
  • The answer to that is no. Think about it from a privacy/security point of view: why would I want some random site to know where I'm going when I'm leaving their site? – Heretic Monkey Jan 05 '17 at 16:21

2 Answers

2

You could quickly send some info about the page being redirected using onbeforeunload. You can either decide to block the redirection with a message asking for confirmation from the user, or just send some data about what happened to a backend.

```javascript
window.onbeforeunload = function(event) {
  // Send sync ajax call with event data
  // Return a message to ask confirmation
  return 'You are being redirected, please call the police'
};
```
floribon
  • Is it possible to get the new destination address though? Because there will be many legitimate uses as well, afaik. – Dannyboy Jan 05 '17 at 14:44
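
One way to do the "send some data to a backend" part of the answer above, as an added example that is not from the original posts: since the beforeunload event carries no destination URL, it reports which iframes were on the page and whether the user had just interacted. The endpoint `/log/unload`, the 1-second window and the function names are assumptions.

```javascript
// Added example. ENDPOINT and GESTURE_WINDOW_MS are assumed values, not from the page.
const ENDPOINT = '/log/unload';   // hypothetical logging endpoint
const GESTURE_WINDOW_MS = 1000;   // assumed: input within 1 s of unload counts as "recent"

// Pure function so the classification can be tested outside a browser.
function buildUnloadReport(state, now) {
  const sinceGesture = state.lastGestureAt === null ? null : now - state.lastGestureAt;
  return {
    page: state.page,
    recentInput: sinceGesture !== null && sinceGesture <= GESTURE_WINDOW_MS,
    msSinceGesture: sinceGesture,
    lastGestureType: state.lastGestureType,
    focusedFrame: state.focusedFrame, // iframe that last took focus (e.g. a clicked ad)
    frames: state.frames.slice(),     // src of every iframe present at unload
  };
}

function installUnloadLogger(win) {
  const doc = win.document;
  const state = { page: win.location.href, lastGestureAt: null,
                  lastGestureType: null, focusedFrame: null, frames: [] };
  const mark = (type) => { state.lastGestureAt = Date.now(); state.lastGestureType = type; };
  ['pointerdown', 'keydown', 'submit'].forEach((t) =>
    doc.addEventListener(t, () => mark(t), true));
  // Clicks inside a cross-origin iframe never reach the parent, but focus moves into the frame.
  win.addEventListener('blur', () => {
    const el = doc.activeElement;
    if (el && el.tagName === 'IFRAME') { state.focusedFrame = el.src; mark('iframe-focus'); }
  });
  win.addEventListener('beforeunload', () => {
    state.frames = Array.from(doc.querySelectorAll('iframe'), (f) => f.src);
    // sendBeacon queues the POST so it survives the page being torn down.
    win.navigator.sendBeacon(ENDPOINT, JSON.stringify(buildUnloadReport(state, Date.now())));
  });
  return state;
}

if (typeof window !== 'undefined') installUnloadLogger(window);
```

Reports with `recentInput` false and a non-empty `frames` list are the ones to correlate with ad sources. Typing a new URL also produces no in-page input, so the flag is a signal to investigate, not proof of a forced redirect.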
0

To stop redirection you can try using the onbeforeunload event:

https://developer.mozilla.org/en-US/docs/Web/API/WindowEventHandlers/onbeforeunload

```javascript
window.onbeforeunload = function(e) {
  var dialogText = 'Dialog text here';
  e.returnValue = dialogText;
  return dialogText;
};
```
Lukas Liesis