#community-help

Discussion on Potential Typesense Javascript Attacks

TLDR John expressed concern about potential Typesense Javascript attacks. Kishore Nallan suggested they were likely scrapers, while Harpreet and Jason discussed the mechanics and potential sources of these supposed attacks.

Jul 05, 2021 (31 months ago)
John
03:11 PM
Has anyone already seen attacks on their Typesense JavaScript? It's unbelievable the number of attacks we've got since we went live!
Kishore Nallan
03:12 PM
Can you please clarify what you mean by an attack?
John
03:12 PM
Like GET /quadros-decorativos/%3C?php%20echo%20$this-%3EgetSkinUrl();%20?%3Ejs/typesense/search.js
John
03:12 PM
Looking in the weblogs
Kishore Nallan
03:12 PM
You mean scrapers/crawlers?
John
03:13 PM
Well, could this URL be from a crawler?
John
03:13 PM
It's from an iPhone actually
Kishore Nallan
03:13 PM
Yes, I think so. They are probably scraping your site. If it's an ecommerce site, probably for competitive intelligence.

The user agent etc. are usually spoofed.
Kishore Nallan
03:14 PM
You can just block the originating IP subnet in your firewall.
Harpreet
04:12 PM
How is /quadros-decorativos/%3C?php%20echo%20$this-%3EgetSkinUrl();%20?%3Ejs/typesense/search.js actually working?
Kishore Nallan
04:13 PM
Yeah, I think it is just a coincidence. It is not Typesense specific.
Harpreet
04:14 PM
Interesting regardless 🙂
Harpreet
04:18 PM
John, if you don't mind telling, could you tell me what the response was?
Jason
04:37 PM
URL decoding that shows:

/quadros-decorativos/<?php echo $this->getSkinUrl(); ?>js/typesense/search.js

So I think someone's just trying to check if PHP code can be executed via the URL by fetching a JS asset... Doesn't look Typesense specific.

Jason
04:38 PM
In my past experience, I've also seen automated security scanners check for vulnerabilities this way
John
07:13 PM
OK Jason interesting!
John
07:14 PM
Do you remember which security scanner?
John
07:14 PM
Although it must not be, because the origin IP changes quite a bit
John
07:14 PM
I am analysing the case more now
Jason
07:15 PM
There are many security scanning tools out there. The ones I've used are intruder.io, detectify, qualys
John
07:15 PM
OK
Jason
07:16 PM
That said, these are platforms that companies usually sign up for to find vulnerabilities in their own platforms. It is possible for someone to use these tools to scan random websites looking for vulnerabilities to exploit.
John
07:16 PM
Harpreet, the response is 404.
John
07:16 PM
Jason yes, sure...
John
07:38 PM
I am seeing as well SOOOOOOO many requests from http://ahrefs.com/robot/ - seems like one that's crazy!
Jason
07:40 PM
That's an SEO ranking monitoring tool
John
07:42 PM
Would you leave it alone?
Jason
07:47 PM
If you're not using ahrefs yourself, then might as well block it? You could control it via robots.txt though: https://ahrefs.com/robot
Jason
07:53 PM
Actually, I'm going to take that back. Ahrefs is pretty popular, and is not malicious, and is used by many marketers. So before deciding to block it (if at all) you want to make sure that no one on the marketing side is using it to monitor your own site already.
John
08:38 PM
OK Jason, it's just crazy, look at this
John
08:38 PM
This is for the last 5 days only!
Jason
08:43 PM
Ahrefs really likes your site!
Jason
08:44 PM
Apparently it's the second largest crawler of the web after Google. SEMrush is another SEO monitoring tool.
