How to check style for malicious code?

rav3n83

Member
Greetings-

I am having a developer work on a custom style for my site. This developer is off site and I do not necessarily trust anyone by nature.

I would love to review the code after the style is finished. What can possibly happen if he leaves malicious code of some sort?

One last question, where should I be looking for the potential offending code? And yes this developer has reviews, and I have spoken to him on the phone, but like I said I am the type of person who likes to have the satisfaction of knowing I reviewed and OK'd something. I just have no knowledge of how XF styles function.
Thanks for your time reading this.
 
As a style contains arbitrary HTML/JS, it could effectively trigger an XSS. You would need to carefully review all of the HTML in the style (within the XML file and any custom JS) to determine whether it's doing anything malicious.
 
It's going to be hard to find malicious code if you don't understand how XF styles work.

If you have a real reason to believe they are not legitimate, don't work with them. If you're just being paranoid, feel free to pay another developer to look over his work to ensure there is no problem. For the most part, if you're working with a trustworthy developer, they will not be backdooring your code. It's not exactly considered ideal customer service and a good way to grow your business as a developer.
 
Thank you for the replies. And I understand that point of view Robust, and I anticipated that response. But developers all start somewhere. And even if I had used a free style, I wouldn't mind some understanding of how they function.

This information helps me get acquainted with XenForo also. I am not new to web development. In fact I have used a few different forum software packages, and a few popular CMS platforms. But in the capacity of the Admin and making modifications with code I did not write.

I have a localhost test server that I am testing the style on, using XAMPP. Is there anything I can do within my test environment on my localhost server, to check for any code "calling home" or trying to inject code into the style/site? I am not going to be using this on my live site until I have more information and have tested this style completely on my localhost server.
 
I have a localhost test server that I am testing the style on, using XAMPP. Is there anything I can do within my test environment on my localhost server, to check for any code "calling home" or trying to inject code into the style/site? I am not going to be using this on my live site until I have more information and have tested this style completely on my localhost server.
It's more tricky with a style than an add-on. With a style it could be in any one of the modified templates. For complicated styles, there's a lot of code to cover. You'll know a callback when you see one; malicious JS can be harder to spot depending on why you class it as "malicious". If you really wanted to check a style full and through, you'd really be looking through every one of the modified and new templates and seeing what they contain. It's probably easier to do it using WebDAV than the admin template system, but it's a time-consuming task either way. If you don't understand the code then it's totally possible you won't notice anything malicious anyway.

And I can't comment on how you learn, but reverse engineering is a great way to learn (for me at least), just looking for a vulnerability and making that your focus probably isn't. Breaking down the code to see how something is done, great. If you're just scanning code to find a problem you probably won't be focusing on learning anything from it. And if you're dealing with a newer developer, they're probably not the best example to learn from. It's likely you'll pick up bad habits.

Good luck doing what you're doing. I'm sure your forum users will appreciate it. It takes a hell of a lot of time, at least the only way I know to do it. You can also search for key words and see if they're present in the templates, but that's much of a hit and miss tbh and not a good way to do anything, but if you make a hit (usually unlikely even in malicious code) it's obvious there will be more.
 
Yes Robust, I probably learn the same way. I tend to check things over, perhaps make small changes and see what the effect is, of course with always having a backup. I have been looking over all the files for a few hours including the .js files. I was searching for any reference to a http address, although I am guessing user input could easily be redirected without the use of a web address.

As far as the efficiency of the design, I would not understand until I have reviewed more code from known functional and efficient styles. I have reviewed a few of the more popular free styles available in the resource section, and I have yet to find any call outs to HTTP sites.
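
An added example (not from the thread and not XenForo's own tooling) of the keyword search discussed above, run over a style's XML export so every template is covered in one pass. The element names, the `title` attribute and the sample style are assumptions constructed for illustration; it also flags protocol-relative URLs and inline handlers that a search for "http" alone would miss.

```python
import re
import xml.etree.ElementTree as ET

# A hit is a prompt to read that line, not proof of malice (license callbacks and CDNs match too).
CHECKS = {
    "external-url": re.compile(r"(?:https?:)?//([\w.-]+\.[a-z]{2,})", re.I),
    "script-tag": re.compile(r"<script\b", re.I),
    "inline-handler": re.compile(r"\son(?:click|load|error|submit|focus|mouseover)\s*=", re.I),
    "dynamic-js": re.compile(r"\b(?:eval|atob|document\.write)\s*\(|fromCharCode"),
    "network-call": re.compile(r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|\$\.(?:ajax|get|post)\b"),
    "embed": re.compile(r"<(?:iframe|object|embed|form)\b", re.I),
}

def scan_style(xml_text, allowed_hosts=()):
    """Return (name, line_no, check, matched_text) for every hit in the export."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("unexpected DOCTYPE in style export; refusing to parse")
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for el in ET.fromstring(xml_text).iter():
        body = el.text or ""
        if not body.strip():
            continue
        # 'title' as the template-name attribute is an assumption; fall back to the tag.
        name = el.get("title", el.tag)
        for no, line in enumerate(body.splitlines(), 1):
            for check, rx in CHECKS.items():
                for m in rx.finditer(line):
                    if check == "external-url" and m.group(1).lower() in allowed:
                        continue
                    findings.append((name, no, check, m.group(0).strip()))
    return findings

# Constructed sample, not a real style; element names are assumed for illustration.
SAMPLE = """<style title="Constructed example">
  <templates>
    <template title="PAGE_CONTAINER"><![CDATA[<div class="p-body">
<img src="logo.png" onerror="this.src='//cdn.example.net/x.png'">
</div>]]></template>
    <template title="footer"><![CDATA[<footer>
<a href="https://xenforo.com">Forum software</a>
<script src="https://license.example.org/check.js"></script>
</footer>]]></template>
  </templates>
</style>"""

if __name__ == "__main__":
    for name, no, check, text in scan_style(SAMPLE, allowed_hosts={"xenforo.com"}):
        print(f"{name}:{no}: {check}: {text}")
```

Each reported line still has to be read in context; a clean run only means none of these particular patterns appeared.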
 
Depending on your style setup.... you can use the "Customized Components" link in the Appearance tab to view any templates that have been changed. Of course if you're using a framework of any sorts it may be difficult as a lot of frameworks customize a lot of templates. When viewing a customized template you can click "View Custom Changes" at the bottom to see exactly what was changed/added/removed.
 
As far as the efficiency of the design, I would not understand until I have reviewed more code from known functional and efficient styles. I have reviewed a few of the more popular free styles available in the resource section, and I have yet to find any call outs to HTTP sites.
Generally styles don't do it. They give you an option and expect the client to be honest and only remove branding if they have a branding removal license.

It might be good for me to point out now that if you class malicious as callbacks, you could be violating terms by removing them. If a developer wants a callback in to check license data/branding and discloses it (if it is not disclosed, it's violating XF rules, if sold here, and general developer 'ethics' if you ask me), it's allowed by XF and legally you should not be removing it without explicit permission from the developer. Not like anyone is going to chase you down for it, but that'd be the right way to go about it. Generally developers won't mind allowing you to remove any callbacks and adding the branding manually if you don't have branding purchased, for example, but every developer is different.
 