[lug] unescaping url encoded document

Zan Lynx zlynx at acm.org
Fri Nov 6 13:51:33 MST 2009

On 11/6/09 1:21 PM, Kenneth D Weinert wrote:
> This is sort of amusing. I got a scam email telling me that the IRS was
> going to give me a refund of $773.00 and all I had to do was fill in the
> form and send it off.
> I clicked on it just to see where they were really sending it and did a
> "View Source" in my browser.  Here are the first 4 lines (4th line
> truncated):
> <Script Language='Javascript'>
> <!-- HTML Encryption provided by IRS -->
> <!--
> document.write(unescape('%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%20%50
> It displays fine, but I'm just curious what the submit button does and
> wondered if anyone had an easy shortcut to translate the URL Encoding
> into plain text outside of a browser.
> An interesting variation, at least one I hadn't seen before.

Sometimes it is a simple expansion. Other times it expands into more 
Javascript, and the only easy way to find the output is to actually run it.

There is a Perl module that wraps SpiderMonkey, the Mozilla/Firefox 
Javascript interpreter. SpiderMonkey can be used to decode these with 
some extra effort.

Zan Lynx
zlynx at acm.org

"Knowledge is Power.  Power Corrupts.  Study Hard.  Be Evil."
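
Added example, not part of the original thread: a static decoder for the "simple expansion" case discussed above, written in Python. It pulls literal unescape('...') arguments out of a saved page source, decodes them without executing any script, follows nested literal layers, and lists the form targets found. The sample page and the collector.example host are constructed placeholders, and the function names are this example's own.

```python
import re

# Matches unescape('...') or unescape("...") calls in page source.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# JavaScript unescape() understands %uXXXX and %XX escapes.
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
FORM_ACTION = re.compile(r"""<form\b[^>]*?\baction\s*=\s*(['"]?)([^'"\s>]+)\1""", re.I)


def js_unescape(text):
    """Decode the way JavaScript unescape() does, without running any script."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_layers(source, max_depth=5):
    """Return each decoded layer, following nested unescape() calls statically."""
    layers = []
    current = source
    for _ in range(max_depth):
        payloads = [m.group(2) for m in UNESCAPE_CALL.finditer(current)]
        if not payloads:
            break
        current = "\n".join(js_unescape(p) for p in payloads)
        layers.append(current)
    return layers


def form_actions(html):
    """List the URLs that forms in the decoded HTML would submit to."""
    return [m.group(2) for m in FORM_ACTION.finditer(html)]


# Constructed sample: an encoded form pointing at a placeholder host.
INNER = '<!DOCTYPE HTML><form action="http://collector.example/post.php" method="post"></form>'
SAMPLE = (
    "<Script Language='Javascript'>\n<!--\n"
    "document.write(unescape('" + "".join("%%%02X" % ord(c) for c in INNER) + "'));\n"
    "//-->\n</Script>"
)

if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE), 1):
        print("layer", depth, ":", layer)
        print("form targets:", form_actions(layer))
```

This only follows escape strings that appear as literals; a page that builds its output with further JavaScript logic falls into the second case described in the reply and will come back with the script text rather than the final HTML.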
