JavaScript hiding in CSS files

Posted by Oliver Day Sun, 30 Aug 2009 10:51:27 GMT

We see a lot of fun hiding spots for JavaScript at the StopBadware office as we process webmaster appeals. Last week we realized something that the Matasano team stated in their recent blog entry for their new testing tool: debugging tools aren’t always tuned with security people in mind.

As I was processing a website, it was pretty obvious from the flow of the requests that badware was being loaded from somewhere and it was coming from loading-atm net. All I had to do was track down where the call was coming from. But searching through the first two GET responses didn’t show anything making a covert or overt call to the website.

 

[Image: hiding badware in CSS files]

One of the nice features of Burp Proxy (a JavaScript web application debugging tool) is that it will filter out certain responses like binaries. However, it also defaults to stripping CSS responses from view, which is unfortunately where this particular badware was hiding. It isn’t difficult to enable them again (simply check CSS in the filter view).
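Since a proxy's default view can hide CSS responses, a captured session can also be checked outside the proxy. The following is an added example, not part of the original post: it scans captured responses, selects the ones that are CSS by Content-Type or path, and flags script-bearing constructs and off-site references. The post does not say how the script was embedded, so the patterns are generic heuristics, and the response dict layout, hostnames and sample bodies are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Legacy ways a stylesheet can run or load script, plus tokens suggesting the
# "CSS" body is really JavaScript. Heuristics assumed for this example.
SCRIPT_PATTERNS = {
    "css-expression": re.compile(r"expression\s*\(", re.I),
    "ie-behavior": re.compile(r"behaviou?r\s*:\s*url\s*\(", re.I),
    "moz-binding": re.compile(r"-moz-binding\s*:", re.I),
    "javascript-url": re.compile(r"url\s*\(\s*['\"]?\s*javascript:", re.I),
    "js-code": re.compile(r"document\.write|eval\s*\(|unescape\s*\(|<script", re.I),
}
REMOTE_REF = re.compile(r"(?:url\s*\(|@import)\s*['\"]?\s*((?:https?:)?//[^'\")\s;]+)", re.I)

def is_css(resp):
    """Treat a response as CSS by Content-Type or by a .css path."""
    path = urlparse(resp["url"]).path.lower()
    return resp.get("content_type", "").lower().startswith("text/css") or path.endswith(".css")

def scan_css(resp):
    """Return (reason, detail) findings for one CSS response."""
    body, page_host = resp["body"], urlparse(resp["url"]).hostname
    findings = []
    for reason, rx in SCRIPT_PATTERNS.items():
        m = rx.search(body)
        if m:
            findings.append((reason, m.group(0)))
    for m in REMOTE_REF.finditer(body):
        ref = m.group(1)
        host = urlparse("http:" + ref if ref.startswith("//") else ref).hostname
        if host and host != page_host:  # stylesheet pulls from another host
            findings.append(("off-site-reference", host))
    return findings

def scan_capture(responses):
    """Map URL -> findings for every CSS response that has any."""
    scanned = {r["url"]: scan_css(r) for r in responses if is_css(r)}
    return {url: f for url, f in scanned.items() if f}

# Constructed sample capture (not taken from the original post).
SAMPLE = [
    {"url": "http://site.example/", "content_type": "text/html", "body": "<script src=a.js></script>"},
    {"url": "http://site.example/style.css", "content_type": "text/css", "body": "body { background: url(/img/bg.png); }"},
    {"url": "http://site.example/theme.css", "content_type": "text/css", "body": ".banner { behavior: url(//badware.example/a.htc); }"},
    {"url": "http://site.example/menu.css", "content_type": "text/plain", "body": "document.write('placeholder');"},
]

if __name__ == "__main__":
    print(scan_capture(SAMPLE))
```

A hit is a prompt to open that response by hand; these patterns can also match legitimate stylesheets, such as ones that load fonts from another host.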