bearonthejob

[New] uTorrent Bookmarklet

After using some of the bookmarklets/browser extensions available, none of them seemed to fit my needs entirely. I was looking for something that would work on iOS environments, as well as my normal browsers (Chrome, FF), something that would let me queue downloads from a listing page instead of just individual download pages, and something that would give me a little feedback to let me know the queue was added properly.

There are some very nice extensions that can do this and more already, but obviously no extensions would work on an iOS environment. And all of the bookmarklets that I had tried were missing some feature that I really wanted...so I rolled my own.

uTorrent Bookmarklet v1.0: Download

___________________________________

Installation:

  • Download the attached .gz file.
  • Navigate to your uTorrent data folder, where webui.zip is located.
  • Add bookmarklet.html.gz to the root directory of your webui.zip archive.
  • Profit.

InstallationExample.png

The installation is pretty simple, just drop the attached file into your webui.zip file and you're done. All of the functionality/images are packed into that single file, and the bookmarklet is served from your own webui host. Instead of hosting it on some 3rd party server, or trying to pack too much into the bookmarklet code itself, I figured this was the easiest way to deliver it. Since you are going to need access to your uTorrent webui host anyways...might as well serve the code from there.

___________________________________

Usage:

  • Open the web browser of your choice and navigate to:
    http://<uTorrent_webui_address>:<uTorrent_webui_port>/gui/bookmarklet.html
  • Enter the username/password you have configured for your webui.
    (If you don't enter a username or password, you will be prompted for them when you use the bookmarklet)
  • Choose colors for the text and background of the "highlighter" (see image below).
  • Drag the bookmarklet link to your bookmark bar.
  • Browse to any page with a .torrent file or magnet link, and use the bookmarklet.
  • The first torrent link found on the page will be highlighted by the bookmarklet. If you click this link while highlighted, it will be added to your queue.
  • If you click on non-highlighted torrent links on the page, the highlighter will move to them, and you can click that link again to add that item to your queue.
  • When you are done, either click the bookmarklet button on your bookmark bar again to close it, or click the "X" on the highlighter.

HighlighterExample.png

In addition to supporting .torrent files and magnet links natively, it also supports transformed URLs for mininova.org, torrentreactor.net, and isohunt.com. This bookmarklet also supports token authentication, so should work by default with v2.0+ uTorrent installations.

___________________________________

Since this is all done in Javascript and HTML, all the code is directly available for anyone to edit. If you open the bookmarklet.html file archived in the .gz file, you will see a section at the top of the file where you can add custom transforms for specific torrent sites. These transforms are used to identify torrent links on the page (in case the links come from dynamic .php pages instead of .torrent files directly), and possibly transform the links to format them properly to add to uTorrent's queue.

So far I've tested this on Chrome 8, FF 3.6, Safari 5 on OSX, IE 8 on Windows, and Safari on iOS 4.1 (iPhone) and 3.2 (iPad). I haven't had the chance to test it in Opera or Android's browser. If anyone finds issues or would like to see improvements, please leave a reply and I'll see what I can do.


That is... intriguing! After seeing kentyman's bookmarklet, I told him that it probably wouldn't be feasible to support token authentication via bookmarklets. Proved me wrong! I never thought to include the script in webui.zip to house the bulk logic.

Tested on mininova, and it works as advertised, and very slickly at that.

Awesome stuff here, even at the code level. The dual and self-contained nature of the code is brilliant! Seriously excellent stuff, bearonthejob :D


Oh. Hrm, I was more excited by the technical achievements and the slickness of the thing earlier, and didn't actually stop to consider the security implications...

Indeed, it does seem that by allowing scripts to bypass the token authentication, this does reopen that can of worms... Even if the code doesn't currently contain other requests, JavaScript is such that modifying objects is dead easy, so attackers could (if they detect the window.UTB object) just inject their own code and do whatever they want... :/


Ahh...you are right. I was too busy being the cat, I didn't think much about the mouse.

The key to me getting around the XSS restrictions is that bookmarklet.html is being served by the webui itself, and therefore originates from the same domain. The javascript that gets injected by the bookmarklet uses a trick with iframes to load bookmarklet.html into a new iframe, with params attached to the url. The bookmarklet.html in the iframe then runs some script to get the auth token, and returns it to the injected javascript (this return process is the real trick to it all).

The weak point in the armor here is the bookmarklet.html that is loaded into the iframe. Since it is served from the webui, it has free rein on any webui interfaces. Right now, the exchange between the injected javascript and the iframe is generic enough that yes, if someone hooked into the window.UTB object they could make arbitrary requests to the host.

I will investigate to see if there is any way to lock down that exchange point. I might be able to add my own layer of authentication to make sure the source of the request is the bookmarklet, and not some random code from malicious-site-X.com.

But again, the only way you can open this vulnerability is by adding bookmarklet.html.gz to your webui interface. Without someone manually adding that source file, the token authentication is still solid.
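
An added example, not part of the original posts and not the bookmarklet's code: one way the exchange point discussed above could be narrowed so the same-origin frame exposes only "queue one torrent link" instead of forwarding arbitrary requests. The message shape (`op`, `link`, `query`) and the function names are assumptions made for illustration.

```javascript
'use strict';
// Added example; message shape and function names are assumptions, not the
// bookmarklet's actual code. /gui/?action=add-url is the WebUI's add-by-URL call.

const MAGNET = /^magnet:\?xt=urn:btih:[0-9a-z]{32,40}(&\S*)?$/i;
const DOT_TORRENT = /^https?:\/\/[^\s\/]+\/\S*\.torrent(\?\S*)?$/i;

// Model of the weakness: the same-origin frame forwards whatever query the
// embedding page supplies, so the page inherits every WebUI action.
function genericHandler(msg, token) {
  return '/gui/?token=' + encodeURIComponent(token) + '&' + msg.query;
}

// Narrowed exchange: one operation, link validated, query built inside the
// frame, token never returned to the page. The page shares a JS context with
// the injected script and cannot be authenticated, so what remains exposed
// is exactly "queue one torrent link".
function restrictedHandler(msg, token) {
  if (msg === null || typeof msg !== 'object' || msg.op !== 'queue') {
    return { ok: false, reason: 'operation not allowed' };
  }
  const link = msg.link;
  if (typeof link !== 'string' || !(MAGNET.test(link) || DOT_TORRENT.test(link))) {
    return { ok: false, reason: 'not a torrent link' };
  }
  return {
    ok: true,
    url: '/gui/?token=' + encodeURIComponent(token) +
         '&action=add-url&s=' + encodeURIComponent(link),
  };
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  { op: 'queue', link: 'http://tracker.example/files/demo.torrent' },
  { op: 'queue', link: 'magnet:?xt=urn:btih:' + 'a'.repeat(40) },
  { op: 'queue', link: 'http://tracker.example/a.torrent?x=1&action=setsetting' },
  { op: 'raw', query: 'action=setsetting&s=NAME&v=VALUE' },
  { op: 'queue', link: 'ftp://tracker.example/a.torrent' },
];

function runSamples(token) {
  return SAMPLES.map((m) => restrictedHandler(m, token));
}

console.log(runSamples('TOKEN-PLACEHOLDER'));
```

The third sample shows why the link is percent-encoded as a single `s=` value: the extra `&action=` inside it cannot become a second WebUI parameter.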
