Scott Arciszewski

Software, Privacy, Security, Innovation

Ad Bypass for Free Webhosting

Posted on: September 10, 2013
Thanks to: All of the companies that provided free webhosting during my childhood
Advertising bypass for free webhosting using DOM manipulation + AJAX:

If you grew up in the era of crappy HTML websites hosted on Tripod, Angelfire, Geocities, et al., then you probably had to put up with advertisements injected by your web host on your web pages. If you poked around, you would have noticed that they only seemed to inject their advertisement code on HTML webpages with a <body> tag.

Upon reminiscing over my early experiences with free webhosting, I decided to try to see if I could remove the advertisements from a website hosted on a free webhosting service. My PoC can be seen live at http://snarkahol.20m.com.

I do not remember when I reported it to 20m, but I did post about it in July on Twitter.

If I had to "grade" this "vulnerability", I would say its impact is extremely low and mostly for novelty value. Nothing worth losing sleep over or posting on Full Disclosure. Just something fun to enjoy.

As with everything I post in this section, it's meant for educational purposes only.

Update: Found the email they sent after I reported it the first time. Reported on July 15 with Ref #[1M3uy090Gs3pM3h]

    # The Proof-of-Concept hosted on http://snarkahol.20m.com consists of the following files:

    # index.html
    <!DOCTYPE html>
    <html>
    <head>
    <title>Test</title>
    <style>
    body {
        display: none;
    }
    body + body {
    }
    </style>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script type="application/javascript">
    $(document).ready(function() {
        // Empty the <body>, discarding anything already inside it
        $("body").html("");
        // Fetch the real page content from a plain-text file (no <body> tag in it)
        $.get("/source/index.txt", function(html) {
            $("body").html(html);
        });
    });
    </script>
    </head>
    <body></body>
    </html>

    # source/index.txt
    <h1>Advertisements Bypassed</h1>
    <p>
    Tested and confirmed by Scott
    </p>

    # Timeline:
    # 2013-07-15 - Tried and succeeded
    # 2013-07-15 - Reported to 20m
    # 2013-07-23 - Announced on Twitter
    # 2013-09-10 - Published this document
    # See more information at https://s.arciszeski.me/research/view/ad-bypass-free-web-hosting
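
From the host's side, the listing above works because the ad is added to markup that the page's own script later overwrites. The following is an added example, not code from the original post or from any web host: it models that sequence and a simple host-side check for the pattern. The injector's insertion point, the `AD` placeholder, and the function names `injectAd`, `afterClientScript` and `looksLikeBypass` are assumptions made for illustration.

```javascript
// Added example. AD is constructed placeholder markup, not a host's real ad code.
const AD = '<div class="host-ad">[ad]</div>';

// Assumed host behaviour, per the post: only files containing a <body> tag
// are rewritten. Inserting right after the tag is an assumption.
function injectAd(source) {
  return source.replace(/<body\b[^>]*>/i, (tag) => tag + AD);
}

// Models the PoC's client-side step: $("body").html(fragment) replaces
// everything inside <body>, including whatever the host put there.
function afterClientScript(servedHtml, fragment) {
  return servedHtml.replace(/(<body\b[^>]*>)[\s\S]*(<\/body>)/i,
    (_, open, close) => open + fragment + close);
}

// Hypothetical host-side heuristic: the stored page has an empty <body>
// and a script that writes into it with jQuery's .html().
function looksLikeBypass(source) {
  const emptyBody = /<body\b[^>]*>\s*<\/body>/i.test(source);
  const writesBody = /\$\(\s*["']body["']\s*\)\s*\.html\(/.test(source);
  return emptyBody && writesBody;
}

// Constructed inputs, condensed from the PoC listing above.
const INDEX_HTML = `<!DOCTYPE html><html><head><script>
$(document).ready(function() {
  $("body").html("");
  $.get("/source/index.txt", function(html) { $("body").html(html); });
});
</script></head><body></body></html>`;
const FRAGMENT = "<h1>Advertisements Bypassed</h1>";
const NORMAL_PAGE = "<html><body><h1>Hello</h1></body></html>";

function demo() {
  const served = injectAd(INDEX_HTML);
  return {
    adInServedPage: served.includes(AD),          // host did inject
    fragmentUntouched: injectAd(FRAGMENT) === FRAGMENT, // no <body>, no ad
    adAfterScript: afterClientScript(served, FRAGMENT).includes(AD),
    flagged: looksLikeBypass(INDEX_HTML),
    normalFlagged: looksLikeBypass(NORMAL_PAGE),
  };
}
console.log(demo());
```

A pattern match like `looksLikeBypass` is easy to sidestep with different script wording, so it is a review aid rather than an enforcement mechanism.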