
I've been seeing some odd traffic in the logs for a web-application (Apache) that I'm wondering about, and I'm hoping that someone here has seen this before.

The raw requests were variations of:

http://[site]/Ajax/Basket/Add/e7199c8c-91a0-11e3-9f97-001c42f03a04/function%20()%20%7B%20%20%20%20var%20what,%20a%20=%20arguments,%20L%20=%20a.length,%20ax;%20%20%20%20while%20(L%20&&%20this.length)%20%7B%20%20%20%20%20%20%20%20what%20=%20a%5B--L%5D;%20%20%20%20%20%20%20%20while%20((ax%20=%20this.indexOf(what))%20!==%20-1)%20%7B%20%20%20%20%20%20%20%20%20%20%20%20this.splice(ax,%201);%20%20%20%20%20%20%20%20%7D%20%20%20%20%7D%20%20%20%20return%20this;%7D

which decodes to what looks like a JavaScript function to glom onto all of the data returned:

function() {
    var what, a = arguments,
        L = a.length,
        ax;
    while (L && this.length) {
        what = a[--L];
        while ((ax = this.indexOf(what)) !== -1) {
            this.splice(ax, 1);
        }
    }
    return this;
}

I've tracked down the IP-addresses for several of them, and they are originating from a few different sources:

  • 107.223.168.139 (AT&T Internet Services);
  • Various 10...* (internal corporate network);
  • One external IP for the corporate network;
  • A client network;
  • 199.91.135.140 (Bluecoat Systems, Inc.); and
  • 98.30.221.237 (Road Runner)

This feels like it could be the start of an exploit-attempt, though I'm not sure what useful information would be gleaned, since the response is nothing more than a JSON-structure error-details packet:

{
   "Details":"Traceback (most recent call last):\n  File \"/var/www/[application]-client/index.py\", line ####, in _AjaxResponder\n    '%s could be found' % ( resourceId ) )\nRuntimeError: No resource with an id of function () {    var what, a = arguments, L = a.length, ax;    while (L && this.length) {        what = a[--L];        while ((ax = this.indexOf(what)) !== -1) {            this.splice(ax, 1);        }    }    return this;} could be found\n",
   "Error":"RuntimeError:No resource with an id of function () {    var what, a = arguments, L = a.length, ax;    while (L && this.length) {        what = a[--L];        while ((ax = this.indexOf(what)) !== -1) {            this.splice(ax, 1);        }    }    return this;} could be found"
}

I don't see any significant risks at this point, but found myself wondering if anyone else has encountered this, or sees anything to be concerned with?

  • Found the code snippet online: http://stackoverflow.com/questions/3954438/remove-item-from-array-by-value – schroeder Jun 04 '15 at 19:41
  • Weird requests are never the problem - the problem is always about how the server responds. – schroeder Jun 04 '15 at 19:45
  • Did you check the referrer? It could be that a runaway string in some page source is causing it. – wireghoul Jun 05 '15 at 11:43
  • @wireghoul: Yeah, checked the referer, it's not originating from anywhere in the page, JS, etc. that I can find... – Brian Allbee Jun 05 '15 at 20:46
  • @schroeder: Not sure what the code-snippet is in reference to...? The server responds well enough, though -- The results are an error-message structure, as noted, it doesn't take any significant additional time, etc., it just clutters up the error-alerts email account. I don't _think_ it'd leak info, but I can't _prove_ that it wouldn't... :-/ – Brian Allbee Jun 05 '15 at 20:50
  • @BrianAllbee the JavaScript function you have in your logs is a direct copy from the SO link I provided. It's pretty innocuous. – schroeder Jun 05 '15 at 21:16
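
A log-triage sketch for the requests described in the question, added here as an example and not part of the original post or its comments: it percent-decodes each path segment of Apache combined-format log lines, flags segments that decode to JavaScript function source, and groups the hits by client IP, referer and user agent. The sample log lines, IP addresses, host name, status codes and agents are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A decoded path segment that starts like JavaScript function source.
JS_FUNC_RE = re.compile(r'^\s*function\s*[\w$]*\s*\([^)]*\)\s*\{')

def js_segments(target):
    """Return decoded path segments of a request target that look like JS function source."""
    # Split on raw "/" first so an encoded %2F inside a segment cannot create new segments.
    return [s for s in map(unquote, urlsplit(target).path.split("/")) if JS_FUNC_RE.match(s)]

def triage(lines):
    """Count flagged requests per (client IP, referer, agent) and per response status."""
    sources, statuses = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and js_segments(m["target"]):
            sources[(m["ip"], m["referer"], m["agent"])] += 1
            statuses[m["status"]] += 1
    return sources, statuses

# Constructed sample lines (documentation IPs, made-up host, statuses and agents).
BAD_PATH = ("/Ajax/Basket/Add/e7199c8c-91a0-11e3-9f97-001c42f03a04/"
            "function%20()%20%7B%20%20%20%20var%20what,%20a%20=%20arguments;%7D")
SAMPLE = [
    f'192.0.2.10 - - [04/Jun/2015:19:30:01 +0000] "GET {BAD_PATH} HTTP/1.1" 500 412 '
    '"http://shop.example/basket" "Mozilla/5.0 (constructed-a)"',
    f'198.51.100.7 - - [04/Jun/2015:19:31:12 +0000] "GET {BAD_PATH} HTTP/1.1" 500 412 '
    '"-" "Mozilla/5.0 (constructed-b)"',
    '192.0.2.10 - - [04/Jun/2015:19:32:40 +0000] "GET /docs/function-reference HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (constructed-a)"',
]

if __name__ == "__main__":
    sources, statuses = triage(SAMPLE)
    for (ip, referer, agent), count in sources.most_common():
        print(f"{count:4d}  {ip}  referer={referer!r}  agent={agent!r}")
    print("response statuses:", dict(statuses))
```

Grouping by referer and user agent separates hits that come from one page or browser build from hits spread across unrelated clients, and the status tally shows how often the server answered these requests with an error response.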

0 Answers