I left Charles (web proxy debugger) running and waited for the re-direct again. I found the site that is originating the request to sponsor.adverstitial.com, it is ad.cpmaxads.com.
A request to that site goes out, then it brings back a lot of shady looking javascript/HTML mix with this in the middle:
{var v=Math.floor((Math.random()*100000));setTimeout(function(){try{window.top.location.href="http://sponsor.adverstitial.com/view/advertisement?loc="+v+"&adv="+p+"&camp="+o+"&w="+t+"&h="+B+"&rnd=4878995824626992114"}catch(d){}},2000)}}
The request to ad.cpmaxads.com from the web page was:
GET /audience/campaign?adid=2832800&cpid=657304&w=728&h=90&rn=1397433511&ct=http://clk.specificclick.net/click/v=5%3Bm=3%3Bl=12679%3Bc=657304%3Bb=2832800%3Bts=20140413195831%3Bui=9BHmMkGDmpd5VsqEQpYbPNeNVqvOhgeY_JYZTk4np7i31BriQpt2BAVz7vpcD5rKAI1kfLriLvqflWaNGuBRQA%3Bdct=
And the referring page was from Slashdot.org.
I'm pretty sure now this is specifically an advertisement that manages to force the whole page to load a new URL, as you can kind of make out from the Javascript - so at least it's not malware. I'm going to try setting a /etc/hosts entry as follows to block the origin of the offending Javascript:
0.0.0.0 sponsor.adverstitial.com
0.0.0.0 ad.cpmaxads.com
As it comes from advertising, this probably occurs for any other sites using that advertiser. If people are not comfortable editing /etc/hosts, you could also try installing an ad-blocker, and just blacklisting ad.cpmaxads.com if you didn't want the whole ad-block experience (I don't like how it slows things down and I do want to support sites I like with advertising revenue - as long as ads do not infuriate me be repaving the whole page...)
For those interested in the whole HTML/javascript block that comes back from ad.cpmaxads.com, it is:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta http-equiv="expires" content="0"><meta http-equiv="Pragma" content="no-cache"><meta http-equiv="cache-control" content="no-cache">
</head>
<body>
<div id="adarea" style="position:absolute; top:0px; left:0px; width:300px; height:250px;">
<!-- default -->
<!-- end default -->
</div>
<img src="http://s.viewalytics.com/t/e?p=52&t=7&ev=1&asrc=0&site=0&rnd=0" width=1 height=1 border=0 style="position:absolute; top:-4px;">
<script type="text/javascript">
function getParameterByName_fromURL(b,f){try{b=b.replace(/[\[]/,"\\[").replace(/[\]]/,"\\]");var a="[\\?&]"+b+"=([^&#]*)";var d=new RegExp(a);var c=d.exec(f);if(c==null){return""}else{return decodeURIComponent(c[1].replace(/\+/g," "))}}catch(g){return""}}var placement_oo="1";var placement_lo="1";(function(){function H(f,w){try{f=f.replace(/[\[]/,"\\[").replace(/[\]]/,"\\]");var d="[\\?&]"+f+"=([^&#]*)";var r=new RegExp(d);var h=r.exec(w);if(h==null){return""}else{return decodeURIComponent(h[1].replace(/\+/g," "))}}catch(J){return""}}function C(e,d){var f=document.getElementById("adarea");if(f){if((e==728)&(d==90)){f.style.width="728px";f.style.height="90px";f.innerHTML='<iframe width=728 height=90 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_728_90.html"></iframe>'}else{if((e==300)&(d==250)){f.style.width="300px";f.style.height="250px";f.innerHTML='<iframe width=300 height=250 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_300_250.html"></iframe>'}else{if((e==120)&(d==600)){f.style.width="120px";f.style.height="600px";f.innerHTML='<a href="http://www.stjude.org/moments?sc_cid=bnn103"><img src="http://ad.cpmaxads.com/audience/default/psa/120x600.gif" width="120" height="600" border="0"></a>'}else{if((e==160)&(d==600)){f.style.width="160px";f.style.height="600px";f.innerHTML='<iframe width=160 height=600 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_160_600.html"></iframe>'}else{f.style.width="300px";f.style.height="250px";f.innerHTML='<a href="http://www.stjude.org/moments?sc_cid=bnn102"><img src="http://ad.cpmaxads.com/audience/default/psa/300x250.gif" width="300" height="250" border="0"></a>'}}}}}}var p;var o;var t;var B;var l;try{p=H("adid",window.location.href)}catch(D){p=0}try{o=H("cpid",window.location.href)}catch(D){o=0}try{t=H("w",window.location.href)}catch(D){t=0}try{B=H("h",window.location.href)}catch(D){B=0}try{l=H("ct",window.location.href)}catch(D){l=""}C(t,B);function i(r,K,h){var J=new Array();J[0]="0";J[1]="0";J[2]="0";try{var d=r.indexOf(" ",K+h);if(d==-1){d=r.length}var f=r.substring(K+h,d);if(f.indexOf(".")>0){J=f.split(".");if(!J[0]){J[0]="0"}if(!J[1]){J[1]="0"}if(!J[2]){J[2]="0"}}}catch(w){}return J}var G=false;var b=0;var k=0;var c;try{c=navigator.userAgent;if(!c){c="unknown"}c=c.toLowerCase();if(c.indexOf("msie")>0){b=1}else{if(c.indexOf("chrome/")>0){b=2;G=true}else{if(c.indexOf("safari/")>0){b=3;G=true}else{if(c.indexOf("firefox/")>0){b=4;G=true}else{if(c.indexOf("trident/")>0){b=7;G=true}}}}}if(c.indexOf("windows")>0){k=1}else{if(c.indexOf("macintosh")>0){k=2}}}catch(D){}var s=0;try{if(b==1){var q=i(c,c.indexOf("msie"),5);s=Number(q[0]);if((s==8)||(s==9)||(s==10)){G=true}}}catch(D){}function j(){var f;try{if(typeof document.hidden!=="undefined"){f="hidden"}else{if(typeof document.mozHidden!=="undefined"){f="mozHidden"}else{if(typeof document.msHidden!=="undefined"){f="msHidden"}else{if(typeof document.webkitHidden!=="undefined"){f="webkitHidden"}}}}}catch(r){}var e=0;if(f){try{if(typeof document.addEventListener!="undefined"&&typeof f!="undefined"){if(document[f]){e=2}else{e=1}}}catch(h){e=0}}return e}var u="true";var a=j();if(!a){a=0}var m=false;try{var n=document.location.href;var g=document.referrer;if((n.indexOf("delta")>0)&&(n.indexOf(u)>0)){m=true}if((n.indexOf("11526")>0)||(n.indexOf("42823")>0)){m=true}if((g.indexOf("delta")>0)&&(g.indexOf(u)>0)){m=true}if((g.indexOf("11526")>0)||(g.indexOf("42823")>0)){m=true}}catch(E){}if((p>0)&&(o>0)&&(G==true)&&(a!=2)&&(k>0)){if(((t==728)&(B==90))||((t==300)&(B==250))||((t==120)&(B==600))||((t==160)&(B==600))){try{if((window.location.protocol=="http:")&&(m==false)){var v=Math.floor((Math.random()*100000));setTimeout(function(){try{window.top.location.href="http://sponsor.adverstitial.com/view/advertisement?loc="+v+"&adv="+p+"&camp="+o+"&w="+t+"&h="+B+"&rnd=4878995824626992114"}catch(d){}},2000)}}catch(E){}}else{}}else{var y=t;var x=B;if((a==2)&&(placement_oo=="1")){var I="http://ad.cpmaxads.com/audience/default/psa/default.swf?width="+y+"&height="+x+"&rn="+Math.round(Math.random()*100000000);var z=navigator.userAgent.toLowerCase();var A="";if((z)&&(z.indexOf("msie")<0)){A='<object style="position:absolute; top:0px; left:0px; display:block; line-height:0px; margin:0; padding:0;" id="defaulted_banner" name="defaulted_banner" type="application/x-shockwave-flash" data="'+I+'" width="1" height="1"><param name="movie" value="'+I+'"/><param name="quality" value="low"/><param name="bgcolor" value="#808080"/><param name="play" value="true"/><param name="loop" value="false"/><param name="wmode" value="window" /><param name="allowScriptAccess" value="always" /><param name="hasPriority" value="true"/></object>'}else{if(z){A='<object style="position:absolute; top:0px; left:0px; display:block; line-height:0px; margin:0; padding:0;" id="defaulted_banner" name="defaulted_banner" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1"><param name="movie" value="'+I+'"/><param name="quality" value="low"/><param name="bgcolor" value="#808080"/><param name="play" value="true"/><param name="loop" value="false"/><param name="wmode" value="window" /><param name="allowScriptAccess" value="always" /><param name="hasPriority" value="true"/></object>'}}if(A){var F=document.createElement("div");F.style.position="absolute";F.style.top="4px";F.style.left="4px";F.style.margin="0";F.style.padding="0";F.style.zIndex=2147483647;F.innerHTML=A;try{document.body.appendChild(F)}catch(E){}}}}})();
</script>
</body>
</html>
Best Answer
It's primarily a matter of parsing the output of
defaults read ~/Library/Safari/Extensions/extensions
and formatting it in a user-friendly way. The result actually answers both of your questions:Creating a shell script out of it is left as an exercise to the reader.
Please note that this will most probably stop to work if Apple decides to change the format of
~/Library/Safari/Extensions/extensions