Re: OT, but stil.
On Sep 4, 2014 5:04 PM, "Dave Watts" wrote:
> This is exactly how user scripts work. They are installed by the user
> in some fashion, and can control browser functionality. This is how
> online password managers work, how Greasemonkey works, etc, etc, etc.
> If a user installs malware, of course that malware can do this sort of
> thing. There's nothing magically sacrosanct in HTTP or HTML to prevent
> this sort of thing.

A Content Security Policy that blocks inline scripts will block some local malware too. It may for instance block bookmarklets, but not Greasemonkey.

Jochem

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359240
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: OT, but stil...
>>If you do find a way to detect all scripts running on a page I would be very interested in seeing how it works. At least you could then inform the user that there are unwanted processes running in the browser.

I'm working on that, maybe not for all visitors, but at least for administrators on my customers' sites, because the consequences of an attack are greater.

So far I'm considering two approaches:
1. find all
Re: OT, but stil...
> I can understand that a plugin can run a script when a page is loaded, but it
> is absolutely stupid this script can be part
> of the page and have all privileges granted to the user after a legitimate
> authentication. The script could run by itself, but
> have no access to the DOM and not be able to read or define cookies from the
> original domain.

Well, that's the way user scripts work, and how they've always worked. I'm not sure what to tell you beyond that. That's the whole point of user scripts - to have access to the DOM, etc. Greasemonkey has been around since 2005. And this approach follows the basic model of the web itself - in the beginning, the intent was for users to control the appearance of logical formatting tags (h1, etc) with local style configurations.

The problem you're having is the basic problem that the user's own machine has to be accepted as trustworthy. If that isn't the case, all bets are off.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
RE: OT, but stil...
>> is absolutely stupid this script can be part of the page and have all privileges
>> granted to the user after a legitimate authentication.

Not when you consider that the script was added to YOUR page even before the browser renders it. Think of it like a proxy in that the proxy added the (unwanted) scripts before it passed it to the actual browser rendering and scripting engine. To the browser it looks like your site sent it. This is one of the ways the Russian hackers accumulated over a billion credentials.

Believe me, I share your concern which is why I never login to any of my accounts from an unknown browser or PC. The alternative is to go off like Gene Hackman's character in The Conversation.

If you do find a way to detect all scripts running on a page I would be very interested in seeing how it works. At least you could then inform the user that there are unwanted processes running in the browser.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com
RE: OT, but stil...
Yeah... I'd do it myself if I could get good wireless :D

-Original Message-
From: Claude Schnéegans

> >close up shop and move to a cabin in Montana
>
> That's the best suggestion I got on that matter ;-)
Re: OT, but stil...
>>There's nothing magically sacrosanct in HTTP or HTML to prevent this sort of thing.

You're right, but as a developer, I have to modify my code every day, because every day comes up a new version in which something has been cancelled or disabled, like accessing the clipboard by Javascript, or such function because "it was too dangerous", and here I discover that anyone can have a script run in my page just as if I wrote it myself :-(

I can understand that a plugin can run a script when a page is loaded, but it is absolutely stupid this script can be part of the page and have all privileges granted to the user after a legitimate authentication. The script could run by itself, but have no access to the DOM and not be able to read or define cookies from the original domain.
Re: OT, but stil...
>>close up shop and move to a cabin in Montana

That's the best suggestion I got on that matter ;-)
Re: OT, but stil...
> >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that
> this code is embedded and is treated as if it belonged to my window.
> Thus, it has access to everything in my window, including the document,
> forms, input fields in the forms, even those containing passwords, etc.
>
> What kind of breach is that?

This is exactly how user scripts work. They are installed by the user in some fashion, and can control browser functionality. This is how online password managers work, how Greasemonkey works, etc, etc, etc. If a user installs malware, of course that malware can do this sort of thing. There's nothing magically sacrosanct in HTTP or HTML to prevent this sort of thing.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
RE: OT, but stil...
Claude,

There is literally nothing (not a single thing) that is "off limits" on the client side. You cannot trust or believe the browser is in any way shape or form a secure environment and you must assume that things like cookies can and will be hacked and experimented with. This is why it is important that variables be tied to temporary entities on the client side (like expiring session cookies) as you mention below.

Beyond that your conclusions are correct and scary - but the alternative is probably to close up shop and move to a cabin in Montana :)

-Mark

-Original Message-
From: Claude Schnéegans

> >They don't call it Malware for nothing
>
> Ok, but if a malware does "mal" to a moron client side, in a pinch, this is not our problem, but if it can get passwords so easily, it can also do mal to any server any time.
>
> I just got one tonight that allows itself to define cookies under MY domain! If it can store cookies, it can also read cookies, including session cookies! With the session Id, it does not even need the password.
>
> I'd like to detect all pieces of javascript code defined in a document and check if they are mine. I was thinking of document.getElementsByTagName, but I'm not even sure all parasite code will actually have a
Re: OT, but stil...
>>They don't call it Malware for nothing

Ok, but if a malware does "mal" to a moron client side, in a pinch, this is not our problem, but if it can get passwords so easily, it can also do mal to any server any time.

I just got one tonight that allows itself to define cookies under MY domain! If it can store cookies, it can also read cookies, including session cookies! With the session Id, it does not even need the password.

I'd like to detect all pieces of javascript code defined in a document and check if they are mine. I was thinking of document.getElementsByTagName, but I'm not even sure all parasite code will actually have a
Re: OT, but stil...
They don't call it Malware for nothing :-)

On Wed, Sep 3, 2014 at 8:11 PM, <> wrote:
> >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that
> this code is embedded and is treated as if it belonged to my window.
> Thus, it has access to everything in my window, including the document,
> forms, input fields in the forms, even those containing passwords, etc.
>
> What kind of breach is that?
Re: OT, but stil...
>>so it becomes a part of the client side page request "against your will" as it were.

Yes, but this raises a question:
If my window.onerror can get events from some plugin code, this means that this code is embedded and is treated as if it belonged to my window. Thus, it has access to everything in my window, including the document, forms, input fields in the forms, even those containing passwords, etc.

What kind of breach is that?
Re: OT, but stil...
>>"against your will" as it were.

Indeed, so I'm considering adding some tests in my "bad bot" detector based on some strings seen in javascript errors. Maybe there is also a way to get the list of all scripts in a page, I'll dig into that.

>>I think your idea is excellent though - a way to trap client side errors and tease them out and correct them. Nicely done.

Thanks, I've already corrected a couple of bugs.
RE: OT, but stil...
Claude,

I think that perfectnavigator is an adware (some would say malware) that runs on browser execution - so it becomes a part of the client side page request "against your will" as it were.

I think your idea is excellent though - a way to trap client side errors and tease them out and correct them. Nicely done.

-Mark

-Original Message-
From: Claude Schnéegans

> https://in2.perfectnavigator.com/injectScripts/index.php?id=Pj8sNyM
> Message : Script error.
> User agent : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
>
> How come this code at in2.perfectnavigator.com (which is not on my server) can be executed from one of my pages, or at least the error event reported to one of my pages ?
>
> How about this one from Madagascar?
>
> Template : http://www.youradexchange.com/script/java.php?option=rotateur
> Message : Script error.
> User agent : Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101 Firefox/31.0
> IP = 197.149.47.173
> pays = Madagascar
>
> Template : http://www.myDomain.com/
> line : 418
> Message : 'JSON' is undefined
> User agent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; chromeframe/32.0.1700.107; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)
>
> This one is in my code, but there is no Javascript at line 418 and JSON is never used anywhere.
>
> Ah! This one is in my code, very handy to know where to look at when there is a problem on a Mac and you don't have a Mac.
>
> Template : http://www.myDomain.org/commun/customTags/textEditor/popupresize.js
> ligne : 72
> Message : TypeError: 'undefined' is not a function (evaluating 'Number(frameObject.width)')
> User agent : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2
Re: OT, but stil...
> How come this code at in2.perfectnavigator.com (which is not on my server)
> can be executed from one
> of my pages, or at least the error event reported to one of my pages ?

Users can choose to run their own scripts, or install plugins that run scripts for them. This is pretty common. The in2.perfectnavigator.com is an ad-server script of some sort.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
OT, but stil...
This is not really CF related, but since this list is mainly read by Web developers, I thought it could be interesting anyway.

First, let me say that my system logs CF execution errors in a database with many details that help a lot to clean my code. However it does not trap Javascript errors on the client side, and with so many types of browsers, in many versions and each one with parameters that the user can de-activate without even knowing what the parameter is intended for, the developer can never be sure his code will run correctly in any circumstance.

Now, thanks to window.onerror, I just developed a Javascript error tracker able to ajax some information to my server, including the url where the error occurred, the line number, stack, etc. and there it is: I even get errors in code which is not mine! It seems that some code which is not on my server runs somewhere in the client browser and causes errors I can trap!

Some examples:

Stack : TypeError: Argument or incorrect procedure at _watcherReady (Unknown script code:5:13)
User agent : Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko

... there is no string like "watcherReady" anywhere in my code.

Template : https://in2.perfectnavigator.com/injectScripts/index.php?id=Pj8sNyM
Message : Script error.
User agent : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

How come this code at in2.perfectnavigator.com (which is not on my server) can be executed from one of my pages, or at least the error event reported to one of my pages ?

How about this one from Madagascar?

Template : http://www.youradexchange.com/script/java.php?option=rotateur
Message : Script error.
User agent : Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101 Firefox/31.0
IP = 197.149.47.173
pays = Madagascar

Template : http://www.myDomain.com/
line : 418
Message : 'JSON' is undefined
User agent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; chromeframe/32.0.1700.107; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)

This one is in my code, but there is no Javascript at line 418 and JSON is never used anywhere.

Ah! This one is in my code, very handy to know where to look at when there is a problem on a Mac and you don't have a Mac.

Template : http://www.myDomain.org/commun/customTags/textEditor/popupresize.js
ligne : 72
Message : TypeError: 'undefined' is not a function (evaluating 'Number(frameObject.width)')
User agent : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2
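As an added example (not code from this thread or from any poster), here is a window.onerror reporter in the spirit of the tracker described above, together with the "list all scripts in the page and check if they are mine" idea raised later in the thread: each report is tagged by the origin of the script that raised it, so errors from scripts the site never shipped stand out in the server log. The first-party origin list, the report shape and the `/jsErrorLog.cfm` endpoint are assumptions made for this example.

```javascript
// Added example, not code from the thread: a window.onerror reporter that tags
// each error by the origin of the script that raised it, so reports from scripts
// the site never shipped (injected ad scripts, adware) stand out in the log.
// The origin list, report shape and endpoint are assumptions for this example.
const FIRST_PARTY_ORIGINS = ["http://www.mydomain.com", "http://www.mydomain.org"];

// Origin of a script URL, or null when it is not an absolute URL
// (e.g. "Unknown script code", which browsers use for injected/eval'd code).
function scriptOrigin(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Classify one report as "first-party", "third-party" or "unknown".
// Caveat: for a cross-origin script served without CORS headers the browser
// reports only "Script error." and no usable location, hence "unknown".
function classifyErrorReport(report, allowed = FIRST_PARTY_ORIGINS) {
  const origin = scriptOrigin(report.url || "");
  if (origin === null) return "unknown";
  return allowed.includes(origin) ? "first-party" : "third-party";
}

// Inventory of <script> elements, passed as {src, text} objects so the check
// also runs outside a browser; returns the src of every foreign-origin script.
// Caveat: user scripts (Greasemonkey-style) never show up as <script> elements,
// so an empty result does not prove the page runs only its own code.
function foreignScripts(scripts, allowed = FIRST_PARTY_ORIGINS) {
  return scripts
    .filter((s) => s.src && !allowed.includes(scriptOrigin(s.src)))
    .map((s) => s.src);
}

// Browser hookup: install the window.onerror trap and ship reports to the
// server. Returns false outside a browser (no window object).
function installErrorReporter(endpoint = "/jsErrorLog.cfm") {
  if (typeof window === "undefined") return false;
  window.onerror = function (message, url, line, col, error) {
    const report = { message, url, line, col,
      stack: error && error.stack, userAgent: navigator.userAgent };
    report.kind = classifyErrorReport(report);
    // sendBeacon still delivers while the page is being unloaded
    navigator.sendBeacon(endpoint, JSON.stringify(report));
    return false; // let the browser log the error to the console as well
  };
  return true;
}

// Constructed sample reports, modelled on the ones quoted in the thread.
const SAMPLE_REPORTS = [
  { url: "https://in2.perfectnavigator.com/injectScripts/index.php?id=Pj8sNyM", message: "Script error." },
  { url: "http://www.youradexchange.com/script/java.php?option=rotateur", message: "Script error." },
  { url: "http://www.myDomain.org/commun/customTags/textEditor/popupresize.js", message: "TypeError" },
  { url: "Unknown script code", message: "TypeError: Argument or incorrect procedure" },
];
```

In a page, call `installErrorReporter()` once at the top of the document; to inventory live scripts, pass `Array.from(document.scripts)` to `foreignScripts`, since each element already exposes an absolute `src`.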