javascript eval v.s. browser console tampering, in terms of security differences - javascript

Is there anything different in what you can do with eval v.s. what you can do in the browser developer console? is it not safer to use eval, as at least, your code evaluates the user input in a certain context, and, it can also log (and scan) the input prior to execution....

Browser console and eval() are two different things...
in my opinion can't be compared just like that.
Browser console its built into browser (and as it, it's browser specific javascript interpreter)
Lets you execute code besides many other things.
firefox The Web Console: Logs information associated with a web page: any network requests,
JavaScript, CSS, security errors and warnings as well as error,
warning and informational messages explicitly logged by JavaScript
code running in the page context Enables you to interact with a web
page by executing JavaScript expressions in the context of the page.
*The Browser Console is like the Web Console, but applied to the whole
browser rather than a single content tab.
google-chrome The Chrome DevTools Console panel is your focal point for direct
interaction with a page in real time. The Console lets you use
standard JavaScript statements and Console-specific commands while a
page is live in the browser to help you debug the page. View
diagnostic messages, display both raw and structured data, control and
filter output, examine and modify page elements, measure execution
time, and more.
eval() its a javascript method
The eval() method evaluates JavaScript code represented as a string.
So yes, there's a BIG difference between them and what you can do...
...but most important is how you do it.
Now, you ask about security implications with both "options", but I think this is too ambiguous in the way you pose the question, could be user specific answer depending on how we interpret about what you're trying to clarify..
I believe you will need to clarify/elaborate a little more your question and give us some real examples of what you're after.
or maybe not, and this mini explanation is enough to clarify your doubt

I guess using eval within your code runs in the context where eval is being called in your code, whereas the developer console can only access globals, and hence can only access your code-as-written but not necessarily live data created by its execution, but am not sure about that nor about loopholes.

Related

Can a browser's dev console continue executing JavaSript after a new page loads?

I'm trying to automate some online work through JavaScript and the Firefox (or Chrome) dev console. The work is mostly inputting the same (or similar) data on the same exact pages for many many people.
Example:
unique id
date 1 and 2
some more numbers
I wrote a very simple script that runs in the console and enters the data just fine.
The Problem
My script stops execution whenever it requires the page to reload or it loads another page. I cannot find any information on how to continue executing a script after a page has loaded.
My Limitations
I'm basically limited to what's on FireFox, Chrome, or Edge. Unfortunately, I cannot download any programs or tools that would make the automation any easier right now. Otherwise, I would just use Selenium and Python.
What I've Tried
First I tried to use the script that I describe above (simple DOM manipulation)
Then I tried to use the Selenium browser add-on, but I had to enter a starting URL for it to run. Selenium was not able to get past the login page of our system which is the only static URL that I can use as a starting point.
I then tried to use the Firefox Browser Console (different from the dev console) because the documentation seemed to suggest that I can use JavaScript on the entire browser (not just one tab). Unfortunately, I cannot find any helpful information on how to use the browser console for DOM manipulation. Everything that I search for points to how you create a browser extension, add-on, or how to use JavaScript on your own website.
What I Want To Do
I want to create a script that runs in a dev console. The script should take all of the data either from a separate page or an array then enter the data on each page for each person. I'll also have it prompt the user to verify the data before submission.
What I'm Looking For
What I'm hoping to get from this question is at least one three things.
An answer to the question's title.
Being directed to documentation or some other solution that can solve any of the above problems.
Being told if this is impossible and why by those who have more experience than me (I don't understand if the problem is just a lack of knowledge or limitations on the tools themselves.)
I think you can create a chrome extension and put your code in the background service worker. or use workers read this link

Debugging error message: "A script on this page is causing Internet Explorer to run slowly"

One of my users is intermittently getting a dialog in IE 8 that says:
A script on this page is causing Internet Explorer to run slowly
This problem has been reported numerous times in the MSDN forums and other places on the web. For example:
http://social.msdn.microsoft.com/Forums/ie/en-US/0fdb7550-0a59-4553-a90e-1958475f2ce5/how-to-debug-a-script-on-this-page-is-causing-internet-explorer-to-run-slowly?forum=iewebdevelopment
http://social.msdn.microsoft.com/Forums/ie/en-US/dafffdd8-a390-4a3c-a904-867acaec298e/error-message-a-script-on-this-page-is-causing-internet-explorer-to-run-slowly-for-ie8?forum=whatforum
http://social.msdn.microsoft.com/Forums/ie/en-US/e9d16d2a-60e1-4d6f-8f80-0d981eab3a2e/a-script-on-this-page-is-causing-your-web-browser-to-run-slowly?forum=bingmapsajax
So, this question is a duplicate of those and many others. But it is an intentional duplicate, because I don't think any of those questions were answered in a way that helps a user (developer) to determine precisely what in his scenario causes the dialog to appear.
I know that based on this page:
http://support.microsoft.com/kb/175500
the dialog appears when a certain number of statements have executed since a new script begins execution (through a variety of means). By default the number of statements is 5,000,000 but this is configurable via a registry entry.
The general prescription to this problem is a combination of:
Write less code. Unfortunately, this is not always possible.
Use web workers. This is not an option for IE before IE 10, nor with
some mobile browsers.
Use setTimeOut, setInterval, event handlers, etc to break the
script(s) up. This is a legitimate strategy across all browsers.
So, I understand what the problem is in general terms, and I understand what the options are to solve the problem, again in general terms. The question is, how to determine what area(s) of the code are causing the dialog to appear for a specific user? Often this problem occurs with a very large code base (including third party libraries), so a manual review of the code base without some tooling support is not feasible.
Most browsers, including IE8 and later, have profiling tools that enable the developer to determine JavaScript CPU usage. With the exception of IE, other browsers decide a script is long running not based on the numbers of statements executed but rather the amount of time the script spent executing. To this end, the profilers available in (or as add ons) to the browsers can identify the percentage and usually raw time spent executing a function, both inclusively and exclusively for a function, and the results can be sorted accordingly. IE's profiler will also give you a count of how often a function is called. None of these profilers tell you how many statements of code within a function were executed during profiling; they tell you only how long was spent in the function and how many times the function was called. This doesn't help with IE's slow script dialog logic, which is based on the number of statements (not time) that were executed. There is sometimes a correlation between the time spent executing a function and the number of statements, but it is not a reliable relationship as of course different types of statements can take very different lengths of times to execute (e.g. many native JavaScript functions are faster than calls which update the DOM; both have the same statement count but the former executes faster than the latter, making examining %/raw time not very useful).
One approach I've used that is of some value is when the slow script dialog appears, start the debugger in IE (if not already started) and select the break on next statement command in the debugger. Then click the dialog button in the browser that allows the slow script to continue executing. At this point, the debugger is invoked and the developer can examine the call stack to determine what is executing at the time the slow script dialog appears. This is okay, but a very manual approach and there's no guarantee there aren't multiple scripts running that can at different times invoke the dialog.
An interesting idea I've seen suggested is to use a JavaScript code coverage tool to instrument the code base. There are multiple JavaScript code coverage options out there, but the ease of use of a browser extension that could dynamically instrument the code seems like an ideal solution. (Another interesting idea is to use a proxy server, for example http://siliconforks.com/jscoverage/manual.html; 'jscoverage --server --proxy', but I couldn't get this to work on virtually any website, except the the silicon forks website itself). There's a proof of concept one available for Chrome (http://googletesting.blogspot.ca/2011/10/scriptcover-makes-javascript-coverage.html) that I think could be a great start for helping resolve the the slow script problem -- if such an extension could be made for IE.
So, to reiterate my main question is what tools/processes can one use to debug/analyze a slow script dialog appearing on a user's machine? A subquestion would be, does anyone know of any JavaScript code analysis tools that could be repurposed to help in diagnosing the slow script dialog in IE, and that takes minimal deployment effort? Can an IE extension be written, in theory, that does the sort of code coverage as the Google' script cover extension does?
Thank you,
Notre
In the old times JavaScript was not used that much. Pages used to me more static. These days the PC's were less powered and it was more popular to run complex tasks on the server. JavaScript was only used for some animations.
Microsoft (my way or no way) took their time to acknowledge heavily JavaScript-ed content. (They were also fiddling with their JScript in IE8). Until IE9 they were considering that running > 5 000 000 instruction in a script is a potential mistake.
I'm not aware of any tool that retrieves the instructions count. It's a browser build in feature.
But most of the browsers retrieve the execution time of a function. I know that in every different computer, same number of instructions can take different times, but you can set a benchmark.
Run a script with 5 000 000 instructions on the machine and see how long it takes to run. Then use that time to benchmark your other JavaScript. It's not 100 % accurate but it can became close once you fiddle with it.
Since old IE developer tools are quite poor you can use some third party one. A ussage example here:
deep-tracing-of-internet-explorer
Anyway, the “A script on this page is causing your computer to run slow ...” is only a problem in IE4 - IE8. Since those browsers are obsolete, so should this question be.

Is there any difference in JavaScript injection and bookmarklet?

As per the Wikipedia article on Bookmarklets (http://en.wikipedia.org/wiki/Bookmarklet), the concept of Bookmarklets is:
Web browsers use URIs for the href attribute of the tag and for
bookmarks. The URI scheme, such as http:, file:, or ftp:, specifies
the protocol and the format for the rest of the string. Browsers also
implement a prefix javascript: that to a parser is just like any other
URI. Internally, the browser sees that the specified protocol is
javascript, treats the rest of the string as a JavaScript application
which is then executed, and uses the resulting string as the new
page.
It says that the resulting string is used as the new page. So does that mean the original DOM that browser has is not affected by that string? But then how can I change or inject new DOM elements in the existing DOM if only the resulting string is used as a new page? Because script to alert Hello or to inject some new DOM element doesn't really return anything. They kinda work on the existing DOM.
Now, in internet explorer, apart from using Bookmarklets to execute some JavaScript on the page, I can write a BHO plugin and inject it in the following way:
document = (HTMLDocument)webBrowser.Document;
var injectedJS = System.IO.File.ReadAllText("InjectedJS.js");
var window = document.parentWindow;
window.execScript("(function(){ " + injectedJS + " })()");
Similarly in chrome, I can write an extension to achieve the same thing:
var s = document.createElement('script');
s.src = chrome.extension.getURL("script.js");
s.onload = function() {
this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);
How are these different?
The high level questions that I have are:
Do these three approaches execute the JavaScript code in different environments?
Is there any limitation to one of them that another one doesn't have?
Is there any difference in the way the result of the execution is presented to the user or is reflected back in browser?
Is there any difference at all between the terms "JavaScript Injection" and "Bookmarklets"? Though I believe JavaScript Injection is an effect and Bookmarklets are a way to achieve that, BHO and Chrome extensions being another.
If assumption in 4 is correct, is there any difference in the way JavaScript is executed using BHO's execScript method or using javascript: protocol in a browser?
1. Do these three approaches execute the javascript code in different environments?
All of these three methods execute JavaScript code in the context of the page. When these methods are compared with each other, you can say that the JavaScript code is executed in the same environment.
Content scripts (Chrome/Opera/Firefox/Safari) run in an environment that is isolated from the web page, so looking from that perspective, the environment is indeed different.
BHOs are a tad different, because unlike the other extension platforms, the extension's language is not JavaScript, but C++, C#, ... The JavaScript code cannot directly access the BHO's native code (unless you implement such a thing yourself), so the environment is certainly "different".
2. Is there any limitation to one of them that another one doesn't have?
Bookmarklets are javascript:... URLs, and nothing more. Browser extensions can directly perform cross-origin HTTP requests, access persistent site-independent storage, etc. If you want to get similar features in a bookmarklet, you need to use an external web service.
Bookmarklets can only be active when they are manually activated by a user. Whether this is an advantage or disadvantage depends on your situation.
The maximum size of a bookmarklet is restricted by the maximum URL length, which is rather small. This limitation can be circumvented by inserting a <script src> tag in the document. The script has to be loaded first, so the execution of the code is delayed.
Bookmarklets can be used in almost every web browser, including the ones on phones and tablets (Chrome extensions can only be used in, well, desktop Chromium browsers).
3. Is there any difference in the way the result of the execution is presented to the user or is reflected back in browser?
No. In all cases, you're running code in the context of the current page. In theory, a page can replace all built-in methods (e.g. Function.prototype.call, String.prototype.replace, ..), and interfere or abuse the functionality of your script.
Possibly worth noting: The Crossrider and Kango extension frameworks implement the "content script" feature for Internet Explorer in a way that is similar to these three methods. This implies that pages can be crafted in such a way that they detect IE plugins written using these frameworks, intercept the API declaration and abuse their features.
4. Is there any difference at all between the terms "Javascript Injection" and "Bookmarklets"? Though I believe Javascript Injection is an effect and Bookmarklets are a way to achieve that, BHO and Chrome extensions being another.
There is no conceptual difference between a bookmarklet and "injected script". There are some practical differences, explained at section 2 of this answer.
(by "injected script", I assume you're referring to this method I coined the term to distinguish between the types of scripts in the Chrome extensions. Opera 12- and Safari both use this term for "content scripts").
5. If assumption in 4 is correct, is there any difference in the way javascript is executed using BHO's execScript method or using javascript: protocol in a browser?
Besides the previously mentioned differences, no.

Can outside developers access closure variables during runtime?

Essentially I want to store a variable in the client that I don't want people viewing or changing.
In the following code example:
(function () {
var foo = 'bar';
})();
Can anybody use tools or the browser to access and/or (more importantly) change the value of foo? Links to more information or tools that might do this would be appreciated. I'll be researching more in the mean time.
Thanks in advance
Yes they can modify the values of foo. As a general rule, if you don't want the client to manipulate the value, don't give them access to it (I.e. put user id's or this type of information in the DOM or client side). You may have to do a bit of state management research, encrypted cookies, sessions or if you're using ASP.NET the ViewState/ViewBag etc.
It is possible to inject javascript into any page, and from there you can manipulate every javascript object/variable on the page. Therefore any data that the javascript is receiving should be encrypted (if security is your concern).
To give you a little hint, try open your developer tools. In chrome, Control-Shift-I. Click the scripts tab, then you will see all the variables the scripts is using. It is possible to double-click anywhere within the script and add/remove pieces of code.
F.Y.I if you are using Firefox, I highly recommend Firebug. It surpasses chrome's dev tools, but I find chrome faster.. At least on my slow laptop (Ubuntu FTW).
Hope this helped

How to run a script embedded in the page in Selenium IDE?

I'm testing a page with Selenium IDE and want to execute a method already in the page. I've tried getEval(window.name.space.function()) but it just returns window.name is undefined. Is this possible?
There is a getCurrentWindow() function which for unfathomable reasons only allows you to access "safe" properties (what is this supposed to protect against? people maliciously doing drive-by testing of other people's website?). Newer versions offer a getUserWindow() function that solves those issues. See this blog entry and this issue for details.

Categories