From: VK on 8 Nov 2009 05:22

It is in continuation of my post at
http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503

"the old maskon and demaskonizing problems, see for instance my old post from 2007:
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0

Given a situation with a malicious script that shadows (maskonizes) window.XMLHttpRequest with its own object that fully emulates the native one plus sends copies of each data input to a 3rd party server. Until the malicious library is fully removed from any wide use, our emergency security patch has to ensure that each new XMLHttpRequest is based on the default vendor's constructor and not on some 3rd party runtime maskon. On detecting a maskonized environment the security patch first tries to get the access to the real constructor; if it's not possible on the given platform then warn the user and break the code execution."

It seems to me it might be a very useful learning curb about Global, window, their differences and their per platform peculiarities.

For people who are not aware about the maskon problem a little sample to work with:

var _XHR_ = window.XMLHttpRequest;
window.XMLHttpRequest = function() {
  // Return patched _XHR_
  // or XHR emulation over hidden iframe
  // or many other options, of course
  // with maskons for all documented
  // properties and methods of the real
  // XHR for the given platforms.
  // Here simply fooling the constructor
  // behavior for the sake of brevity:
  var maskon = new _XHR_;
  maskon._take_the_red_pill_ = true;
  return maskon;
}

var a = new window.XMLHttpRequest;
var b = new window.XMLHttpRequest;
window.alert(a); // XMLHttpRequest
window.alert(a == b); // false
window.alert(a._take_the_red_pill_); // true
</script>

P.S. Browser producers did their best to leave us as unprotected as possible against it, especially IE with its intentionally broken [delete] functionality. Yet the remedy is possible and can be found - but a better one might be suggested.

P.P.S. Back in 2007 some "regulars" suggested that red and other pills show my preoccupation with drugs... For the possible sorry beings who have not seen the "Matrix" movie yet: "red pill" refers to the pill Neo had to take to leave the virtual world for the real one.

From: Stevo on 8 Nov 2009 13:49

VK wrote:
> It is in continuation of my post at
> http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503
>
> "the old maskon and demaskonizing problems, see for instance my old
> post from 2007:
> http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0

You mean the possible problem of someone hijacking XMLHttpRequest? Nobody's calling this maskonizing.

> Given a situation with a malicious script that shadows (maskonizes)

http://en.wikipedia.org/wiki/Maskon

There's already a perfectly good word that applies to function/object hijacking and it's called hijacking.

From: David Mark on 8 Nov 2009 13:55

On Nov 8, 5:22 am, VK <schools_r...(a)yahoo.com> wrote:
> It is in continuation of my post at

[snip old post]

>
> "the old maskon and demaskonizing problems, see for instance my old
> post from 2007:

[snip another old post]

>
> Given a situation with a malicious script that shadows (maskonizes)

Will you please stop making up words?

> window.XMLHttpRequest with its own object that fully emulates the
> native one plus sends copies of each data input to a 3rd party server.

I'd love to see you try. ;)

> Until the malicious library is fully removed from any wide use, our
> emergency security patch has to ensure that each new XMLHttpRequest is
> based on the default vendor's constructor and not on some 3rd party
> runtime maskon.

What's a default vendor?

> On detecting a maskonized environment the security
> patch first tries to get the access to the real constructor; if it's
> not possible on the given platform then warn the user and break the
> code execution."

Pure fantasy.

>
> It seems to me it might be a very useful learning curb about Global,
> window, their differences and their per platform peculiarities.

Not time to curb your learning yet.

> For people who are not aware about the maskon problem a little sample
> to work with:

Oh brother.

>
> var _XHR_ = window.XMLHttpRequest;
> window.XMLHttpRequest = function() {
>   // Return patched _XHR_
>   // or XHR emulation over hidden iframe
>   // or many other options, of course
>   // with maskons for all documented
>   // properties and methods of the real
>   // XHR for the given platforms.
>   // Here simply fooling the constructor
>   // behavior for the sake of brevity:
>   var maskon = new _XHR_;
>   maskon._take_the_red_pill_ = true;
>   return maskon;
>
> }
>
> var a = new window.XMLHttpRequest;
> var b = new window.XMLHttpRequest;
> window.alert(a); // XMLHttpRequest
> window.alert(a == b); // false
> window.alert(a._take_the_red_pill_); // true

Congratulations. You augmented a host object with a useless property.

> </script>
>
> P.S. Browser producers did their best to leave us as unprotected as
> possible against it, especially IE with its intentionally broken
> [delete] functionality.

What spec says it's broken?

> Yet the remedy is possible and can be found -
> but a better one might be suggested.

I suggest you drop it.

>
> P.P.S. Back in 2007 some "regulars" suggested that red and other pills
> show my preoccupation with drugs... For the possible sorry beings who
> have not seen the "Matrix" movie yet: "red pill" refers to the pill Neo
> had to take to leave the virtual world for the real one.

We are through the looking glass now.

From: VK on 8 Nov 2009 14:22

Stevo wrote:
> There's already a perfectly good word that applies to function/object
> hijacking and it's called hijacking.

Now - possibly yes in some environments. Back in 2006 on the congress it was called "subverting":
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

Same time (2006) I called it "maskon", "maskonizing" and it is called so in my environment. Rather often same thing is called differently in different companies and there is a good reason for it, not really related with programming issues. You may call it in your version - if you decide to post - "hijacking", "object spoofing", "object substitution" or however you like: it is irrelevant to the technical matter.

From: VK on 8 Nov 2009 14:29

> > Given a situation with a malicious script that shadows (maskonizes)
>
> Will you please stop making up words?

See my answer to Stevo.

> > window.XMLHttpRequest with its own object that fully emulates the
> > native one plus sends copies of each data input to a 3rd party server.
>
> I'd love to see you try. ;)

Nothing to try here, it is a trivia. The question is to detect and to repair (where possible).

> > Until the malicious library is fully removed from any wide use, our
> > emergency security patch has to ensure that each new XMLHttpRequest is
> > based on the default vendor's constructor and not on some 3rd party
> > runtime maskon.
>
> What's a default vendor?

"default vendor's constructor"

> > On detecting a maskonized environment the security
> > patch first tries to get the access to the real constructor; if it's
> > not possible on the given platform then warn the user and break the
> > code execution."
>
> Pure fantasy.

Pure fantasy is what? This way of "hijacking" or a possibility to have a code dealing with it? Please be more specific with your comments.

> > It seems to me it might be a very useful learning curb about Global,
> > window, their differences and their per platform peculiarities.
>
> Not time to curb your learning yet.

That's a pity.

> > For people who are not aware about the maskon problem a little sample
> > to work with:
>
> Oh brother.
>
> > var _XHR_ = window.XMLHttpRequest;
> > window.XMLHttpRequest = function() {
> >   // Return patched _XHR_
> >   // or XHR emulation over hidden iframe
> >   // or many other options, of course
> >   // with maskons for all documented
> >   // properties and methods of the real
> >   // XHR for the given platforms.
> >   // Here simply fooling the constructor
> >   // behavior for the sake of brevity:
> >   var maskon = new _XHR_;
> >   maskon._take_the_red_pill_ = true;
> >   return maskon;
> >
> > }
> >
> > var a = new window.XMLHttpRequest;
> > var b = new window.XMLHttpRequest;
> > window.alert(a); // XMLHttpRequest
> > window.alert(a == b); // false
> > window.alert(a._take_the_red_pill_); // true
>
> Congratulations. You augmented a host object with a useless property.

OK, if pretending to be stupid is your game in this group, I am not helping you to play it.
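
The detect, recover or stop sequence described in the first post, sketched as an added example that is not part of any poster's message. The names `isNativeFunction`, `resolveConstructor` and `pristineWin` are hypothetical, and it assumes an engine where native constructors are functions that print as `[native code]`.

```javascript
// Added example. Capture the engine's Function.prototype.toString as early as
// possible: a script that ran before this one could already have replaced it,
// in which case no in-page check can be trusted.
const nativeToString = Function.prototype.toString;

// True only if fn prints as the engine's own "function <name>() { [native code] }".
// Using .call() ignores a toString property planted on the wrapper itself, and
// requiring the name rejects bound functions, which print without one.
function isNativeFunction(fn, name) {
  if (typeof fn !== "function") return false;
  const src = nativeToString.call(fn).replace(/\s+/g, " ").trim();
  return src === "function " + name + "() { [native code] }";
}

// win: the global being checked. pristineWin (assumption): a second global the
// caller trusts, such as the contentWindow of a newly created same-origin iframe.
// Status "blocked" is the "warn the user and break the code execution" branch.
function resolveConstructor(win, name, pristineWin) {
  if (isNativeFunction(win[name], name)) {
    return { status: "native", ctor: win[name] };
  }
  const clean = pristineWin ? pristineWin[name] : undefined;
  if (isNativeFunction(clean, name)) {
    return { status: "recovered", ctor: clean };
  }
  return { status: "blocked", ctor: null };
}

// Constructed stand-ins so this runs outside a browser: Date plays the vendor
// constructor, and the wrapper mirrors the sample posted in the thread.
function demo() {
  const vendor = Date;
  const shadowed = {
    Date: function () {
      const maskon = new vendor();
      maskon._take_the_red_pill_ = true;
      return maskon;
    },
  };
  return [
    resolveConstructor({ Date: vendor }, "Date").status,
    resolveConstructor(shadowed, "Date", { Date: vendor }).status,
    resolveConstructor(shadowed, "Date").status,
  ];
}

console.log(demo().join(", "));
```

In a page the call would be `resolveConstructor(window, "XMLHttpRequest", frame.contentWindow)`, and the result is only as trustworthy as the point at which this script loaded relative to the one being checked for.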