The ingenuity of these exploits will never cease to amaze me.
I've found a few in my time, but nothing ever this cunning.
I once figured out that an auction site had a bug allowing a small snippet of HTML in their usernames. I changed my username so that when I bid on an item and my username was displayed on the page it hid the bid button so that no-one else could bid and I won every item for the minimum bid. That didn't last long. I got banned and got a very amusing letter in the mail from the managing director saying "Nice try, old chap."
Someone was trying to register an account on AliExpress. They were getting a message saying their last name was a banned word; I didn't ever figure out why it was banned. Perhaps because I could tell that the check was happening dynamically via JavaScript, I took a chance and opened up the browser dev tools. Nerd sniping accomplished. After some digging, I determined that the check was only being enforced client-side. I figured out what I needed to run in the console and/or change in the code to disable it, did so, and we were able to register the account.
I walked away shaking my head that it was even possible for me to do that. Also with an appreciation for how powerful the built-in dev tools are in modern browsers.
I try to do that all the time to disable or modify annoying JS features but it's so hard now that everybody minimizes their libraries. Any tips to deal with this?
Often you can think of how the code you want to stop probably works and then bypass it a different way.
Change the id/classes on the element that code applies to.
Make a copy of the elements, delete the original, and insert the copy. Then reimplement any JS that's actually needed yourself. Use fetch API if you need an original version of the HTML before JS.
Override getters/setters of properties on elements/nodes. The offending JS can make all the calls it wants but that doesn't matter if you control what the calls do. (Or similar redefinition/extension/hooking of base JS classes).
Web 2.0/widespread use of closures/minification/libraries like React made userscripting a lot more work. It was nice when you could easily hook/wrap anything :(
For those who didn't read the article and wondering why you would use svg fonts which are supported only in safari vs the usual technique of woff which is supported everywhere,its because svg allows bypassing csp restrictions if its embedded in same document.
I'm personally kind of surprised that you can have font-src: 'none' in csp, but still allow specifying an svg font as #foo to load from same document without violating csp. I kind of thought you'd need 'self' or something. data: is already banned by this type of policy.
10 comments
[ 3692 ms ] story [ 140 ms ] threadI've found a few in my time, but nothing ever this cunning.
I once figured out that an auction site had a bug allowing a small snippet of HTML in their usernames. I changed my username so that when I bid on an item and my username was displayed on the page it hid the bid button so that no-one else could bid and I won every item for the minimum bid. That didn't last long. I got banned and got a very amusing letter in the mail from the managing director saying "Nice try, old chap."
Someone was trying to register an account on AliExpress. They were getting a message saying their last name was a banned word; I didn't ever figure out why it was banned. Perhaps because I could tell that the check was happening dynamically via JavaScript, I took a chance and opened up the browser dev tools. Nerd sniping accomplished. After some digging, I determined that the check was only being enforced client-side. I figured out what I needed to run in the console and/or change in the code to disable it, did so, and we were able to register the account.
I walked away shaking my head that it was even possible for me to do that. Also with an appreciation for how powerful the built-in dev tools are in modern browsers.
Change the id/classes on the element that code applies to.
Make a copy of the elements, delete the original, and insert the copy. Then reimplement any JS that's actually needed yourself. Use fetch API if you need an original version of the HTML before JS.
Override getters/setters of properties on elements/nodes. The offending JS can make all the calls it wants but that doesn't matter if you control what the calls do. (Or similar redefinition/extension/hooking of base JS classes).
Web 2.0/widespread use of closures/minification/libraries like React made userscripting a lot more work. It was nice when you could easily hook/wrap anything :(
[0]: https://addons.mozilla.org/en-US/firefox/addon/ditm/
I'm personally kind of surprised that you can have font-src: 'none' in csp, but still allow specifying an svg font as #foo to load from same document without violating csp. I kind of thought you'd need 'self' or something. data: is already banned by this type of policy.