I seem to remember trying this (passing {scope:'/'} in the register call), and it doesn't work. Some googling seems to agree: "Service Workers are restricted by the path of the Service Worker script unless the…
ServiceWorkers are scoped to the basename of the path they are served from, so you could only intercept a small subset of all possible CDN URLs. In the example, this would be resources under `/hads-ak-xat1/t45.1600-2/`.…
I mucked with this a while back. You can dump all your passwords over the websocket pretty easily (provided your 1password is unlocked): https://gist.github.com/joevennix/438782cbe447e86f2506 It would be more…
Out of curiosity, did you actually replace the Browser app, or did you just install a new one? If the stock Browser is still installed, you may consider the fact that it can probably be launched from Chrome with a…
> If I want to style my button, I set some properties on the button. You cannot be serious. A 1000+ line long setup() method that creates a ton of one-off elements, sets a million properties, and saves them all as…
> Yes, there is more memory available than before, but that doesn't mean we should just waste it for useless stuff. I disagree. I think the point is that it's not useless, by its own existence. It saves dev time (which…
Obligatory: http://jsfiddle.net/jrxvw1yd/ Compiled through emscripten to build a JS interpreter in a browser... at only 1.5MB!
> Apple wants to relegate websites to second-class status on their popular computers, and exercises viewpoint censorship on what “apps” they allow in their “app store”. I don't remember it that way all. Does anyone…
Can you list some native UI controls that you'd like to use but can't recreate in HTML? I am writing a similar framework and would like to know the use-cases for doing this. Edit: besides Window and Menu, of course
/bin/sh depends on the system. It might be busybox or a minimal shell (this is common on embedded devices). On some systems like OSX and I think CentOS /bin/sh is just bash. You can check with `/bin/sh --version`.
My understanding is that Chrome replaced Webkit in WebView's internal implementation in 4.4, so the bug should never appear in 4.4.
I didn't test back this far; I should have, it's about 10% of android users. I tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since you can get remote code execution easily through the…
I don't know the exact location, but it is probably somewhere in the webview tree, since it affects apps that embed webviews as well: https://android.googlesource.com/platform/frameworks/base/+/...
I wish I had tested this sooner, but yes, Webview is vulnerable (use document.write(document.domain) instead of alert() to test). So afaict apps that embed webview/ads on < 4.4 are at risk.
Actually X-Frame-Options does not save you here. There is a BYPASS_XFO datastore option in the module that turns this into a one-click exploit. This allows the attack to work against sites with the XFO header.
> I guess as a developer you would be using Canary Chrome vs. Nightly Firefox, to get the latest Not always. As a developer I use the latest stable Firefox, since that's what I can recommend to my users.
Wow, this just makes me love America's Test Kitchen even harder. Edit: and it's served from a statically-generated jekyll blog that is on their github page. Did I mention they have a github account. Very random and…
To be fair, there is a large disclaimer: > I'd like to start this post with a disclaimer: I don't know much about creating accessible websites.
It's still a much, much safer model than Firefox's Add-ons.
http://lcamtuf.coredump.cx/clickit/
Unfortunately x-frame-options does not always fix these kinds of problems. If you can get the user to click more than once on your page, you can open a tab in the background on the first click (google for popunder.js),…
Heh. I clicked a few before I realized what was going on (looking at the status bar shows the link, which somewhat gives it away). You could prevent this by adding mouseover/out and onclick logic that removed the :href…
Nah, you just set target="iframe name" on the form and post into a (hidden) iframe. Then in 2 seconds you redirect to LinkedIn. In my experience, getting clicks from targets is easy. One simple way is to show a page…
Not really. Depending on the protocol CSRFs are often an easy 1-click exploit on noscript-enabled browsers. Something like this: <form enctype='text/plain' method=post action='http://192.168.1.1/vulnerable'> <input…
There is no advantage. In fact, it's more annoying when you're debugging, since you don't get the fn name in the trace.
I seem to remember trying this (passing {scope:'/'} in the register call), and it doesn't work. Some googling seems to agree: "Service Workers are restricted by the path of the Service Worker script unless the…
ServiceWorkers are scoped to the basename of the path they are served from, so you could only intercept a small subset of all possible CDN URLs. In the example, this would be resources under `/hads-ak-xat1/t45.1600-2/`.…
I mucked with this a while back. You can dump all your passwords over the websocket pretty easily (provided your 1password is unlocked): https://gist.github.com/joevennix/438782cbe447e86f2506 It would be more…
Out of curiosity, did you actually replace the Browser app, or did you just install a new one? If the stock Browser is still installed, you may consider the fact that it can probably be launched from Chrome with a…
> If I want to style my button, I set some properties on the button. You cannot be serious. A 1000+ line long setup() method that creates a ton of one-off elements, sets a million properties, and saves them all as…
> Yes, there is more memory available than before, but that doesn't mean we should just waste it for useless stuff. I disagree. I think the point is that it's not useless, by its own existence. It saves dev time (which…
Obligatory: http://jsfiddle.net/jrxvw1yd/ Compiled through emscripten to build a JS interpreter in a browser... at only 1.5MB!
> Apple wants to relegate websites to second-class status on their popular computers, and exercises viewpoint censorship on what “apps” they allow in their “app store”. I don't remember it that way all. Does anyone…
Can you list some native UI controls that you'd like to use but can't recreate in HTML? I am writing a similar framework and would like to know the use-cases for doing this. Edit: besides Window and Menu, of course
/bin/sh depends on the system. It might be busybox or a minimal shell (this is common on embedded devices). On some systems like OSX and I think CentOS /bin/sh is just bash. You can check with `/bin/sh --version`.
My understanding is that Chrome replaced Webkit in WebView's internal implementation in 4.4, so the bug should never appear in 4.4.
I didn't test back this far; I should have, it's about 10% of android users. I tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since you can get remote code execution easily through the…
I don't know the exact location, but it is probably somewhere in the webview tree, since it affects apps that embed webviews as well: https://android.googlesource.com/platform/frameworks/base/+/...
I wish I had tested this sooner, but yes, Webview is vulnerable (use document.write(document.domain) instead of alert() to test). So afaict apps that embed webview/ads on < 4.4 are at risk.
Actually X-Frame-Options does not save you here. There is a BYPASS_XFO datastore option in the module that turns this into a one-click exploit. This allows the attack to work against sites with the XFO header.
> I guess as a developer you would be using Canary Chrome vs. Nightly Firefox, to get the latest Not always. As a developer I use the latest stable Firefox, since that's what I can recommend to my users.
Wow, this just makes me love America's Test Kitchen even harder. Edit: and it's served from a statically-generated jekyll blog that is on their github page. Did I mention they have a github account. Very random and…
To be fair, there is a large disclaimer: > I'd like to start this post with a disclaimer: I don't know much about creating accessible websites.
It's still a much, much safer model than Firefox's Add-ons.
http://lcamtuf.coredump.cx/clickit/
Unfortunately x-frame-options does not always fix these kinds of problems. If you can get the user to click more than once on your page, you can open a tab in the background on the first click (google for popunder.js),…
Heh. I clicked a few before I realized what was going on (looking at the status bar shows the link, which somewhat gives it away). You could prevent this by adding mouseover/out and onclick logic that removed the :href…
Nah, you just set target="iframe name" on the form and post into a (hidden) iframe. Then in 2 seconds you redirect to LinkedIn. In my experience, getting clicks from targets is easy. One simple way is to show a page…
Not really. Depending on the protocol CSRFs are often an easy 1-click exploit on noscript-enabled browsers. Something like this: <form enctype='text/plain' method=post action='http://192.168.1.1/vulnerable'> <input…
There is no advantage. In fact, it's more annoying when you're debugging, since you don't get the fn name in the trace.