Re: OT, but stil.

2014-09-04 Thread Jochem van Dieten

On Sep 4, 2014 5:04 PM, "Dave Watts" wrote:
> This is exactly how user scripts work. They are installed by the user
> in some fashion, and can control browser functionality. This is how
> online password managers work, how Greasemonkey works, etc, etc, etc.
> If a user installs malware, of course that malware can do this sort of
> thing. There's nothing magically sacrosanct in HTTP or HTML to prevent
> this sort of thing.

A Content Security Policy that blocks inline scripts will block some local
malware too. It may for instance block bookmarklets, but not Greasemonkey.

Jochem


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359240
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
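
An added example, not part of the original message: a policy of the kind Jochem describes, which refuses inline script, together with triage of the violation reports a browser sends when it blocks something. The `/csp-report` path, the origins and the sample reports are constructed for illustration.

```javascript
// Added example: endpoint path, origins and sample reports are constructed.
// With script-src limited to 'self', inline <script> blocks, on* handlers and
// javascript: URLs are refused, and each refusal is reported to REPORT_PATH.
const REPORT_PATH = '/csp-report'; // hypothetical same-site endpoint
const POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  `report-uri ${REPORT_PATH}`,
].join('; ');

// Classify one report body as a browser POSTs it to the report-uri.
function triageReport(body, ownOrigin) {
  let r = null;
  try { r = JSON.parse(body)['csp-report']; } catch (e) { /* malformed */ }
  if (!r || typeof r !== 'object') return { kind: 'malformed' };
  const directive = String(r['effective-directive'] || r['violated-directive'] || '');
  if (!directive.startsWith('script-src')) return { kind: 'not-script', directive };
  const page = String(r['document-uri'] || '');
  const blocked = String(r['blocked-uri'] || '');
  // Inline violations carry 'inline' or, from older browsers, an empty value.
  if (blocked === '' || blocked === 'inline') return { kind: 'inline-script', page };
  let origin = blocked; // may be a bare scheme rather than a full URL
  try { origin = new URL(blocked).origin; } catch (e) { /* keep raw value */ }
  return { kind: origin === ownOrigin ? 'own-origin' : 'foreign-script', page, origin };
}

// Count findings per kind and page for an administrator to review.
function summarize(bodies, ownOrigin) {
  const counts = {};
  for (const body of bodies) {
    const t = triageReport(body, ownOrigin);
    const key = `${t.kind} ${t.page || '-'}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

const SAMPLE_REPORTS = [ // constructed
  { 'csp-report': { 'document-uri': 'https://app.example.test/admin',
    'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://app.example.test/admin',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'https://cdn.example.net/x.js' } },
].map((r) => JSON.stringify(r)).concat(['not json']);

console.log(POLICY);
console.log(summarize(SAMPLE_REPORTS, 'https://app.example.test'));
```

Reports cover only what the browser refused under the policy; as the message above says, Greasemonkey-style user scripts are not blocked, so they produce no report.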


Re: OT, but stil...

2014-09-04 Thread Claude Schnéegans

 >>If you do find a way to detect all scripts running on a page I would be very
interested in seeing how it works.  At least you could then inform the user
that there are unwanted processes running in the browser.

I'm working on that, maybe not for all visitors, but at least for 
administrators on my customers' sites, because the consequences of an attack are 
greater.
So far I'm considering two approaches:
1. find all 

Re: OT, but stil...

2014-09-04 Thread Dave Watts

> I can understand that a plugin can run a script when a page is loaded, but it 
> is absolutely stupid this script can be part
> of the page and have all privileges granted to the user after a legitimate 
> authentication. The script could run by itself, but
> have no access to the DOM and not be able to read or define cookies from the 
> original domain.

Well, that's the way user scripts work, and how they've always worked.
I'm not sure what to tell you beyond that. That's the whole point of
user scripts - to have access to the DOM, etc. Greasemonkey has been
around since 2005.

And this approach follows the basic model of the web itself - in the
beginning, the intent was for users to control the appearance of
logical formatting tags (h1, etc) with local style configurations.

The problem you're having is the basic problem that the user's own
machine has to be accepted as trustworthy. If that isn't the case, all
bets are off.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359238


RE: OT, but stil...

2014-09-04 Thread UXB

>> is absolutely stupid this script can be part of the page and have all
privileges 
>> granted to the user after a legitimate authentication.

Not when you consider that the script was added to YOUR page even before the
browser renders it.  Think of it like a proxy in that the proxy added the
(unwanted) scripts before it passed it to the actual browser rendering and
scripting engine.  To the browser it looks like your site sent it.  This is
one of the ways the Russian hackers accumulated over a billion credentials.

Believe me, I share your concern, which is why I never log in to any of my
accounts from an unknown browser or PC.  The alternative is to go off like
Gene Hackman's character in The Conversation.

If you do find a way to detect all scripts running on a page I would be very
interested in seeing how it works.  At least you could then inform the user
that there are unwanted processes running in the browser.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com



Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359237
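
The check asked about above, as an added example that is not part of the original message: it walks `getElementsByTagName('script')` and flags script elements whose origin or inline text the site does not recognise. The function names, the allowlists and the stand-in document are constructed for illustration.

```javascript
// Added example. `doc` is anything with getElementsByTagName (a browser
// document, or the constructed stand-in below); the allowlists are assumptions.
function auditScripts(doc, pageUrl, allowedOrigins, knownInline) {
  const findings = [];
  Array.from(doc.getElementsByTagName('script')).forEach((el, index) => {
    const src = el.getAttribute('src');
    if (src === null || src === '') {
      const text = (el.textContent || '').trim();
      if (text !== '' && !knownInline.has(text)) {
        findings.push({ index, kind: 'unknown-inline', detail: text.slice(0, 60) });
      }
      return;
    }
    let url;
    try { url = new URL(src, pageUrl); } catch (e) {
      findings.push({ index, kind: 'unparsable-src', detail: src });
      return;
    }
    // data:, blob: and similar URLs have no network origin to allowlist.
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      findings.push({ index, kind: 'non-http-src', detail: url.protocol });
    } else if (!allowedOrigins.has(url.origin)) {
      findings.push({ index, kind: 'foreign-origin', detail: url.origin });
    }
  });
  return findings;
}

// Constructed stand-in for a DOM so the check also runs outside a browser.
function fakeDoc(scripts) {
  const nodes = scripts.map((s) => ({
    getAttribute: (name) => (name === 'src' && s.src !== undefined ? s.src : null),
    textContent: s.text || '',
  }));
  return { getElementsByTagName: (tag) => (tag === 'script' ? nodes : []) };
}

const SAMPLE_DOC = fakeDoc([ // constructed page contents
  { src: '/js/app.js' },
  { text: 'initApp();' },
  { src: 'https://cdn.example.net/inject.js' },
  { text: 'document.title = "x";' },
]);

console.log(auditScripts(SAMPLE_DOC, 'https://app.example.test/admin',
  new Set(['https://app.example.test']), new Set(['initApp();'])));
```

Treat the result as a lower bound: a script can remove its own element once it has run, and extension or user-script code need not appear as a `<script>` element at all.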


Re: struct not recognized as such

2014-09-04 Thread Phillip Vector

You know, for a ColdFusion Developer who has been in this business for 15
years, you sure do ask questions that you really should know by now.

Order_Info_Struct is not a structure when it's being passed. Find out why.


On Thu, Sep 4, 2014 at 1:26 PM, Matthew Smith  wrote:

>
>  The ORDER_INFO_STRUCT argument passed to the show_payment_method function
> is not of type struct.
>
> Shows as such though:
>
> struct ATTRIBUTES_SCOPE structCFID51604885 CFTOKEN6319 FUSEACTION
> SECUREORDERAPP.orderreview PayerIDL7DMX2AYUGYYG SHOW_CHANGES0
> SUPPRESSLAYOUT
> 1 onRequestStarttrue tokenEC-8MT53877XA8883547
> Regards,
> chedder is bedder
>
>
> 

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359236


struct not recognized as such

2014-09-04 Thread Matthew Smith

 The ORDER_INFO_STRUCT argument passed to the show_payment_method function
is not of type struct.

Shows as such though:

struct ATTRIBUTES_SCOPE structCFID51604885 CFTOKEN6319 FUSEACTION
SECUREORDERAPP.orderreview PayerIDL7DMX2AYUGYYG SHOW_CHANGES0 SUPPRESSLAYOUT
1 onRequestStarttrue tokenEC-8MT53877XA8883547
Regards,
chedder is bedder


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359235


RE: OT, but stil...

2014-09-04 Thread Mark A Kruger

Yeah... I'd do it myself if I could get good wireless :D

-Original Message-
From: Claude Schnéegans

>close up shop and move to a cabin in Montana

That's the best suggestion I got on that matter ;-)




Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359234


Re: OT, but stil...

2014-09-04 Thread Claude Schnéegans

 >>There's nothing magically sacrosanct in HTTP or HTML to prevent
this sort of thing.

You're right, but as a developer, I have to modify my code every day, because 
every day comes up a new version in which something has been cancelled or 
disabled, like accessing the clipboard by Javascript, or such function because 
"it was too dangerous", and here I discover that anyone can have a script run 
in my page just like if I wrote it myself :-(

I can understand that a plugin can run a script when a page is loaded, but it 
is absolutely stupid this script can be part of the page and have all 
privileges granted to the user after a legitimate authentication. The script 
could run by itself, but have no access to the DOM and not be able to read or 
define cookies from the original domain.


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359233


Re: OT, but stil...

2014-09-04 Thread Claude Schnéegans

 >>close up shop and move to a cabin in Montana

That's the best suggestion I got on that matter ;-)


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359232


Re: OT, but stil...

2014-09-04 Thread Dave Watts

>  >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that 
> this code is embedded and is treated as if it belonged to my window.
> Thus, it has access to everything in my window, including the document, 
> forms, input fields in the forms, even those containing passwords, etc.
>
> What kind of breach is that?

This is exactly how user scripts work. They are installed by the user
in some fashion, and can control browser functionality. This is how
online password managers work, how Greasemonkey works, etc, etc, etc.
If a user installs malware, of course that malware can do this sort of
thing. There's nothing magically sacrosanct in HTTP or HTML to prevent
this sort of thing.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359231


RE: OT, but stil...

2014-09-04 Thread Mark A Kruger

Claude,

There is literally nothing (not a single thing) that is "off limits" on the
client side. You cannot trust or believe the browser is in any way shape or
form a secure environment and you must assume that things like cookies can
and will be hacked and experimented with. This is why it is important that
variables be tied to temporary entities on the client side (like expiring
session cookies) as you mention below. Beyond that your conclusions are
correct and scary - but the alternative is probably to close up shop and
move to a cabin in Montana :)

-Mark


-Original Message-
From: Claude Schnéegans

>They don't call it Malware for nothing

Ok, but if a malware does "mal" to a moron client side, in a pinch, this is
not our problem, but if it can get passwords so easily, it can also do mal
to any server any time.
I just got one tonight that allows itself to define cookies under MY domain!
If it can store cookies, it can also read cookies, including session
cookies!
With the session Id, it does not even need the password.

I'd like to detect all pieces of javascript code defined in a document and
check if they are mine.
I was thinking of document.getElementsByTagName, but I'm not even sure all
parasite code will actually have a