A notch above a monkey

Laughable Javascript security

Building a secure web application is not easy, and once you also load 3rd party code such as Facebook’s Like widget it becomes impossible. What you have is just an illusion of security: a door to abuse that you can’t even check is currently closed.

Or that’s what I thought for years. A once substantiated belief that grew into an almost dogmatic certainty until I recently got a chance to revisit it when trying to design a secure Javascript-based web application living inside of a likely untrusted environment.

There are obvious things you can do to protect your application, such as delivery over secure connections and use of anonymous functions to sandbox your code from outside interference. However, you will probably need to interact with external code at some point, and then: is that XMLHttpRequest object you are using really the built-in one, or has it been replaced (cloaked) with an impostor object that performs a man-in-the-middle attack?

I don’t know of a way to check whether an object is untouched. What is sometimes used instead is the .toString method, which on functions and methods returns their source, unless they are native to the browser, in which case it returns a string saying so.

Since you can replace any attribute and method on any object, some go even further in search of certainty and call .toString from Function.prototype directly (Function.prototype.toString.call(fn)) instead of the possibly replaced fn.toString.

At first thought that looked clever until I came up with:

  <!DOCTYPE HTML>
  <html lang="en">
  <head>
  <meta charset="UTF-8">
  <title>Break check if function is native</title>
  </head>
  <body>
  <script>
  (function () {
    // Keep the genuine toString and the text it produces for the genuine postMessage.
    var toS = Function.prototype.toString,
        pM_str = window.postMessage.toString();
    // Replace Function.prototype.toString with one that reports the native text
    // whenever it is asked about (the soon to be replaced) window.postMessage,
    // and behaves normally for every other function.
    Function.prototype.toString = function () {
      return this === window.postMessage ? pM_str : toS.call(this);
    };
    // Replace postMessage itself; both fn.toString() and
    // Function.prototype.toString.call(fn) will still claim it is native.
    window.postMessage = function () { console.log('Fake'); };
  })();
  </script>
  </body>
  </html>

Download this code: /code/nativecheck.txt

The code above replaces Function’s .toString method with one that lies when executed on the also cloaked window.postMessage. Instead of displaying the source of the new postMessage it prints whatever the browser would print for the original one.

It simultaneously demonstrates how you can cloak native Javascript objects and hide that you are doing it. If you put malicious code into an anonymous function and remove the <script> node that added it after it gets executed, then there is no way for scripts loading later to know that it happened. There will be no traces of the crime.
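To see what the two native-checks from the text are actually worth, here is an added example (my own code, not from the original post) that runs under Node as well as in a browser. It stands in Math.max for window.postMessage, because Math.max is a real native function in every engine and postMessage does not exist outside a browser; the helper names cloak, looksNativeByMethod, looksNativeByPrototype and runDemo are mine. It shows that both checks are fooled by the cloak, that the only thing that still tells the impostor apart is identity comparison against a reference captured before the cloak ran, and that this particular cloak leaves one tell: Function.prototype.toString itself no longer reports native code.

```javascript
'use strict';

// The two checks an application might use to decide whether a function is
// the engine's own: the method on the function, and Function.prototype's.
function looksNativeByMethod(fn) {
  return /\[native code\]/.test(fn.toString());
}
function looksNativeByPrototype(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// cloak(): replace holder[name] with impostor and teach
// Function.prototype.toString to report the original's text whenever it is
// asked about the impostor. Returns an undo function so the demo leaves the
// environment as it found it. (Helper name is my own, not the post's.)
function cloak(holder, name, impostor) {
  const original = holder[name];
  const originalToString = Function.prototype.toString;
  const originalText = originalToString.call(original);
  Function.prototype.toString = function () {
    return this === impostor ? originalText : originalToString.call(this);
  };
  holder[name] = impostor;
  return function undo() {
    Function.prototype.toString = originalToString;
    holder[name] = original;
  };
}

// Constructed demo: Math.max stands in for window.postMessage.
function runDemo() {
  const calls = [];
  // A reference captured *before* any third party code ran is the only
  // thing the cloak cannot forge.
  const genuineMax = Math.max;
  const impostor = function (...args) {
    calls.push(args);               // the "man in the middle" sees every call
    return genuineMax(...args);     // and forwards it so nothing looks broken
  };

  const undo = cloak(Math, 'max', impostor);
  const result = {
    byMethod: looksNativeByMethod(Math.max),        // fooled
    byPrototype: looksNativeByPrototype(Math.max),  // fooled as well
    isGenuine: Math.max === genuineMax,             // identity check still works
    // Tell left by this cloak: the patched toString is itself non-native.
    toStringLooksNative: /\[native code\]/.test(
      Function.prototype.toString.call(Function.prototype.toString)),
    value: Math.max(1, 5, 3),
    observedCalls: calls.length,
  };
  undo();
  result.restored = Math.max === genuineMax;
  return result;
}

console.log(runDemo());
```

The identity check only helps if the genuine reference was saved before any untrusted script executed, and the remaining tell is not a defense either: a cloak that also answers "native" for Function.prototype.toString itself closes it, which is exactly the author's point that a script loading later cannot know what happened before it.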

It might be difficult to cloak literals like {} and [], but you certainly can cloak their methods, so even if your code is wrapped in an anonymous function it isn’t really secured from outside peeking and poking. Hence you can’t even trust your own code.

Turns out that this particular dogma is also true. Depressing.

Adieu mes amis

When I write here I mostly do it for me and I mean that in an almost literal sense. My readers were quiet and few. They were also mostly Google Reader users or at least that’s how I imagined them. I certainly was.

Greader’s shutdown meant forgotten accounts would be wiped out together with ghostly presence of their long gone owners. Those still around would be looking for a new reading home and may have seen this as a good time for late spring feed pruning.

I wanted to say goodbye before they did, but got my timing horribly wrong. I delayed too long, until the server running this website died. By the time it was up again, Greader wasn’t anymore.

Sometimes you get to the station too late. The train has left and goodbyes remain unsaid. But then I remember I never actually knew if anybody would be on that train. So nothing really changed.

Prism

Only brains twisted in a pretzel can be completely fine with sweeping lightly-overseen secret surveillance of society, but feel personal freedoms are tyrannically trampled when soda cups are limited to sizes smaller than a bucket or when city bikes are introduced.

Whoever thinks losing privacy is fine because he has nothing to hide, is either seriously lacking imagination, an idiot or both.