Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Browser plugin scanner
Posted by: beaule
Date: January 31, 2007 03:52AM

Hello all,
i'm reading this site every day and it's very interesting.
But i've found no topic about Browser plugin scanner (like skype web toolbar).
The plugin scans the content of the page and replace some peace of code with another
(for example a phone number by the phone and the name of the user from the skype database)

How can we avoid this kind of plugin by modifying the code of applications?

Options: ReplyQuote
Re: Browser plugin scanner
Posted by: beaule
Date: February 01, 2007 02:46AM

(Re)hello,
After some reflection, a protection for this kind of problem can be:
1) Some IE, firefox plugin scan the content of your web page and modify it
(for example skype which replace phone number in a page by a skype link)
2) Of course there is no real security issue(because it's skype) but skype replaces, sometimes, account numbers in financial application!!!
The financial application seems to be not secure for novice users!!!!
3) This kind of plugin change the DOM of your page, so a solution can be:
- Server side encoding of the web page (on server side)
- Javascript encoding of the webpage and compare the Hash
- if hash are differents, alert to the user : "A plugin in your navigator accesses and modifies your page!!!"

Another approach?
(The problem is the hash in javascript is very slow...)
Thanks all

Options: ReplyQuote
Re: Browser plugin scanner
Posted by: trev
Date: February 01, 2007 07:34AM

JavaScript doesn't have access to the source code of the page, only the DOM. So the only thing you can run a checksum function on is serialized DOM. But you don't have any guarantees about how the serialized DOM will look like - e.g. it might use single or double quotes, it might put the type attribute before the value attribute or the other way around and so on. Even if you serialize the DOM yourself using JavaScript there will be differences because e.g. Internet Explorer has a very different (non-standard) implementation of attributes. For example, if the user enters something in a text field in Internet Explorer it changes the value attribute - something that will be reported as a modification. To sum it up: that won't work.

But you could try using mutation events (http://www.w3.org/TR/DOM-Level-3-Events/events.html#Events-eventgroupings-mutationevents). That won't work in Internet Explorer but other browsers will tell you reliably when the DOM of your document is being modified.

Options: ReplyQuote
Re: Browser plugin scanner
Posted by: beaule
Date: February 01, 2007 08:08AM

Thanks very much for your response...
I've tried this kind of things but IE is used most of the time...

Do you know other solution to avoid a IE plugin or a firefox extension to modify my document? (browser settings, ?? ..)

I think browser do not allow plugin or extension to modify https web pages...?

Maybe i miss something but i don't understand why nobody on the internet is speaking about this king of problem?

Many financial or commercial website would have the same problem...

Options: ReplyQuote


Sorry, only registered users may post in this forum.