Modifying client-side scripts
-
Doing homework for an information security course, and there is something I'm not sure of that interests me. Is it possible to modify a script sent from a web server, which then executes on the client's machine? Specifically a sort of login script.
-
You can modify the script in transit on a proxy, or amend it via user scripts in the browser. Not sure which you're looking for?
-
I do this all the time because websites are dumb. Firefox's Web Developer tools allow you to modify any HTML, CSS, JavaScript executing in the browser. There are some websites where I have to re-enable pasting on password fields to support KeePass (specifically the ones that do username and password on separate web pages), and I actually had to disable client-side validation completely on the USPS website to get it to accept my birthdate as valid when I did my change of address form. And occasionally I use it to remove "Please turn off your adblocker" popups on news sites so I can read without getting ad-ed to death.
-
@mott555 said in Modifying client-side scripts:
Firefox's Web Developer tools allow you to modify any HTML, CSS, JavaScript executing in the browser.
Ah yes, that's what I thought!
-
@mott555 said in Modifying client-side scripts:
I actually had to disable client-side validation completely on the USPS website to get it to accept my birthdate as valid
Is your birthday Smarch 32nd?
-
@hungrier said in Modifying client-side scripts:
@mott555 said in Modifying client-side scripts:
I actually had to disable client-side validation completely on the USPS website to get it to accept my birthdate as valid
Is your birthday Smarch 32nd?
USPS probably doesn't believe people live that long
-
@hungrier said in Modifying client-side scripts:
@mott555 said in Modifying client-side scripts:
I actually had to disable client-side validation completely on the USPS website to get it to accept my birthdate as valid
Is your birthday Smarch 32nd?
There was nothing wrong with my birthday. Their date field validation was Bad Code™ and cleared out the date before attempting to validate it, causing it to fail because it was a required field. I removed the bit that emptied the textbox and then everything worked just fine.
-
@Erufael said in Modifying client-side scripts:
homework
At least you're honest with your "plz send teh codes" post. =)
If you want fine grained control, you can use dev tools, debugging and skipping lines. The usual programming.
You can also override the functions completely. Take this for example:
<script>
function DoStupidValidation() {
  // Compare the text typed into the box, not the element object itself
  if (document.getElementById("idiot").value == "idiot") {
    return true;
  } else {
    alert("you have to type idiot to continue because lol.");
    return false;
  }
}
</script>
Type idiot in this box to continue because of stupid reasons: <br />
<input type='text' name='idiot' id='idiot' /> <br />
<input type='submit' onclick='javascript:return DoStupidValidation()' value='Ok I Am An Idiot' />
Well, I don't want to type idiot. So I can do this:
DoStupidValidation = function(){return true;};
-
@Lorne-Kates said in Modifying client-side scripts:
At least you're honest with your "plz send teh codes" post.
lol Well. Now that I actually submitted the thing, the question was about Bob wanting to protect stuff on his site with a password, so he used a client side script sent from the web server, and would that protect it or not and why. I thought it was possible to modify a script like that client side, and looks like I was correct. :D
-
@Erufael Why even modify things? If you send your password to the client, you lose by default. You might as well paste it in h1 on your frontpage.
-
@Kuro I assume the question writer meant that it took an input from the client and compared the input on the server. But yeah, that's... Wow.
-
@Kuro said in Modifying client-side scripts:
@Erufael Why even modify things? If you send your password to the client, you lose by default. You might as well paste it in h1 on your frontpage.
I've seen people try to send a pre-hashed password from the client to the server...
Which really just means that they don't hash the passwords they store in the database.
-
@Erufael said in Modifying client-side scripts:
the question was about Bob wanting to protect stuff on his site with a password, so he used a client side script sent from the web server, and would that protect it or not and why. I thought it was possible to modify a script like that client side, and looks like I was correct.
Bob is an idiot. Post his IP address, and we'll let him know why.
-
<form onsubmit='return checkPassword()'>
...
<script type='text/javascript'>
function checkPassword() {
  return document.getElementById("password").value == "hunter2";
}
</script>
I'll leave it up as an exercise to the reader to decide if login.php contains a hardcoded "hunter2", or <?php echo getAdminPassword(); ?>.
And yes, I promise you, it's .php
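The server-side counterpart to the checkPassword() snippet above and to the earlier remark about pre-hashed passwords, as an added example that is not part of the original posts: the page sent to the browser holds no secret, and the server hashes and compares the submitted password itself. The names `users`, `verifyLogin` and `handleLoginRequest`, the in-memory store and the choice of scrypt are assumptions made for illustration.

```javascript
// Added example (Node.js standard library only), not code from the thread.
const crypto = require('node:crypto');

// Store a per-user random salt and the scrypt output, never the password.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample account store; a real site keeps this in a database.
const users = new Map([['bob', makeRecord('hunter2')]]);

// Dummy record so an unknown username costs the same work as a known one.
const dummy = makeRecord(crypto.randomBytes(16).toString('hex'));

// The server receives what the user typed (over TLS) and hashes it here.
// A value that was hashed on the client would itself be the credential,
// so the stored hash must never be accepted as proof of identity.
function verifyLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') {
    return false;
  }
  const rec = users.get(username) || dummy;
  const candidate = crypto.scryptSync(password, rec.salt, 32);
  // Constant-time comparison of two 32-byte buffers.
  const match = crypto.timingSafeEqual(candidate, rec.hash);
  return match && users.has(username);
}

// Whatever the client-side script does or is changed to do, access is
// decided only here, on data the client cannot read or rewrite.
function handleLoginRequest(body) {
  if (verifyLogin(body.username, body.password)) {
    return { status: 200, session: crypto.randomBytes(32).toString('hex') };
  }
  return { status: 401 };
}
```

Submitting the stored hash in place of the password fails, because the server hashes whatever it receives before comparing.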
-
@Lorne-Kates said in Modifying client-side scripts:
<form onsubmit='return checkPassword()'>
...
<script type='text/javascript'>
function checkPassword() {
  return document.getElementById("password").value == "hunter2";
}
</script>
I'll leave it up as an exercise to the reader to decide if login.php contains a hardcoded "hunter2", or <?php echo getAdminPassword(); ?>.
And yes, I promise you, it's .php
HTML5 supports that natively without the need for JavaScript: