December 08, 2007

You really think that can stop me? Another example of secuity through obscurity which is futile.

So the last few nights I have been doing a bit of research on AJAX UX, where I came across a site that I found interesting. I went to "View Source" to see how they were doing something and the darn thing wouldn't let me, with some progammer's brain drain of a secure method to prevent that action. This annoyed me a bit and I decided to figure out what was going on.

This sort of protection shows why security by obscurity is a poor security safeguard. It takes very little to bypass it. Especially since this is code on the client side being rendered. I could of course simply sniff the traffic, but there is a simpler solution which I figured out pretty quick.

My solution? Inject a bit of Javascript into the session and barf out the innerHTML in a popup window. :-)

So the next time you come across somebodies idea of copy protection for web content, try typing this in your URL bar and hit enter:


javascript:window.open( '', '', '' ).document.write( '<textarea cols=80 rows=40>' + document.body.parentNode.innerHTML + '</textarea>' );

Blows by such idiotic protection schemes that gives a false sense of security to the content owner.

Normally, I wouldn't show this sort of thing publicly. I contacted the original site webmaster to explain this attack vector to his code, only to receive a nasty email in poor taste where he referred to me as a "two-bit wannabe hacker that doesn't know what [I am] talking about" (his words... not mine). It's this kind of attitude of many web developers that has me up in arms, and has me feeling its appropriate to show the attack.

Posted by SilverStr at December 8, 2007 10:49 PM | TrackBack
Comments

Or you could just turn off javascript. :)

Posted by: Adam at December 9, 2007 08:40 AM

You are correct, but their technique would stop the majority of less technically inclined users. Perhaps that is all it was intended to do. Just because a method isn't 100% effective doesn't mean you shouldn't do anything.

Corralary - Since NO method is 100% effective you wouldn't suggest no one ever try any type of security.

Posted by: Peter at December 9, 2007 11:53 AM

Peter, that gets Dana out of the two-bit wannabe category then. (heh) Unfortunately, it appears that the author has an emotional investment in the code vice an intellectual one. Those of us in infosec have a term for it: job security.

- joat

Posted by: joat at December 9, 2007 12:02 PM

I also have a disdain for such people. I was recently interviewed by one such individual who was quite secure in their job and didn't want some new kid showing how much they didn't know.

Posted by: mubix at December 10, 2007 07:10 AM

Its even easier than that!

The following shows you not only the full source of the page, but whatever DOM was generated too!

Just add this as a bookmark (er, favorite) to IE (or paste it in the URL)

javascript:'<xmp>'+window.document.body.outerHTML+'</xmp>';

(A reload will return the original page)

It is a Bookmarklet from this page:

http://webbugtrack.blogspot.com/

Which has tons of info on Browser Bugs (and fixes!).

Posted by: Greg at December 10, 2007 07:17 AM

Another technique I found works is this: While the popup is still up, hold down right click on the page. While holding down the right mouse button, press enter to close the popup.

Now release the right mouse button. You'll get the usual right-click menu where you can view source.

This works in Firefox at least.

Posted by: Mike Weller at December 11, 2007 12:02 AM