PDA

View Full Version : A Llittle Help



g1eek
09-14-2012, 06:01 PM
i am a mod on a page that we stream videos from youtube into a chat environment and we were hit with a nasty attack for no apparent reason.
they used a bit of JS in a firefox addon called scriptish to overload our chat and then proceeded to delete every thing from the playlist we had built.

i found the attack code but i need help coming up with something to prevent it from happening again
this is the code:

(function namespam() {
var chars = "abcdefghijklmnopqrstuvwxyz";
var string_length = 99;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1); }
socket.send_cmd("<",randomstring);
socket.send_cmd("nick"," ");
Message.hardClear();
setTimeout(namespam,1);})();


if anyone has any ideas id greatly appreciate it if you helped
thanks,

jscheuer1
09-14-2012, 06:33 PM
If it's Firefox they're using, this placed at the beginning of your first javascript for the page or as the code of a javascript you place first on the page, might stop it:


const namespam = 0;

You could also try:


setInterval(function(){namespam = function(){};}, 1);

However, even if one of these works, all they would have to do is change the name of the function and it would work again.

What's the socket? Is it something on your end? Regardless, you could also try redefining it:


const socket = {};

To prevent errors in other browsers, you may need to encapsulate the code(s) you use in try/catch, ex:


try{const socket = {};}catch(e){}

traq
09-14-2012, 08:08 PM
obviously, I couldn't offer a solution without knowing a lot more about your code and how things are organized on your server... however, what I can say is that you should not be allowing anything a user does to impact the server in this way. If a user sends a command to delete something, you need to be checking that the particular user is authenticated, and authorized to delete things, not just automatically deleting them. Until you change that, you will not be able to solve anything.

djr33
09-14-2012, 08:59 PM
Javascript operates in the browser, and your visitors can do absolutely anything they'd like. There's no such thing as Javascript "security" (or a lack of security) because they can, if they want, change the Javascript code itself.
However, they can only do this on their own computer. They can change the background color of your page, or remove all of the chat messages, or do anything else, but again-- only for them, on their own computer. Javascript cannot make any of that occur on the server and therefore not so that it will affect any other users (or your original files, etc.).

If anything is happening like you described, then:
1) It needs to be fixed in the serverside code. This might be PHP, for example.
2) It shouldn't be allowed-- there's a badly written serverside script used to interpret commands from JS that is now giving the user too much control.

There are several possible ways to fix this, but you'll need to address (1) and (2) above to work it out. I can't tell from your post exactly what the security flaw is, but some ideas are:
--limiting the number of requests per second from an individual
--filtering out certain commands (or better yet, just allowing a certain list of "approved" commands)