A practical exercise: fighting maskons

VK

It is in continuation of my post at
http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503

"the old maskon and demaskonizing problems, see for instance my old
post from 2007:
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0

Given a situation with a malicious script that shadows (maskonizes)
window.XMLHttpRequest with its own object that fully emulates the
native one plus sends copies of each data input to a 3rd party server.
Until the malicious library is fully removed from any wide use, our
emergency security patch has to ensure that each new XMLHttpRequest is
based on the default vendor's constructor and not on some 3rd party
runtime maskon. On detecting a maskonized environment the security
patch first tries to get the access to the real constructor; if it's
not possible on the given platform then warn the user and break the
code execution."

It seems to me it might be a very useful learning curb about Global,
window, their differences and their per platform peculiarities.
For people who are not aware about the maskon problem a little sample
to work with:

// Keep a reference to the vendor's constructor, then shadow it on window.
var _XHR_ = window.XMLHttpRequest;
window.XMLHttpRequest = function() {
  // Return patched _XHR_
  // or XHR emulation over hidden iframe
  // or many other options, of course
  // with maskons for all documented
  // properties and methods of the real
  // XHR for the given platforms.
  // Here simply fooling the constructor
  // behavior for the sake of brevity:
  var maskon = new _XHR_;
  maskon._take_the_red_pill_ = true; // marker showing the wrapper ran
  return maskon;
}

// Every "new XMLHttpRequest" now goes through the wrapper above.
var a = new window.XMLHttpRequest;
var b = new window.XMLHttpRequest;
window.alert(a); // [object XMLHttpRequest]
window.alert(a == b); // false
window.alert(a._take_the_red_pill_); // true

P.S. Browser producers did their best to leave us as unprotected as
possible against of it, especially IE with its intentionally broken
[delete] functionality. Yet the remedy is possible and can be found -
but a better one might be suggested.

P.P.S. Back in 2007 some "regulars" suggested that red and other pills
show my preoccupation with drugs... For the possible sorry beings who
have not seen the "Matrix" movie yet: "red pill" refers to the pill Neo
had to take to leave the virtual world for the real one.
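A defender-side check for the scenario described above, added here as an example and not code from the original post or from any library. It takes the global object as a parameter so it can be exercised under Node against a constructed stand-in page; `looksNative`, `inspectGlobal`, `constructorFromFreshFrame` and `trustedConstructor` are names chosen for this example, and `Array` stands in for the vendor's native `XMLHttpRequest`.

```javascript
// Added example, not VK's code: detect a script-defined replacement of a
// global constructor and recover a clean copy where the platform allows it.
// Function names here are this example's own, and Array stands in for the
// vendor's native XMLHttpRequest so the demo runs under Node.

// Capture Function.prototype.toString before any page script runs: a hijacker
// can replace it as well. Native functions stringify to
// "function Name() { [native code] }"; a wrapper written in script shows its
// own source text instead.
var nativeToString = Function.prototype.toString;
var NATIVE_SOURCE = /^function [\w$]*\(\) \{ \[native code\] \}$/;

function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  var src;
  try {
    src = nativeToString.call(fn);
  } catch (e) {
    return false; // toString refused it: not a plain function, do not trust it
  }
  return NATIVE_SOURCE.test(String(src).replace(/\s+/g, ' ').trim());
}

// Report on one constructor hanging off the (supplied) global object.
function inspectGlobal(globalObj, name) {
  var ctor = globalObj[name];
  return {
    name: name,
    present: typeof ctor === 'function',
    native: looksNative(ctor)
  };
}

// Browser-only recovery path: a freshly inserted same-origin iframe starts
// with an untouched set of built-ins, so its copy of the constructor has not
// been through the hijacking script. Returns null outside a browser.
function constructorFromFreshFrame(name) {
  if (typeof document === 'undefined' || !document.body) return null;
  var frame = document.createElement('iframe');
  frame.style.display = 'none';
  document.body.appendChild(frame);
  var ctor = frame.contentWindow && frame.contentWindow[name];
  // The frame stays attached on purpose: objects from a detached frame's
  // realm may stop working in some browsers (assumption about old browsers).
  return typeof ctor === 'function' ? ctor : null;
}

// VK's stated policy: use the native constructor when it is intact, try to
// recover a clean one otherwise, and refuse to continue if that fails.
function trustedConstructor(globalObj, name) {
  var report = inspectGlobal(globalObj, name);
  if (report.present && report.native) return globalObj[name];
  var clean = constructorFromFreshFrame(name);
  if (clean && looksNative(clean)) return clean;
  throw new Error(name + ' has been replaced and no clean copy is available');
}

// Constructed stand-in page: the check before and after the kind of wrapper
// shown in VK's sample is installed.
function demo() {
  var page = { XMLHttpRequest: Array };
  var before = inspectGlobal(page, 'XMLHttpRequest').native; // true
  var Real = page.XMLHttpRequest;
  page.XMLHttpRequest = function () { return new Real(); };
  var after = inspectGlobal(page, 'XMLHttpRequest').native; // false
  return { before: before, after: after };
}
```

The source-text check is a tripwire, not proof: a bound function or a callable Proxy also stringifies as `[native code]`, and a script that loads before the check can replace `Function.prototype.toString` itself. The fresh-frame path is the part that actually recovers a usable constructor, which is why `trustedConstructor` falls back to it and otherwise stops, matching the "warn the user and break the code execution" policy in the post.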
 
Stevo

VK said:
> It is in continuation of my post at
> http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503
>
> "the old maskon and demaskonizing problems, see for instance my old
> post from 2007:
> http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0

You mean the possible problem of someone hijacking XMLHttpRequest?
Nobody's calling this maskonizing.

> Given a situation with a malicious script that shadows (maskonizes)

http://en.wikipedia.org/wiki/Maskon

There's already a perfectly good word that applies to function/object
hijacking and it's called hijacking.
 
David Mark

> It is in continuation of my post at

[snip old post]

> "the old maskon and demaskonizing problems, see for instance my old
> post from 2007:

[snip another old post]

> Given a situation with a malicious script that shadows (maskonizes)

Will you please stop making up words?

> window.XMLHttpRequest with its own object that fully emulates the
> native one plus sends copies of each data input to a 3rd party server.

I'd love to see you try. ;)

> Until the malicious library is fully removed from any wide use, our
> emergency security patch has to ensure that each new XMLHttpRequest is
> based on the default vendor's constructor and not on some 3rd party
> runtime maskon.

What's a default vendor?

> On detecting a maskonized environment the security
> patch first tries to get the access to the real constructor; if it's
> not possible on the given platform then warn the user and break the
> code execution."

Pure fantasy.

> It seems to me it might be a very useful learning curb about Global,
> window, their differences and their per platform peculiarities.

Not time to curb your learning yet.

> For people who are not aware about the maskon problem a little sample
> to work with:

Oh brother.

> var _XHR_ = window.XMLHttpRequest;
> window.XMLHttpRequest = function() {
>  // Return patched _XHR_
>  // or XHR emulation over hidden iframe
>  // or many other options, of course
>  // with maskons for all documented
>  // properties and methods of the real
>  // XHR for the given platforms.
>  // Here simply fooling the constructor
>  // behavior for the sake of brevity:
>  var maskon = new _XHR_;
>  maskon._take_the_red_pill_ = true;
>  return maskon;
> }
>
> var a = new window.XMLHttpRequest;
> var b = new window.XMLHttpRequest;
> window.alert(a); // XMLHttpRequest
> window.alert(a == b); // false
> window.alert(a._take_the_red_pill_); // true

Congratulations. You augmented a host object with a useless property.

> P.S. Browser producers did their best to leave us as unprotected as
> possible against of it, especially IE with its intentionally broken
> [delete] functionality.

What spec says it's broken?

> Yet the remedy is possible and can be found -
> but a better one might be suggested.

I suggest you drop it.

> P.P.S. Back in 2007 some "regulars" suggested that red and other pills
> show my preoccupation with drugs... For the possible sorry beings who
> have not seen the "Matrix" movie yet: "red pill" refers to the pill Neo
> had to take to leave the virtual world for the real one.

We are through the looking glass now.
 
VK

Stevo said:
> There's already a perfectly good word that applies to function/object
> hijacking and it's called hijacking.

Now - possibly yes in some environments. Back in 2006 on the congress
it was called "subverting":
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
Same time (2006) I called it "maskon", "maskonizing" and it is called
so in my environment. Rather often same thing is called differently in
different companies and there is a good reason for it, not really
related with programming issues. You may call it in your version - if
decide to post - "hijacking", "object spoofing", "object substitution"
or however you like: it is irrelevant to the technical matter.
 
VK

>> Given a situation with a malicious script that shadows (maskonizes)
> Will you please stop making up words?

See my answer to Stevo.

> I'd love to see you try.  ;)

Nothing to try here, it is a trivia. The question is to detect and to
repair (where possible).

> What's a default vendor?

"default vendor's constructor"

> Pure fantasy.

Pure fantasy is what? This way of "hijacking" or a possibility to have
a code dealing with it? Please be more specific with your comments.

> Not time to curb your learning yet.

That's a pity.

> Oh brother.

> Congratulations.  You augmented a host object with a useless property.

OK, if pretending to be stupid is your game in this group, I am not
helping you to play it.
 
David Mark

> See my answer to Stevo.

Saw it. Did you click that Wiki link? Then try Google. Then realize
it is better to use terms that exist for your audience. The audience
is not privy to your imagination.

Oh wait, there is a maskon:-

http://www.maskon.com/

> Nothing to try here, it is a trivia. The question is to detect and to
> repair (where possible).

And you've got neither the question nor the answer straight. Can we
leave it at that? You could have left it at that ten years ago
without detracting one bit from this group. All you do is confuse
newcomers, who are usually confused enough to begin with.

> "default vendor's constructor"

It's just confusing. Though this is bit more clear than the rest of
it.

> Pure fantasy is what? This way of "hijacking" or a possibility to have
> a code dealing with it? Please be more specific with your comments.

The possibility that your posts are not a complete waste of time.

> That's a pity.

After ten years. Yes.
 
VK

David said:
> Then realize
> it is better to use terms that exist for your audience.  The audience
> is not privy to your imagination.

The definition of what is "maskon" was given in the original post.
Again, you can use any term you like or just "the topic of the
conversation".

> All you do is confuse
> newcomers, who are usually confused enough to begin with.

Since when knowing the real system behavior became a synonym of
"confusion"? From the other side we already had the Flat Earth Society
( http://en.wikipedia.org/wiki/Flat_Earth_Society ), maybe it's time
for the Global Equals Window Society ? :)

> It's just confusing.  Though this is bit more clear than the rest of
> it.

> The possibility that your posts are not a complete waste of time.

Then you don't mind I guess if I use for vulnerability samples My
Library? I used
http://www.cinsoft.net/mylib-builder.asp
to get Ajax + Requester only and it fits well for demonstration
purposes as totally maskon unprotected.
Only if you don't mind of course.
 
David Mark

> The definition of what is "maskon" was given in the original post.
> Again, you can use any term you like or just "the topic of the
> conversation".

> Since when knowing the real system behavior became a synonym of
> "confusion"?

Which "real system" is that? The one you've built up in your head
(and regurgitated all over this NG) over the years, despite the public
outcry?

> From the other side we already had the Flat Earth Society
> (http://en.wikipedia.org/wiki/Flat_Earth_Society), maybe it's time
> for the Global Equals Window Society ? :)

Who said anything about "Global Equals Window?"

> Then you don't mind I guess if I use for vulnerability samples My
> Library? I used
> http://www.cinsoft.net/mylib-builder.asp
> to get Ajax + Requester only and it fits well for demonstration
> purposes as totally maskon unprotected.
> Only if you don't mind of course.

Why should I mind? I'd prefer if you conducted your demonstration in
another NG, but I'm sure you'll carry on here.
 
VK

David said:
> Who said anything about "Global Equals Window?"

the Books Of ECMA, Chapter 10, "Global Object":
"in the HTML document object model the window property of the global
object is the global object itself".

Though as a not true believer I might be not bellyfeeling the text so
cannot perceive it properly, this is why it sounds to me as a DUI
(documenting under influence :)

> Why should I mind?

Thank you
 
David Mark

> the Books Of ECMA, Chapter 10, "Global Object":
> "in the HTML document object model the window property of the global
> object is the global object itself".

How many times do we have to go over this? That sentence is not part
of the ECMAScript specification. It doesn't have anything to do with
the language. A clue is that it refers to an "HTML document object
model" (and ECMAScript defines no host objects). Furthermore, there
is no standard specification for browsers that says that window must
refer to the Global Object.
 
VK

>> Who said anything about "Global Equals Window?"
> How many times do we have to go over this? That sentence is not part
> of the ECMAScript specification.

The definition of the Global Object is not a part of the Books? Thou
shalt not blaspheme! :)

10.1.5 Global Object
There is a unique global object (15.1), which is created before
control enters any execution context.
Initially the global object has the following properties:
• Built-in objects such as Math, String, Date, parseInt, etc. These
have attributes { DontEnum }.
• Additional host defined properties. This may include a property
whose value is the global object itself; for example, in the HTML
document object model the window property of the global object is
the global object itself.

> It doesn't have anything to do with
> the language. A clue is that it refers to an "HTML document object
> model" (and ECMAScript defines no host objects). Furthermore, there
> is no standard specification for browsers that says that window must
> refer to the Global Object.

It just because no one touched it for years. W3C once tried to
document Window but realized that there is nothing "revolutionary" to
announce in here, just carefully document the existing usage - and
that was totally against the whole nature of the "Old W3C". So they
arrived to the Working Draft and then dropped it back in 2006:
http://www.w3.org/TR/Window/
so moved on a free territory where they could have more fun, so we
became "happy owners" of AbstractView and document.defaultView and
that was the end of it.
In the upcoming HTML5 (note the missing space) there will be more
useful stuff:
http://dev.w3.org/html5/spec/browsers.html#browsing-context
http://dev.w3.org/html5/spec/browsers.html#windowproxy
 
David Mark

> The definition of the Global Object is not a part of the Books? Thou
> shalt not blaspheme! :)

Who said that?

> 10.1.5 Global Object
> There is a unique global object (15.1), which is created before
> control enters any execution context.
> Initially the global object has the following properties:
> • Built-in objects such as Math, String, Date, parseInt, etc. These
> have attributes { DontEnum }.
> • Additional host defined properties. This may include a property
> whose value is the global object itself; for example, in the HTML
> document object model the window property of the global object is
> the global object itself.

That's called an aside (and an inaccurate one too). It has nothing to
do with the definition of the Global Object.
 
RobG

> The definition of the Global Object is not a part of the Books?

Yes, it is but that is not the point. You inferred that ECMA-262
defines the window and global objects as being the same thing. It was
pointed out to you (yet again) that that part of ECMA-262 is an
*example* of how it might be implemented. It is not a normative part
of the specification.

[...]

> It just because no one touched it for years.

So you admit that ECMA-262 does not specify behaviour for host
objects? I guess that's a step forward.

> W3C once tried to
> document Window but realized that there is nothing "revolutionary" to
> announce in here, just carefully document the existing usage - and
> that was totally against the whole nature of the "Old W3C". So they
> arrived to the Working Draft and then dropped it back in 2006:
> http://www.w3.org/TR/Window/

Your arguments are contradictory and illogical.

Initially you argued that ECMA-262 defines the global and window
object relationship, then you head off on a red herring regarding the
W3C specification of the window object. Next you invent a reason for
why they "dropped" it (all without any reference as to how that is
related to your statement that ECMA-262 defines the window and global
objects as being the same object).

Not that long after the Window Object working draft was released, the
first working draft of the HTML 5 specification (which includes the
details of the Window Object working draft) was released. A more
rational explanation is that the W3C realised that HTML 5 would make a
separate Window Object specification redundant and so included the
details of the Window Object working draft in the HTML 5 working
draft.

> so moved on a free territory where they could have more fun, so we
> became "happy owners" of AbstractView and document.defaultView and
> that was the end of it.

No, it wasn't the end of their efforts to specify the window object at
all and you know it, as you show below. But you continue with your
fantastic stories anyway.

> In the upcoming HTML5 (note the missing space)

The "missing space" has no importance. I suspect it is just a trend as
W3C references to most recent specifications drop the space between
the letters and number, such as HTML4, XHTML1, and so on, but the
titles of the actual specifications do not. The working draft is still
titled "HTML 5" (with a space).

There's the proof that the W3C didn't "drop" their efforts to specify
a window object at all, but are continuing their efforts in HTML 5.
And you posted the evidence, despite your claim that they'd "dropped
it" for some fantastic reason.

Current work (as at 2009-11-03) regarding the relationship between the
host window object and script environment global object is reflected
here:

"A relationship with the script's global object"
<URL: http://www.whatwg.org/specs/web-apps/current-work/#script's-global-object>
 
