Posts from 2015 - Jun

Mystery JS Alert

One of my fellow developers at work recently started complaining that he was getting an alert showing up on his page on a development system. Obviously this raised our XSS-aware eyebrows and investigations soon started.

Thanks to the way JQuery subsumes event handlers it can sometimes be very tricky to find out what exactly was triggering the alert, and without finding out what triggers the alert you can't find the problem and fix it. Alerts can also be hard to get a debugger to breakpoint on, if at all possible.

This little snippet helped my colleague as they could bake it in the top of every page served out to override the alert function and then check their console to see the full stack of calls that resulted in the call to alert(). It could also be modified to call an AJAX endpoint posting the data back so that users who might not have the console object in their browser can still be diagnosed simply.

//Rename the alert function to alert_ so it can still be used
window.alert_ = window.alert;

//Override the regular alert function with one that
//  console.log's the stack to find out what called it
window.alert = function() {
    e = new Error();
    console.log(window, arguments, e.stack);
    alert_.apply(window, arguments)

I also modified this snippet for one of our testers who uses Selenium and wanted to use JavaScript in his Selenium test to parse a reference number from an alert on one page to use throughout the rest of his test case. In that case we overrode the alert method in the same way, had a regex inside to parse out the reference he needed and wrote that to a new hidden span in the page which his selenium script could then find and get the value from to store and use.

No comments yet... :: Posted by Nick Palmer :: 2015-06-30 13:50:52

Disassembling and Modifying C#

Recently I was working with a C# tool and found it didn't quite do what I was expecting. Knowing that C# is fairly similar to Java in terms of compiling down to bytecode and running on a language VM I figured I might have a go at disassembling the C# executable and attempting to patch what I needed.

.NET Disassembly

As a Java developer who occasionally has to deal with bugs in third party, closed-source, libraries I have become fairly adept at disassembling code to figure out what's going on and potentially patch it to have the behaviour I need. Reverse engineering should never be the first option to try, and it is more often than not against the ToS and licenses of whatever third party code you're meddling with (sometimes Oracle post crazy rants against third party investigations of their code) but sometimes it's the only way to truly find out what is going on, especially when the documentation is short on details or outright incorrect.

Read Full Post

No comments yet... :: Posted by Nick Palmer :: 2015-06-15 13:04:49