显然,由于最近的骗局,开发者工具被人们用来发布垃圾邮件,甚至被用来“黑客”账户。Facebook已经屏蔽了开发者工具,我甚至无法使用控制台。
他们是怎么做到的??一篇Stack Overflow的帖子声称这是不可能的,但Facebook已经证明他们错了。
只需转到Facebook并打开开发工具,在控制台中键入一个字符,就会弹出此警告。无论你投入什么,它都不会被执行。
这怎么可能?
他们甚至在控制台中阻止了自动完成:
当前回答
这不是让弱代码无人看管的安全措施。在实施此策略之前,请始终为弱代码找到永久解决方案,并妥善保护您的网站
据我所知,到目前为止最好的工具是添加多个javascript文件,通过刷新或替换内容将页面的完整性恢复到正常状态。禁用这个开发工具并不是最好的主意,因为绕过总是有问题的,因为代码是浏览器的一部分,而不是服务器渲染,因此可能会被破解。
如果您让js file 1检查重要元素的<element>更改,js file 2和js file 3检查每个周期是否存在该文件,您将在该周期内对页面进行完整性恢复。
让我们以4个文件为例,向您展示我的意思。
索引html
<!DOCTYPE html>
<html>
<head id="mainhead">
<script src="ks.js" id="ksjs"></script>
<script src="mainfile.js" id="mainjs"></script>
<link rel="stylesheet" href="style.css" id="style">
<meta id="meta1" name="description" content="Proper mitigation against script kiddies via Javascript" >
</head>
<body>
<h1 id="heading" name="dontdel" value="2">Delete this from console and it will refresh. If you change the name attribute in this it will also refresh. This is mitigating an attack on attribute change via console to exploit vulnerabilities. You can even try and change the value attribute from 2 to anything you like. If This script says it is 2 it should be 2 or it will refresh. </h1>
<h3>Deleting this wont refresh the page due to it having no integrity check on it</h3>
<p>You can also add this type of error checking on meta tags and add one script out of the head tag to check for changes in the head tag. You can add many js files to ensure an attacker cannot delete all in the second it takes to refresh. Be creative and make this your own as your website needs it.
</p>
<p>This is not the end of it since we can still enter any tag to load anything from everywhere (Dependent on headers etc) but we want to prevent the important ones like an override in meta tags that load headers. The console is designed to edit html but that could add potential html that is dangerous. You should not be able to enter any meta tags into this document unless it is as specified by the ks.js file as permissable. <br>This is not only possible with meta tags but you can do this for important tags like input and script. This is not a replacement for headers!!! Add your headers aswell and protect them with this method.</p>
</body>
<script src="ps.js" id="psjs"></script>
</html>
主文件.js
setInterval(function() {
// check for existence of other scripts. This part will go in all other files to check for this file aswell.
var ksExists = document.getElementById("ksjs");
if(ksExists) {
}else{ location.reload();};
var psExists = document.getElementById("psjs");
if(psExists) {
}else{ location.reload();};
var styleExists = document.getElementById("style");
if(styleExists) {
}else{ location.reload();};
}, 1 * 1000); // 1 * 1000 milsec
ps.js
/*This script checks if mainjs exists as an element. If main js is not existent as an id in the html file reload!You can add this to all js files to ensure that your page integrity is perfect every second. If the page integrity is bad it reloads the page automatically and the process is restarted. This will blind an attacker as he has one second to disable every javascript file in your system which is impossible.
*/
setInterval(function() {
// check for existence of other scripts. This part will go in all other files to check for this file aswell.
var mainExists = document.getElementById("mainjs");
if(mainExists) {
}else{ location.reload();};
//check that heading with id exists and name tag is dontdel.
var headingExists = document.getElementById("heading");
if(headingExists) {
}else{ location.reload();};
var integrityHeading = headingExists.getAttribute('name');
if(integrityHeading == 'dontdel') {
}else{ location.reload();};
var integrity2Heading = headingExists.getAttribute('value');
if(integrity2Heading == '2') {
}else{ location.reload();};
//check that all meta tags stay there
var meta1Exists = document.getElementById("meta1");
if(meta1Exists) {
}else{ location.reload();};
var headExists = document.getElementById("mainhead");
if(headExists) {
}else{ location.reload();};
}, 1 * 1000); // 1 * 1000 milsec
ks.js
/*This script checks if mainjs exists as an element. If main js is not existent as an id in the html file reload! You can add this to all js files to ensure that your page integrity is perfect every second. If the page integrity is bad it reloads the page automatically and the process is restarted. This will blind an attacker as he has one second to disable every javascript file in your system which is impossible.
*/
setInterval(function() {
// check for existence of other scripts. This part will go in all other files to check for this file aswell.
var mainExists = document.getElementById("mainjs");
if(mainExists) {
}else{ location.reload();};
//Check meta tag 1 for content changes. meta1 will always be 0. This you do for each meta on the page to ensure content credibility. No one will change a meta and get away with it. Addition of a meta in spot 10, say a meta after the id="meta10" should also be covered as below.
var x = document.getElementsByTagName("meta")[0];
var p = x.getAttribute("name");
var s = x.getAttribute("content");
if (p != 'description') {
location.reload();
}
if ( s != 'Proper mitigation against script kiddies via Javascript') {
location.reload();
}
// This will prevent a meta tag after this meta tag @ id="meta1". This prevents new meta tags from being added to your pages. This can be used for scripts or any tag you feel is needed to do integrity check on like inputs and scripts. (Yet again. It is not a replacement for headers to be added. Add your headers aswell!)
var lastMeta = document.getElementsByTagName("meta")[1];
if (lastMeta) {
location.reload();
}
}, 1 * 1000); // 1 * 1000 milsec
样式表
现在,这只是为了显示它也适用于所有文件和标记
#heading {
background-color:red;
}
如果您将所有这些文件放在一起并构建示例,您将看到此度量的功能。如果您在索引文件中的所有重要元素上正确实现它,尤其是在使用PHP时,这将防止一些不可见的注入。
我之所以选择重新加载而不是更改回每个属性的正常值,是因为一些攻击者可能已经配置并准备好了网站的另一部分,这会减少代码量。重新加载将消除攻击者的所有努力,他可能会去更容易的地方打球。
另一个注意事项:这可能会变成很多代码,所以请保持干净,并确保将定义添加到它们所属的位置,以便于将来编辑。此外,将秒数设置为您的首选值,因为大页面上的1秒间隔可能会对访问者可能使用的旧计算机产生严重影响
其他回答
我会这样做:
Object.defineProperty(window, 'console', {
get: function() {
},
set: function() {
}
});
Netflix也实现了这一功能
(function() {
try {
var $_console$$ = console;
Object.defineProperty(window, "console", {
get: function() {
if ($_console$$._commandLineAPI)
throw "Sorry, for security reasons, the script console is deactivated on netflix.com";
return $_console$$
},
set: function($val$$) {
$_console$$ = $val$$
}
})
} catch ($ignore$$) {
}
})();
他们只是凌驾于控制台之上_commandLineAPI引发安全错误。
除了重新定义控制台_命令行API,还有一些其他方法可以在WebKit浏览器上侵入InjectedScriptHost,以防止或更改输入到开发人员控制台的表达式的求值。
编辑:
Chrome在过去的版本中修复了这个问题。-这一定是在2015年2月之前,因为我当时创造了要点
所以这里有另一种可能性。这一次,我们在更高级别上直接连接到InjectedScript,而不是与先前版本相反的InjectedScriptHost。
这有点不错,因为你可以直接猴子补丁InjectedScript_evaluateAndWrap而不必依赖于InjectedScriptHost.evaluate,因为这样可以对应该发生的事情进行更细粒度的控制。
另一个非常有趣的事情是,我们可以在计算表达式时拦截内部结果,并将其返回给用户,而不是正常行为。
这是一段代码,当用户在控制台中求值时,它会返回内部结果。
var is;
Object.defineProperty(Object.prototype,"_lastResult",{
get:function(){
return this._lR;
},
set:function(v){
if (typeof this._commandLineAPIImpl=="object") is=this;
this._lR=v;
}
});
setTimeout(function(){
var ev=is._evaluateAndWrap;
is._evaluateAndWrap=function(){
var res=ev.apply(is,arguments);
console.log();
if (arguments[2]==="completion") {
//This is the path you end up when a user types in the console and autocompletion get's evaluated
//Chrome expects a wrapped result to be returned from evaluateAndWrap.
//You can use `ev` to generate an object yourself.
//In case of the autocompletion chrome exptects an wrapped object with the properties that can be autocompleted. e.g.;
//{iGetAutoCompleted: true}
//You would then go and return that object wrapped, like
//return ev.call (is, '', '({test:true})', 'completion', true, false, true);
//Would make `test` pop up for every autocompletion.
//Note that syntax as well as every Object.prototype property get's added to that list later,
//so you won't be able to exclude things like `while` from the autocompletion list,
//unless you wou'd find a way to rewrite the getCompletions function.
//
return res; //Return the autocompletion result. If you want to break that, return nothing or an empty object
} else {
//This is the path where you end up when a user actually presses enter to evaluate an expression.
//In order to return anything as normal evaluation output, you have to return a wrapped object.
//In this case, we want to return the generated remote object.
//Since this is already a wrapped object it would be converted if we directly return it. Hence,
//`return result` would actually replicate the very normal behaviour as the result is converted.
//to output what's actually in the remote object, we have to stringify it and `evaluateAndWrap` that object again.`
//This is quite interesting;
return ev.call (is, null, '(' + JSON.stringify (res) + ')', "console", true, false, true)
}
};
},0);
这有点冗长,但我想我在其中添加了一些注释
因此,通常情况下,例如,如果用户对[1,2,3,4]求值,则会得到以下输出:
猴痘注射后_evaluateAndWrap对相同的表达式求值,给出以下输出:
如您所见,指示输出的小左箭头仍然存在,但这次我们得到了一个对象。在表达式的结果中,数组[1,2,3,4]表示为一个对象,并描述了其所有财产。
我建议尝试评估这个和那个表达式,包括那些产生错误的表达式。这很有趣。
此外,查看is-InjectedScriptHost-对象。它提供了一些方法来使用和深入了解检查器的内部。
当然,您可以截取所有这些信息,并仍然将原始结果返回给用户。
只需将else路径中的return语句替换为后跟return res的console.log(res)即可。
编辑结束
这是Google修复的先前版本。因此不再是一种可能的方式。
其中一个是挂接到Function.prototype.call
Chrome通过使用InjectedScriptHost作为thisArg调用其eval函数来计算输入的表达式
var result=evalFunction.call(对象,表达式);
考虑到这一点,您可以监听正在求值的调用的thisArg,并获取对第一个参数(InjectedScriptHost)的引用
if (window.URL) {
var ish, _call = Function.prototype.call;
Function.prototype.call = function () { //Could be wrapped in a setter for _commandLineAPI, to redefine only when the user started typing.
if (arguments.length > 0 && this.name === "evaluate" && arguments [0].constructor.name === "InjectedScriptHost") { //If thisArg is the evaluate function and the arg0 is the ISH
ish = arguments[0];
ish.evaluate = function (e) { //Redefine the evaluation behaviour
throw new Error ('Rejected evaluation of: \n\'' + e.split ('\n').slice(1,-1).join ("\n") + '\'');
};
Function.prototype.call = _call; //Reset the Function.prototype.call
return _call.apply(this, arguments);
}
};
}
例如,您可以抛出一个错误,即评估被拒绝。
下面是一个示例,输入的表达式在传递给求值函数之前被传递给CoffeeScript编译器。
在内部,devtools将一个名为getCompletions的IIFE注入页面,当在devtools控制台内按下一个键时调用。
查看该函数的源代码,它使用了一些可以覆盖的全局函数。
通过使用Error构造函数,可以获得调用堆栈,当Devtools调用时,它将包括getCompletions。
例子:
const disableDevtools=回调=>{const original=Object.getPrototypeOf;Object.getPrototypeOf=(…args)=>{if(Error().stack.includes(“getCompletions”))callback();返回原始(…args);};};禁用开发工具(()=>{console.error(“devtools已禁用”);而(1);});
我使用Chrome开发工具找到了Facebook的控制台脚本。以下是为提高可读性所做的小改动。我删除了我无法理解的部分:
Object.defineProperty(window, "console", {
value: console,
writable: false,
configurable: false
});
var i = 0;
function showWarningAndThrow() {
if (!i) {
setTimeout(function () {
console.log("%cWarning message", "font: 2em sans-serif; color: yellow; background-color: red;");
}, 1);
i = 1;
}
throw "Console is disabled";
}
var l, n = {
set: function (o) {
l = o;
},
get: function () {
showWarningAndThrow();
return l;
}
};
Object.defineProperty(console, "_commandLineAPI", n);
Object.defineProperty(console, "__commandLineAPI", n);
这样,当在控制台中键入的语句将无法执行时,控制台自动完成将以静默方式失败(将记录异常)。
参考文献:
对象定义属性对象.getOwnPropertyDescriptorChrome的console.log功能(用于格式化输出的提示)
推荐文章
- 使用jQuery改变输入字段的类型
- 在JavaScript中,什么相当于Java的Thread.sleep() ?
- 使用jQuery以像素为整数填充或边距值
- 检查是否选择了jQuery选项,如果没有选择默认值
- Next.js React应用中没有定义Window
- 如何重置笑话模拟函数调用计数之前,每次测试
- 如何强制一个功能React组件渲染?
- 在javascript中从平面数组构建树数组
- 将Dropzone.js与其他字段集成到现有的HTML表单中
- 如何在AngularJS中观察路由变化?
- JavaScript DOM删除元素
- 将dd-mm-yyyy字符串转换为日期
- Javascript复选框onChange
- Javascript函数前导bang !语法
- 如何在页面上遍历所有DOM元素?
