Discuss Scratch

PullJosh
Scratcher
1000+ posts

Test for vulnerabilities please!

I've created a new extension which pulls an old trick, but does it better than ever before. The extension is called “Open Webpage Extension” and it has one block:
open page at url [http://scratch.mit.edu/] :: extension
The catch is that I've designed the block to be as safe and secure as possible. When the block runs, a fancy little dialog box pops up, asking the user if they would like to open the page.

I've done everything I can think of to prevent attacks, but I want some feedback from the community. I'd love everyone to try and create a project which demonstrates how the extension might be able to be used in a malicious way so that I can fix any potential vulnerabilities.

Try it out on ScratchX!
Jonathan50
Scratcher
1000+ posts

Well, ScratchX links can be dangerous anyway… But I guess if it becomes an official extension then you'll need to be sure it's safe.
PullJosh
Scratcher
1000+ posts

Jonathan50 wrote:

Well, ScratchX links can be dangerous anyway… But I guess if it becomes an official extension then you'll need to be sure it's safe.
The hope is that it could one day become an official extension, yeah.

@all I just updated the code so that long urls get clipped to look pretty in the popup.
helloandgoodbye9
Scratcher
1000+ posts

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
Jonathan50
Scratcher
1000+ posts

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
helloandgoodbye9
Scratcher
1000+ posts

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./
Jonathan50
Scratcher
1000+ posts

helloandgoodbye9 wrote:

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./
How does it “hide” it? I can still see the whole URL…
helloandgoodbye9
Scratcher
1000+ posts

Jonathan50 wrote:

helloandgoodbye9 wrote:

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./
How does it “hide” it? I can still see the whole URL…
Copy it into the block, then run it.
savaka
Scratcher
1000+ posts

The link shouldn't actually be blue because you can't click it, and the buttons should be a darker color when you hover on them, if you want it to be like ScratchX dialogs.
NickyNouse
Scratcher
1000+ posts

Instead of truncating long urls, try putting the ellipses in the middle and showing the beginning and end of the URL.
PullJosh
Scratcher
1000+ posts

NickyNouse wrote:

Instead of truncating long urls, try putting the ellipses in the middle and showing the beginning and end of the URL.
Interesting…
CodingGamerHD
Scratcher
62 posts

*cough*
when green flag clicked
forever
open page at url [http://www.randommalicioussite.com/] :: extension stack
end
*cough*

Maybe prevent using it in a forever loop?
NickyNouse
Scratcher
1000+ posts

CodingGamerHD wrote:

*cough*
when green flag clicked
forever
open page at url [http://www.randommalicioussite.com/] :: extension stack
end
*cough*

Maybe prevent using it in a forever loop?
Or maybe the option to "prevent this project from opening more websites [on this domain?]"

Last edited by NickyNouse (July 6, 2016 15:20:06)
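The two issues raised in this thread (a URL whose /./ segments the browser drops, so the string shown in the dialog differs from where it really goes, and a forever loop re-opening the dialog) as one added example; this is not PullJosh's extension code, and normalizeForDisplay, middleTruncate and OpenGate are assumed names for illustration.

```javascript
// Added example, not code from the "Open Webpage Extension".
// 1. Show the URL the browser will actually navigate to: the WHATWG URL parser
//    collapses "/./" and "/../" segments, so the dialog text must be normalized
//    the same way, with the hostname separated and the tail kept visible.
// 2. Gate repeated prompts so a forever loop cannot re-open the dialog endlessly,
//    plus a per-host block list for "don't let this project open more pages here".
function normalizeForDisplay(raw) {
  let u;
  try {
    u = new URL(String(raw)); // resolves "/./" exactly as navigation would
  } catch (e) {
    return null; // not a parseable absolute URL: refuse to open
  }
  // Only web schemes; data:, file: and similar are rejected outright.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return { host: u.hostname, href: u.href };
}

// Keep the start (scheme + host) and the end of the string, ellipsis in the middle.
function middleTruncate(s, max) {
  if (s.length <= max) return s;
  const head = Math.ceil((max - 1) / 2);
  const tail = Math.floor((max - 1) / 2);
  return s.slice(0, head) + "\u2026" + s.slice(s.length - tail);
}

class OpenGate {
  constructor(minIntervalMs = 10000, maxDisplay = 60) {
    this.minIntervalMs = minIntervalMs; // minimum gap between prompts per host
    this.maxDisplay = maxDisplay;
    this.lastPrompt = new Map(); // hostname -> time (ms) of the last prompt
    this.blockedHosts = new Set();
  }
  blockHost(host) { this.blockedHosts.add(host); }
  // Decide what to do with one "open page at url" call made at time nowMs.
  decide(raw, nowMs) {
    const n = normalizeForDisplay(raw);
    if (n === null) return { action: "reject" };
    if (this.blockedHosts.has(n.host)) return { action: "suppress", host: n.host };
    const last = this.lastPrompt.get(n.host);
    if (last !== undefined && nowMs - last < this.minIntervalMs) {
      return { action: "suppress", host: n.host };
    }
    this.lastPrompt.set(n.host, nowMs);
    return { action: "prompt", host: n.host, display: middleTruncate(n.href, this.maxDisplay) };
  }
}
```

The dialog would render `host` prominently and `display` underneath, so that what the user sees is the normalized target rather than the raw string the project supplied.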

jackson4896
New Scratcher
1 post

I tried adding And it just didn't work
Ascold
Scratcher
23 posts

when green flag clicked
forever
open page at url [http://scratch.mit.edu/] :: extension
end
Ascold
Scratcher
23 posts

When You Have No Gods, You Are Very Glad :

Last edited by Ascold (June 28, 2019 06:50:05)

Cookiemousee
Scratcher
99 posts

I wish you could make it go to a link like this

go to webpage ( )
_HAMSTER6_
Scratcher
59 posts

It could possibly let people link other people to disguised IP grabbers.