Discuss Scratch

PullJosh
Scratcher
1000+ posts

Test for vulnerabilities please!

I've created a new extension which pulls an old trick, but does it better than ever before. The extension is called “Open Webpage Extension” and it has one block:
open page at url [http://scratch.mit.edu/] :: extension
The catch is that I've designed the block to be as safe and secure as possible. When the block runs, a fancy little dialog box pops up, asking the user if they would like to open the page.



I've done everything I can think of to prevent attacks, but I want some feedback from the community. I'd love everyone to try and create a project which demonstrates how the extension might be able to be used in a malicious way so that I can fix any potential vulnerabilities.

Try it out on ScratchX!

Base 10 is the best number system.
Jonathan50
Scratcher
1000+ posts

Well, ScratchX links can be dangerous anyway… But I guess if it becomes an official extension then you'll need to be sure it's safe.
PullJosh
Scratcher
1000+ posts

Jonathan50 wrote:

Well, ScratchX links can be dangerous anyway… But I guess if it becomes an official extension then you'll need to be sure it's safe.
The hope is that it could one day become an official extension, yeah.

@all I just updated the code so that long urls get clipped to look pretty in the popup.

Base 10 is the best number system.
helloandgoodbye9
Scratcher
1000+ posts

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.

Last edited by kaj (Tomorrow 25:61:61) ͪͪͪͪͪͪͪͪͪͪ ͣͣͣͣ ͯͯͯͯYes, its above the line)
Jonathan50
Scratcher
1000+ posts

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
helloandgoodbye9
Scratcher
1000+ posts

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./

Last edited by kaj (Tomorrow 25:61:61) ͪͪͪͪͪͪͪͪͪͪ ͣͣͣͣ ͯͯͯͯYes, its above the line)
Jonathan50
Scratcher
1000+ posts

helloandgoodbye9 wrote:

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./
How does it “hide” it? I can still see the whole URL…
helloandgoodbye9
Scratcher
1000+ posts

Jonathan50 wrote:

helloandgoodbye9 wrote:

Jonathan50 wrote:

helloandgoodbye9 wrote:

You may want to automatically remove /./ - https://blog.library.si.edu/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././redir.php?URL=http://crashcrome.com/ looks like blog.library.si.edu/././././././././././././././././././././././././. …, which looks weird, but has .edu, looking safe to younger scratchers.
How is ./ a problem?
It hides that the url redirects to crashchrome. The browser ignores /./
How does it “hide” it? I can still see the whole URL…
Copy it into the block, then run it.

Last edited by kaj (Tomorrow 25:61:61) ͪͪͪͪͪͪͪͪͪͪ ͣͣͣͣ ͯͯͯͯYes, its above the line)
savaka
Scratcher
1000+ posts

The link shouldn't actually be blue because you can't click it, and the buttons should be a darker color when you hover on them, if you want it to be like ScratchX dialogs.
NickyNouse
Scratcher
1000+ posts

Instead of truncating long urls, try putting the ellipses in the middle and showing the beginning and end of the URL.
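Added example, not code from this thread or from the Open Webpage Extension. It puts together the two points above: helloandgoodbye9's observation that the browser ignores "/./" segments (so the dialog should show the URL as it will actually be requested, with the host on its own line), and NickyNouse's suggestion to clip long URLs in the middle so the end of the query string stays visible. It assumes the standard WHATWG URL class available in Node.js and modern browsers; the function names, the 60-character width budget and the sample URL (the thread's example with the redirect target swapped for a placeholder domain) are all assumptions made for the example.

```javascript
// Added example, not code from the thread or from the Open Webpage Extension.
// Assumes the WHATWG URL class (Node.js or any modern browser).
// All function names and limits here are hypothetical.

const MAX_DISPLAY = 60; // hypothetical width budget for the dialog text

// Keep the start and end of a long string so that neither the host nor the
// query tail is lost to clipping. The result is at most `max` characters.
function middleEllipsis(s, max) {
  if (s.length <= max) return s;
  const keep = max - 1;              // one character is spent on the ellipsis
  const head = Math.ceil(keep / 2);
  const tail = keep - head;
  return s.slice(0, head) + "\u2026" + s.slice(s.length - tail);
}

// Returns { ok: false, reason } for input the dialog should refuse, otherwise
// { ok: true, href, host, display } where href is what the browser would
// actually fetch: the URL parser has already resolved "." and ".." segments,
// so "/./././redir.php" collapses to "/redir.php" before anything is shown.
function describeUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  // Only ordinary web pages; any other scheme (file:, data:, ...) is refused.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme " + url.protocol };
  }
  return {
    ok: true,
    href: url.href,
    host: url.hostname,
    display: middleEllipsis(url.href, MAX_DISPLAY),
  };
}

// Constructed sample in the shape of the thread's example; the redirect
// target is replaced by a placeholder domain.
const SAMPLE = "https://blog.library.si.edu/" + "./".repeat(60) +
               "redir.php?URL=http://example.com/";

function demo() {
  const d = describeUrl(SAMPLE);
  console.log("typed:   " + SAMPLE.length + " characters");
  console.log("fetched: " + d.href);
  console.log("host:    " + d.host);
  console.log("dialog:  " + d.display);
  return d;
}

demo();
```

Showing `host` separately is the part that matters most: a reader who only sees the clipped string still has to notice the redirect parameter, whereas a line that says "blog.library.si.edu" followed by the full normalised path and query makes the `URL=` tail hard to miss.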
PullJosh
Scratcher
1000+ posts

NickyNouse wrote:

Instead of truncating long urls, try putting the ellipses in the middle and showing the beginning and end of the URL.
Interesting…

Base 10 is the best number system.
CodingGamerHD
Scratcher
62 posts

*cough*
when green flag clicked
forever
open page at url [http://www.randommalicioussite.com/] :: extension stack
end
*cough*

Maybe prevent using it in a forever loop?

> Console.Write(get_os_ver(););
Running Ubuntu 16.10 (64-bit)/Windows 7 Ultimate SP1 (64-bit) (lives on as a VirtualBox VM)/Android 6.0, Google Chrome (no flash)
> Process.Start("https://scratch.mit.edu/users/CodingGamerHD/"); // Check out my projects!
> while (true) { Sharpy.Eat(new Kumquat.Evil(); }// This is my new pet Sharpy, Sharpy protects my siggy from siggy eating kumquats (alongside javascripty) by eating them! Payback, amirite?
>_
;
NickyNouse
Scratcher
1000+ posts

CodingGamerHD wrote:

*cough*
when green flag clicked
forever
open page at url [http://www.randommalicioussite.com/] :: extension stack
end
*cough*

Maybe prevent using it in a forever loop?
Or maybe the option to "prevent this project from opening more websites [on this domain?]"

Last edited by NickyNouse (July 6, 2016 15:20:06)
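Added example, not the extension's own code: one way the block could handle CodingGamerHD's forever-loop case and NickyNouse's "prevent this project from opening more websites" option. The gate drops every call that arrives while a dialog is already on screen, caps how many prompts may appear per time window, and remembers a per-host or project-wide "no more" answer. The function names, the limits (3 prompts per 10 seconds) and the scenario are all assumptions; the `now` argument exists only so the behaviour can be checked without a clock.

```javascript
// Added example, not code from the thread or from the Open Webpage Extension.
// All names and numbers here are hypothetical.

function createOpenGate(options) {
  const maxPrompts = (options && options.maxPrompts) || 3;     // per window
  const windowMs   = (options && options.windowMs)   || 10000; // 10 s
  const recent = [];                // times (ms) of prompts shown in the window
  const blockedHosts = new Set();   // user chose "never for this site"
  let blockedAll = false;           // user chose "no more pages from this project"
  let pending = false;              // a dialog is currently on screen

  // Ask whether a prompt for `host` may be shown at time `now` (ms).
  // Returns { allow: true } or { allow: false, reason }.
  function check(host, now) {
    if (now === undefined) now = Date.now();
    if (blockedAll) return { allow: false, reason: "project blocked" };
    if (blockedHosts.has(host)) return { allow: false, reason: "host blocked" };
    // While one dialog is open, every further call is dropped. This is what
    // defeats a forever loop: it fires again long before the user can answer.
    if (pending) return { allow: false, reason: "prompt already open" };
    while (recent.length && now - recent[0] > windowMs) recent.shift();
    if (recent.length >= maxPrompts) return { allow: false, reason: "rate limited" };
    recent.push(now);
    pending = true;
    return { allow: true };
  }

  // Record the user's answer to the open dialog:
  // "open", "deny", "block-host" or "block-all".
  function resolve(decision, host) {
    pending = false;
    if (decision === "block-host") blockedHosts.add(host);
    if (decision === "block-all") blockedAll = true;
  }

  return { check, resolve };
}

// Constructed scenario: a forever loop calls the block `iterations` times in
// the same instant while the first dialog is still open. Returns how many
// prompts would actually have appeared.
function simulateForeverLoop(iterations) {
  const gate = createOpenGate();
  let shown = 0;
  for (let i = 0; i < iterations; i++) {
    if (gate.check("example.com", 0).allow) shown++;
  }
  return shown;
}

console.log("prompts shown for 100 loop iterations:", simulateForeverLoop(100));
```

The rate window covers the slower case too: a project that waits for each answer and immediately asks again still runs out of prompts after `maxPrompts`, and the "block-all" answer gives the user a way out that does not depend on the project behaving.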

jackson4896
New to Scratch
1 post

I tried adding And it just didn't work
