How does Facebook disable the browser's integrated Developer Tools?

后端 未结 12 968
予麋鹿
予麋鹿 2020-11-22 06:12

So apparently because of the recent scams, the developer tools is exploited by people to post spam and even used to \"hack\" accounts. Facebook has blocked the developer too

相关标签:
12条回答
  • 2020-11-22 06:56

    My simple way, but it can help for further variations on this subject. List all methods and alter them to useless.

      Object.getOwnPropertyNames(console).filter(function(property) {
         return typeof console[property] == 'function';
      }).forEach(function (verb) {
         console[verb] =function(){return 'Sorry, for security reasons...';};
      });
    
    0 讨论(0)
  • 2020-11-22 06:57

    Internally devtools injects an IIFE named getCompletions into the page, called when a key is pressed inside the Devtools console.

    Looking at the source of that function, it uses a few global functions which can be overwritten.

    By using the Error constructor it's possible to get the call stack, which will include getCompletions when called by Devtools.


    Example:

    const disableDevtools = callback => {
      const original = Object.getPrototypeOf;
    
      Object.getPrototypeOf = (...args) => {
        if (Error().stack.includes("getCompletions")) callback();
        return original(...args);
      };
    };
    
    disableDevtools(() => {
      console.error("devtools has been disabled");
    
      while (1);
    });

    0 讨论(0)
  • 2020-11-22 06:57

    This is not a security measure for weak code to be left unattended. Always get a permanent solution to weak code and secure your websites properly before implementing this strategy

    The best tool by far according to my knowledge would be to add multiple javascript files that simply changes the integrity of the page back to normal by refreshing or replacing content. Disabling this developer tool would not be the greatest idea since bypassing is always in question since the code is part of the browser and not a server rendering, thus it could be cracked.

    Should you have js file one checking for <element> changes on important elements and js file two and js file three checking that this file exists per period you will have full integrity restore on the page within the period.

    Lets take an example of the 4 files and show you what I mean.

    index.html

       <!DOCTYPE html>
       <html>
       <head id="mainhead">
       <script src="ks.js" id="ksjs"></script>
       <script src="mainfile.js" id="mainjs"></script>
       <link rel="stylesheet" href="style.css" id="style">
       <meta id="meta1" name="description" content="Proper mitigation against script kiddies via Javascript" >
       </head>
       <body>
       <h1 id="heading" name="dontdel" value="2">Delete this from console and it will refresh. If you change the name attribute in this it will also refresh. This is mitigating an attack on attribute change via console to exploit vulnerabilities. You can even try and change the value attribute from 2 to anything you like. If This script says it is 2 it should be 2 or it will refresh. </h1>
       <h3>Deleting this wont refresh the page due to it having no integrity check on it</h3>
    
       <p>You can also add this type of error checking on meta tags and add one script out of the head tag to check for changes in the head tag. You can add many js files to ensure an attacker cannot delete all in the second it takes to refresh. Be creative and make this your own as your website needs it. 
       </p>
    
       <p>This is not the end of it since we can still enter any tag to load anything from everywhere (Dependent on headers etc) but we want to prevent the important ones like an override in meta tags that load headers. The console is designed to edit html but that could add potential html that is dangerous. You should not be able to enter any meta tags into this document unless it is as specified by the ks.js file as permissable. <br>This is not only possible with meta tags but you can do this for important tags like input and script. This is not a replacement for headers!!! Add your headers aswell and protect them with this method.</p>
       </body>
       <script src="ps.js" id="psjs"></script>
       </html>
    

    mainfile.js

       setInterval(function() {
       // check for existence of other scripts. This part will go in all other files to check for this file aswell. 
       var ksExists = document.getElementById("ksjs"); 
       if(ksExists) {
       }else{ location.reload();};
    
       var psExists = document.getElementById("psjs");
       if(psExists) {
       }else{ location.reload();};
    
       var styleExists = document.getElementById("style");
       if(styleExists) {
       }else{ location.reload();};
    
    
       }, 1 * 1000); // 1 * 1000 milsec
    

    ps.js

       /*This script checks if mainjs exists as an element. If main js is not existent as an id in the html file reload!You can add this to all js files to ensure that your page integrity is perfect every second. If the page integrity is bad it reloads the page automatically and the process is restarted. This will blind an attacker as he has one second to disable every javascript file in your system which is impossible.
    
       */
    
       setInterval(function() {
       // check for existence of other scripts. This part will go in all other files to check for this file aswell. 
       var mainExists = document.getElementById("mainjs"); 
       if(mainExists) {
       }else{ location.reload();};
    
       //check that heading with id exists and name tag is dontdel.
       var headingExists = document.getElementById("heading"); 
       if(headingExists) {
       }else{ location.reload();};
       var integrityHeading = headingExists.getAttribute('name');
       if(integrityHeading == 'dontdel') {
       }else{ location.reload();};
       var integrity2Heading = headingExists.getAttribute('value');
       if(integrity2Heading == '2') {
       }else{ location.reload();};
       //check that all meta tags stay there
       var meta1Exists = document.getElementById("meta1"); 
       if(meta1Exists) {
       }else{ location.reload();};
    
       var headExists = document.getElementById("mainhead"); 
       if(headExists) {
       }else{ location.reload();};
    
       }, 1 * 1000); // 1 * 1000 milsec
    

    ks.js

       /*This script checks if mainjs exists as an element. If main js is not existent as an id in the html file reload! You can add this to all js files to ensure that your page integrity is perfect every second. If the page integrity is bad it reloads the page automatically and the process is restarted. This will blind an attacker as he has one second to disable every javascript file in your system which is impossible.
    
       */
    
       setInterval(function() {
       // check for existence of other scripts. This part will go in all other files to check for this file aswell. 
       var mainExists = document.getElementById("mainjs"); 
       if(mainExists) {
       }else{ location.reload();};
       //Check meta tag 1 for content changes. meta1 will always be 0. This you do for each meta on the page to ensure content credibility. No one will change a meta and get away with it. Addition of a meta in spot 10, say a meta after the id="meta10" should also be covered as below.
       var x = document.getElementsByTagName("meta")[0];
       var p = x.getAttribute("name");
       var s = x.getAttribute("content");
       if (p != 'description') {
       location.reload();
       }
       if ( s != 'Proper mitigation against script kiddies via Javascript') {
       location.reload();
       }
       // This will prevent a meta tag after this meta tag @ id="meta1". This prevents new meta tags from being added to your pages. This can be used for scripts or any tag you feel is needed to do integrity check on like inputs and scripts. (Yet again. It is not a replacement for headers to be added. Add your headers aswell!)
       var lastMeta = document.getElementsByTagName("meta")[1];
       if (lastMeta) {
       location.reload();
       }
       }, 1 * 1000); // 1 * 1000 milsec
    

    style.css

    Now this is just to show it works on all files and tags aswell

       #heading {
       background-color:red;
       }
    

    If you put all these files together and build the example you will see the function of this measure. This will prevent some unforseen injections should you implement it correctly on all important elements in your index file especially when working with PHP.

    Why I chose reload instead of change back to normal value per attribute is the fact that some attackers could have another part of the website already configured and ready and it lessens code amount. The reload will remove all the attacker's hard work and he will probably go play somewhere easier.

    Another note: This could become a lot of code so keep it clean and make sure to add definitions to where they belong to make edits easy in future. Also set the seconds to your preferred amount as 1 second intervals on large pages could have drastic effects on older computers your visitors might be using

    0 讨论(0)
  • 2020-11-22 07:01

    I'm a security engineer at Facebook and this is my fault. We're testing this for some users to see if it can slow down some attacks where users are tricked into pasting (malicious) JavaScript code into the browser console.

    Just to be clear: trying to block hackers client-side is a bad idea in general; this is to protect against a specific social engineering attack.

    If you ended up in the test group and are annoyed by this, sorry. I tried to make the old opt-out page (now help page) as simple as possible while still being scary enough to stop at least some of the victims.

    The actual code is pretty similar to @joeldixon66's link; ours is a little more complicated for no good reason.

    Chrome wraps all console code in

    with ((console && console._commandLineAPI) || {}) {
      <code goes here>
    }
    

    ... so the site redefines console._commandLineAPI to throw:

    Object.defineProperty(console, '_commandLineAPI',
       { get : function() { throw 'Nooo!' } })
    

    This is not quite enough (try it!), but that's the main trick.


    Epilogue: The Chrome team decided that defeating the console from user-side JS was a bug and fixed the issue, rendering this technique invalid. Afterwards, additional protection was added to protect users from self-xss.

    0 讨论(0)
  • 2020-11-22 07:03

    an simple solution!

    setInterval(()=>console.clear(),1500);
    
    0 讨论(0)
  • 2020-11-22 07:06

    I would go along the way of:

    Object.defineProperty(window, 'console', {
      get: function() {
    
      },
      set: function() {
    
      }
    });
    
    0 讨论(0)
提交回复
热议问题