[RESOLVED] samy.pl bypasses NS content blocking (Java)

Ask for help about NoScript, no registration needed to post
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by dhouwn »

Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101124 Firefox/4.0b8pre
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

dhouwn wrote:Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
Nope. The enabled/disabled setting is checking only at instantiation time.

However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
I still can't believe it works, but it does, and it takes 1 millisecond on Fx 3.6 and 5 milliseconds on Fx 4 (weird, probably a JIT anti-optimization). I'm still running in "debug mode", though, therefore I expect these numbers to be slightly different (better) in production, but they're already excellent.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
What is it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

al_9x wrote:
Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
What is it?

Code: Select all

(function() {
      const w = window;
      const k = function() {};
      w.watch('java', k); // wonderful trick reducing w.java resolution by a 100 factor,
      w.watch('Packages', k); // by skipping InitJavaProperties() and undeffing Packages and java
      const g = function() {
        const d = w.document;
        const o = d.createElement("object");
        o.type = "application/x-java-vm";
        o.data = "data:" + o.type + ",";
        d.body.appendChild(o);
        d.body.removeChild(o);
        w.__defineGetter__("java", k);
        w.__defineGetter__("Packages", k);
      }
      w.__defineGetter__("java", g);
      w.__defineGetter__("Packages", g);
    })()
EDIT:
actually it looks like I talked too fast. The code above does reduce the execution time by two orders of magnitude, but unless I disable the plugin the JVM gets instantiated anyway :(
So I'll end combining plugin disablement and the trick above to keep the execution time well under 10 milliseconds while effectively intercepting the Java properties without instantiating the JVM.

EDIT 2
Here's the reason why I was mislead about the extent of the trick above. It works fully on Fx 3.6 (speedup + JVM prevention), but only grants the speedup on Minefield, where the JVM instantiation can only be prevented by disabling the plugin.
However the overhead of the plugin status management is negligible enough not to grant a separate codepath for the 1.9.x branch.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)

Code: Select all

<script>
watch('java', function() {});
</script>
this starts the vm on 3.6 for me
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

al_9x wrote:
Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)

Code: Select all

<script>
watch('java', function() {});
</script>
this starts the vm on 3.6 for me
This doesn't for me, but I run at a very "strange" time (when the documentElement has been created but no script has run yet), so probably the timing plays a role in what is ultimately a bug which has likely been fixed on trunk. However, as I said, I'm ending to temporarily disable the plugin anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

Please check latest development build (2.0.6rc5).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

Giorgio Maone wrote:Please check latest development build (2.0.6rc5).
Confirmed. The only possible problem is lack of notification. On allowed pages you just get the puzzle, and on partial not even that. Maybe that's enough considering the likelihood of liveconnect actually being used, but probably the right thing here is an alert bar offering to allow java and optionally reload the page.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

Giorgio Maone wrote:
al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.
Is a consoleDump test really a performance hit? Being able to optionally see whether or not this interception takes place and also how long it takes, is helpful. I don't see the harm in it, it's effectively a noop when off (default)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?

Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.

Code: Select all

<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101130 Firefox/3.6.13
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.

al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.

Code: Select all

<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x »

Giorgio Maone wrote:
al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.
Is it possible to be notfified and cache the enabled state?
Giorgio Maone wrote:
al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.

Code: Select all

<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?
Here's a simple page:

Code: Select all

<a href="#" onclick="alert(java.lang.Math.PI);">PI</a>
<iframe></iframe>
If you disable interception or disable Java, it does not happen.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone »

al_9x wrote: Is it possible to be notfified and cache the enabled state?
Unfortunately not. I checked the "plugin-list-updated" notifications (which, together with "plugin-crashed" is the only observable event fired by PluginHost), but it is triggered only by navigator.plugins.refresh().

al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.

Code: Select all

<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
Here's a simple page:

Code: Select all

<a href="#" onclick="alert(java.lang.Math.PI);">PI</a>
<iframe></iframe>
If you disable interception or disable Java, it does not happen.
I can't observe this. Tested both on Minefield and Firefox 3.6.12 (default NoScript options + extended embedding restrictions); all it happens when I click the link is the URL changing to (...)# and the Blocked Objects menu being added of Java-enablement options.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Post Reply