Figuring out malicious *JS scripts ● SmileBASIC Source

Figuring out malicious *JS scripts

So you want to get some amazing SiteJS scripts. Someone says they wrote a super small script that can add admin features. They show you a screenshot of the admin area, and you ask for the script, thinking it's real. Most likely, though, you just got a scam script.

What are scam scripts?

Scam scripts are scripts that do something other than what the people sharing them say they do. Usually the real behavior is malicious, possibly stealing your browser cookie! You might be thinking, "What's so bad about someone having my cookie?" The answer is: pretty catastrophic. Your cookie tells SBS who you are. People with your cookie can pretend to be you to the server, and that's not good, because now they can find out info about you, or get you banned!

How can I protect myself against scam scripts?

Quite simply, look through the script first. If you see any references to document.cookie, DON'T USE IT!!!

If it causes malicious behavior, like blanking out pages, go to http://smilebasicsource.com/editor?nositeJS=1&type=site to access your siteJS editor and remove it. If you randomly "log out" but you keep your theme, OR you're able to join chat, remove the code immediately!

Finally, if it's obfuscated, don't use it. There really is no need for obfuscated scripts unless you're selling scripts or making a malicious script. Usually, you can easily tell a script has been obfuscated if it has a bunch of references to weird hex numbers, or is all on one line for no reason.

Don't forget to be critical. If you think something's too good to be true, it PROBABLY is. If you don't understand JS, ask someone who does to check the script for you, like me (BrokenR3C0RD). Don't use the script if they say it's malicious.
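The checks described above, automated as a first-pass triage. This is an added example, not code from the article's author or from SmileBASIC Source; the rule names, the 500-character line cutoff and both sample scripts are assumptions constructed here. It goes slightly beyond the article by also flagging script-element creation and password-field references, which the comments on this page raise.

```javascript
// Heuristic pre-install triage for a siteJS script (added example).
// Rule names and the line-length threshold are assumptions, not site policy.
const RULES = [
  { id: "cookie-access", re: /\bdocument\s*(\.\s*cookie\b|\[\s*["'`]cookie["'`]\s*\])/ },
  // document[...] with anything other than one plain string literal inside
  { id: "computed-document-prop", re: /\bdocument\s*\[\s*(?!["'`]\w+["'`]\s*\])/ },
  { id: "hex-escapes", re: /(\\x[0-9a-fA-F]{2}){4,}/ },
  { id: "hex-identifiers", re: /\b_0x[0-9a-fA-F]{3,}\b/ },
  { id: "dynamic-eval", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: "remote-code-load", re: /createElement\s*\(\s*["'`]script["'`]\s*\)/ },
  { id: "password-field", re: /type\s*=\s*["']?password/i },
];
const MAX_LINE = 500; // assumed cutoff for "all on one line for no reason"

// Returns [{ rule, line }] for every match; matching runs over the whole
// source so a reference split across lines is still found.
function triageScript(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(new RegExp(re.source, re.flags + "g"))) {
      findings.push({ rule: id, line: source.slice(0, m.index).split("\n").length });
    }
  }
  source.split("\n").forEach((text, i) => {
    if (text.length > MAX_LINE) findings.push({ rule: "very-long-line", line: i + 1 });
  });
  return findings.sort((a, b) => a.line - b.line);
}

// Any finding means "do not install until someone who knows JS has read it".
function verdict(source) {
  const reasons = [...new Set(triageScript(source).map((f) => f.rule))].sort();
  return { install: reasons.length === 0, reasons };
}

// Constructed samples (not real scripts from the site).
const BENIGN = `// recolors the page header
document.querySelector("header").style.background = "#234";`;
const SUSPICIOUS = `// advertised as "adds admin features"
var _0x3fa1 = ["\\x61\\x64\\x6d\\x69\\x6e"];
var c = document.cookie;
var s = document.createElement("script");`;

console.log(verdict(BENIGN));
console.log(verdict(SUSPICIOUS));
```

A clean result only means none of these patterns matched. It does not replace reading the script, because pattern matching cannot see code that is fetched at run time.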
Author: MasterR3C0RD
Rating: 4 votes
13 Comment(s)

ToadIsTheBest:
G R E A T T U T O R I A L T O S T A Y S A F E

chicken:
Hey guys! Check out this script I made! document.cookie

ToadIsTheBest:
amazing joke

randomous:
It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.

Y_ack:
You have to be logged in for personal JS to run question mark.

randomous:
All they have to do is fake the login area and make it look like you're not logged in (even though you are). It's not too hard to do.

Y_ack:
More code == More noticeable.

randomous:
Sure, it would be a more complex attack vector. But it could easily be hidden on another server, and the JS they install could simply load this other code, so you really need to be careful.

Minxrod:
Maybe you could add something about using the "find word" function some browsers have to automagically check for document.cookie. Scanning it manually might miss it. Obfuscation is more obvious, so no automatics there.

MasterR3C0RD:
It can be pretty simple to find document.cookie in a script, even for people with no knowledge of JS. Basically, just be skeptical if the script doesn't look right.

Minxrod:
Ok.

ElzoBro:
Can't an Admin just make it impossible to reference cookies in the JS? Maybe just block the word Cookies or something like that.

MasterR3C0RD:
Sorry, not how it works. It can't be blocked without breaking scripts