Protecting yourself from malicious *JS scripts ● SmileBASIC Source


So you've been looking to make your experience on the site a bit more interesting. You find a script, and run it without looking at it. At this point, you've already practically given your account to whoever wrote it. Common sense and rational thinking can help you a lot when deciding which scripts to use and which not to use. Here, I'll highlight some ways to tell what a script is doing and what it isn't doing.

ChatJS

ChatJS scripts are the most common scripts you'll find. They often add very useful features, like nicknames you can change, or hiding annoying users (written by me!). Some could do things that aren't too great, though. For example, a script could steal your session cookie (which I'll refer to as "session") or your chat authentication token (which I'll refer to as "chatauth"). Your session is how SmileBASIC Source knows that you are logged in, and if someone were to steal it, they could use it to get your email or other information you have on your account. The chatauth, on the other hand, allows someone to connect to chat as you, which could get your account banned if they do something malicious with it. Scripts that do this kind of thing will likely contain references to sending either document.cookie or chatauth with genericXHR or XMLHttpRequest. If you see a script like this, and it's from someone you do not trust, do NOT add it to your ChatJS. Instead, ask a developer on the site who has ChatJS experience. Examples include 12Me21, myself, or Y_ack. We can likely tell you if something isn't right with the code, and we can stop you from getting your account messed up.

SiteJS

SiteJS scripts are much rarer, and usually aren't shared. You likely want to be even more careful with this type of script. A malicious script can really mess up the site: hiding things, faking a logout to steal your password, or more. If you see ANY script that tries to access document.cookie, don't try to run it. You'll risk your account this way. A ChatJS script can do malicious things too, but it is restricted to the chat. SiteJS scripts are run on every page on SmileBASIC Source, and can do a lot more damage.
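
The checks described in the ChatJS and SiteJS sections, as an added example (not part of the original article and not the site's own code): a small Node.js scanner that flags lines touching document.cookie, chatauth or a password field, and escalates when the same script can also send requests. The fetch, sendBeacon and WebSocket names, the loader and obfuscation patterns, and the verdict labels are assumptions made for this sketch; the sample scripts are constructed.

```javascript
// Added example, not site code. Indicators follow the article and comments;
// fetch, sendBeacon, WebSocket and the obfuscation patterns are assumptions.
const RULES = [
  { tag: "secret", why: "reads the session cookie",
    re: /document\s*(\.\s*cookie\b|\[\s*["']cookie["']\s*\])/ },
  { tag: "secret", why: "touches the chat auth token", re: /chatauth/i },
  { tag: "secret", why: "mentions a password field", re: /\bpassword\b/i },
  { tag: "network", why: "can send data off the page",
    re: /\b(XMLHttpRequest|genericXHR|fetch|sendBeacon|WebSocket)\b/ },
  { tag: "loader", why: "loads a script from elsewhere",
    re: /createElement\s*\(\s*["']script["']\s*\)|\bimportScripts\b/ },
  { tag: "obfuscation", why: "builds code or strings at runtime",
    re: /\b(eval|atob|unescape)\s*\(|new\s+Function\b|fromCharCode|\\x[0-9a-f]{2}/i },
];

// Returns every matching line plus a verdict for the whole script.
function scanScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: i + 1, tag: rule.tag, why: rule.why, text: text.trim() });
      }
    }
  });
  const tags = new Set(findings.map((f) => f.tag));
  let verdict = "no-known-indicators"; // a clean scan is not proof of safety
  if (tags.has("secret") && tags.has("network")) verdict = "do-not-install";
  else if (tags.has("secret") || tags.has("loader") || tags.has("obfuscation")) {
    verdict = "ask-a-reviewer";
  }
  return { verdict, findings };
}

// Constructed sample inputs (not real scripts from the site).
const SAMPLES = {
  nicknames: 'var nick = "Guest";\nfunction rename(n) { nick = n; }',
  cookieSender: "var c = document.cookie;\nvar req = new XMLHttpRequest();",
  remoteLoader: 'var s = document.createElement("script");\ns.src = "https://cdn.example/lib.js";',
  hidden: 'var k = "docu" + "ment";\neval(atob(blob));',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const { verdict, findings } = scanScript(src);
  console.log(name, "=>", verdict, findings.map((f) => `L${f.line}: ${f.why}`));
}
```

A script that splits the property name across strings will not match the cookie rule, which is why runtime code construction is flagged on its own and routed to a reviewer.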

Help! I installed a malicious script and I can't access the JS editor to remove it! What do I do?!

Everyone makes mistakes. If you accidentally installed a bad SiteJS, go to http://smilebasicsource.com/editor?type=site&nositeJS=1. It will disable the loading of SiteJS and allow you to get to the editor to remove the script. Once you're done with that, make sure to report it to one of the site admins so they can take some sort of action.

Now you should be a *JS pro! If you have any further questions, feel free to ask in the comments. I'd be happy to help!

Author: MasterR3C0RD
Rating: 5 votes
Keywords: chatjs, sitejs, javascript, userscripts

16 Comment(s)

IAmRalsei: Nice rewrite.

RGamesOffical: Oh, and BTW, if it loads another JS script from another server, don't use it.

MasterR3C0RD: This can be argued. If you're using a script that requires a well-known and respected library (and jQuery), it is probably safe. As always, just be careful about what you look at.

IAmRalsei: Like, the LZ loader is 100% safe as long as you don't load any bad scripts from LZ's Repository.

kenchic: Hey guys! Check out this script I made! document.cookie

IAmRalsei: amazing joke

randomous: It's not just cookies they can take. They can simply look at your password when you log in by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.

Y_ack: You have to be logged in for personal JS to run question mark.

randomous: All they have to do is fake the login area and make it look like you're not logged in (even though you are). It's not too hard to do.

Y_ack: More code == More noticeable.

randomous: Sure, it would be a more complex attack vector. But it could easily be hidden on another server, and the JS they install could simply load this other code, so you really need to be careful.

Minxrod: Maybe you could add something about using the "find word" function some browsers have to automagically check for document.cookie. Scanning it manually might miss it. Obfuscation is more obvious, so no automatics there.

MasterR3C0RD: It can be pretty simple to find document.cookie in a script, even for people with no knowledge of JS. Basically, just be skeptical if the script doesn't look right.

Minxrod: Ok.

ElzoBro: Can't an Admin just make it impossible to reference cookies in the JS? Maybe just block the word Cookies or something like that.

MasterR3C0RD: Sorry, not how it works. It can't be blocked without breaking scripts.