LoginLogin
Might make SBS readonly: thread

Protecting yourself from malicious *JS scripts

Root / Submissions / [.]

MasterR3C0RDCreated:
So you've been looking to make your experience on the site a bit more interesting. You find a script, and run it without looking at it. At this point, you've already practically given your account to whoever wrote it. Common sense and rational thinking can help you a lot when deciding which scripts to use and which scripts not to use. Here, I'll highlight some ways to tell what a script is doing and what it isn't doing

ChatJS

ChatJS scripts are the most common scripts you'll find. They often add very useful features, like add nicknames you can change, or hide annoying users (written by me!). Some could do things that aren't too great though. For example, some scripts could, in fact, steal your session cookie (which I'll refer to as "session") or your chat authentication token (which I'll refer to as "chatauth"). Your session is how SmileBASIC Source knows that you are logged in, and if someone was to steal it, they could use it to get your email or other information you have on your account. The chatauth, on the other hand, allows someone to connect to chat as you, which could get your account banned if they do something malicious with it. Scripts that do this kind of thing will likely have references to either sending either document.cookie or chatauth with genericXHR or XMLHttpRequests. If you see a script like this, and it's from someone you do not trust, do NOT add it to your chatJS. Instead, ask a developer on the site that has ChatJS experience. Examples include 12Me21, myself, or Y_ack. We can likely tell you if something isn't right with the code, and we can stop you from getting your account messed up.

SiteJS

SiteJS scripts are much more rare, and usually aren't shared. You likely want to be even more careful with this type script. A malicious script can really mess up the site, hiding things, faking logout to steal your password, or more. If you see ANY script that tries to access document.cookie, don't try to run it. You'll risk your account this way. You can do malicious things with ChatJS, but that's only restricted to the chat. SiteJS scripts are run on every page on SmileBASIC Source, and can do a lot more damage.

Help! I installed a malicious script and I can't access the JS editor to remove it! What do I do?!

Everyone makes mistakes. If you accidentally installed a bad SiteJS, go to http://smilebasicsource.com/editor?type=site&nositeJS=1. It will disable the loading of SiteJS and allow you to get to the editor to remove the script. Once you're done of that, make sure to report it to one of the site admins so they can take some sort of action. Now you should be a *JS pro! If you have any further questions, feel free to ask in the comments. I'd be happy to help!

Can't an Admin just make it impossible to reference cookies in the JS? Maybe just block the word Cookies or somethings like that.

Replying to:ElzoBro
Can't an Admin just make it impossible to reference cookies in the JS? Maybe just block the word Cookies or somethings like that.
Sorry, not how it works. It can't be blocked without breaking scripts

Maybe you could add something about using the "find word' function some browsers have to automagically check for document.cookie. Scanning it manually might miss it. Obfuscation is more obvious, so no automatics there.

Replying to:Minxrod
Maybe you could add something about using the "find word' function some browsers have to automagically check for document.cookie. Scanning it manually might miss it. Obfuscation is more obvious, so no automatics there.
It can be pretty simple to find document.cookie in a script, even for people with no knowledge of JS. Basically, just be skeptical if the script doesn't look right.

Replying to:Minxrod
Maybe you could add something about using the "find word' function some browsers have to automagically check for document.cookie. Scanning it manually might miss it. Obfuscation is more obvious, so no automatics there.
Ok.

It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.

Replying to:haloopdy
It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.
You have to be logged in for personal JS to run question mark.

Replying to:haloopdy
It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.
All they have to do is fake the login area and make it look like you're not logged in (even though you are). It's not too hard to do.

Replying to:haloopdy
It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.
More code == More noticeable.

Replying to:haloopdy
It's not just cookies they can take. They can simply look at your password when you login by pulling the text right out of the input field. They just have to add an event to the login submission that takes the password and sends it off to their server.
Sure, it would be a more complex attack vector. But it could easily be hidden on another server, and the JS they install could simply load this other code, so you really need to be careful.

Hey guys! Check out this script I made!
document.cookie

Replying to:chicken
Hey guys! Check out this script I made!
document.cookie
amazing joke

Oh, and BTW, If it loads another JS script from another server, don't use it.

Replying to:RGamesOffical
Oh, and BTW, If it loads another JS script from another server, don't use it.
This can be argued. If you're using a script that requires a well-known and respected library (and jQuery), it is probably safe. As always, just be careful about what you look at.

Replying to:RGamesOffical
Oh, and BTW, If it loads another JS script from another server, don't use it.
Like, the LZ loader is 100% safe as long as long as you donโ€™t load any bad scripts from LZโ€™s Repository.

Nice rewrite.