A brief explanation on how to exploit the glory of scope in JavaScript
Baconman321 (542)

@persassy2109 This is for you (and the rest of you all who don't know the wonders of scope).

DISCLAIMER:

There is a way around all of this with devtools (pause the debugger inside a function and you can read and change its local variables). The average person playing your game will not know how to do that, unless you post it in a coding community like this one. So scoping offers some protection against casual tampering from the console, not against a determined user.

Even so, it is a good idea to wrap your code in an IIFE to avoid polluting the global scope, especially if you are importing external scripts (which should themselves either be modules or be wrapped in an IIFE). An external script cannot reach into your function's scope unless you hand it a reference. Since JavaScript is executed on the client side, the user can both read the source code of your application and manipulate it, with devtools or something else.

DO NOT TRUST CLIENT-SIDE JAVASCRIPT WITH SENSITIVE INFORMATION OR WITH ENFORCING THE RULES...EVER!!! Anything that matters (high scores included) has to be checked again on the server.

Anyways, moving on...

You just made a game...

"OOH, I just made a new game, it's so nice! I made high scores and everything! But, oh... wait! Someone got a score of infinity! How is that possible??? I'VE BEEN HACKED, HOW IS THIS POSSIBLE?!"
Easy: they opened the console, called the function that sets the high score and passed in Infinity. I'm disappointed that people today don't know how to exploit scope in JavaScript. What's next, y'all won't know how to use private methods (actually I've never even touched a class outside of JavaScript, but I still know what that is!)?
Today guys (and girls, gotta include everyone), I will show you how to prevent (for the most part) exploits via devtools (or other console tools). Note that this is not 100% effective and you should still follow all the other rules of thumb for making a safe and secure game (like anti-XSS measures; if you unwittingly allow XSS, an injected script runs as part of your page and the point of this tutorial is moot). Well, let's get into it then! Onward.

Did you know JavaScript has classes? Pretty cool right?!
A teeny tiny problem though: for most of its history it has not had private methods or values (modern engines now support `#private` class members, but plenty of tutorials and older code predate them). Without them, anyone can call those methods and change the values (like Player.playerSpeed, for example)... right?
Yep.
"Oh, no! How do I fix this?!", you might say.
Even without language-level private methods (method is a fancy word for a function inside a class or object) or values, you can always make them private because of this one thing (a wonderful thing) called scope!
Note that I include very simple examples here because I, too, am fairly new to this. Anyways, Onward Ho!

Now, imagine you have a game. In your game you have a Player object that stores and controls information on the player. You have a Player.setSpeed() method that you call when the player gets a speed power-up. You post it on repl share, and it gets trending! But then, oh! Kobeff (sorry kobe, just teasin u ;D) has posted a pic of him modifying the player speed by calling Player.setSpeed() from the console and passing in 1,000. Now he can zip around like the Flash and pass all the monsters in a breeze!
How do you fix this to prevent the mighty Kobeff (sorry Kobe... again) from Oofing your game? One very simple thing is to wrap all your code in an IIFE (immediately invoked function expression), so that Player is a local variable of that function instead of a property of window. Here's an example of code wrapped inside an IIFE:

(function(){
   console.log("Look ma, I'm trapped inside a function!");
})();

An immediately invoked function expression is just what it sounds like: a function that is immediately invoked.
"Why might this be of any help to me?" you may ask.
Well, it all has to do with scope.
What is scope?
According to wikipedia:

In computer programming, the scope of a name binding—an association of a name to an entity, such as a variable—is the part of a program where the name binding is valid, that is where the name can be used to refer to the entity.

Wow, even I don't fully understand that. What does it mean?
Imagine you have a safe. It is super locked. Inside the safe, imagine each of the objects came to life. Each object can interact with the others, but an object that came to life outside the safe, say... a tin soldier, can't interact with those inside the safe. Now, replace the safe with a function and the objects with variables (or other storage) and you've got yourself the meaning of scope.
The devtools console evaluates whatever you type in the global scope (unless the debugger is paused inside a function). Global means the very highest scope. If you define a function in the global scope and console.log the window object, you will see that function as a property of window, AKA the global object. But if you define a function inside another function, that inner function is only visible from inside the outer one, and it can see the outer function's variables.

Functions inside a function can see (close over) all the outer function's variables, and everything can see the global scope. That is why this is perfectly valid:

let globalVar = "Hello from the global scope!";
function outerFunc(){
   console.log(globalVar);
}
outerFunc();
//Will log "Hello from the global scope!"

However, you cannot reach a function's local variables from outside of it.

function outerFunc(){
   let secret = "Hehe, I will never be exposed!";
}
outerFunc();
console.log(secret);
//Throws ReferenceError: secret is not defined (not "undefined": the name does not exist out here at all)

Of course, there is a flip side. Remember how I said that a function can see all of the outer scope's variables and objects?
Well, you can also change the outer scope's variables from inside a function.

let globalVar = "I am global!";
function changeVar(){
   globalVar = "Hehe, I am secret... right?";
}
changeVar();
console.log(globalVar);
//Will log "Hehe, I am secret... right?"

Another thing to note:
Since JavaScript (in sloppy mode) lets you assign to a name you never declared, you have to watch out for the scoping of such assignments: if you assign to a variable without a declaration keyword (like let, const or var), it is created as a property of the global object, so it leaks out of whatever function you wrote it in. For instance:

function makeGlobal(){
   myGlobal = "This is global";
}
makeGlobal();
console.log(myGlobal);
//Will log "This is global"

In strict mode ("use strict"; at the top of the script, or any ES module) the same assignment throws a ReferenceError instead, which is one good reason to write strict code.

Of course, there are probably a few more rules... but that is your daily dose of basic scope understanding.
If you want to read more about scope, try this mozilla article!
Now, go make your game untamperable (ok, somewhat untamperable... don't forget to follow the other security methods)!

Now the mighty kobeff cannot mess with your game
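
Here is the Player example from above as an added worked example; it is not code from the original post. The `Player` object, the `speed` and `highScore` names and the `game` wrapper are made up for illustration. Version 1 is the global object any console user can reach; version 2 keeps the setter inside an IIFE and only hands out the functions the game itself needs. The last function shows the implicit-global pitfall beside the strict-mode behaviour, using `new Function` so the sloppy-mode case runs no matter how the surrounding file is loaded.

```javascript
// Version 1: everything global. Any script on the page, and the devtools
// console, can call Player.setSpeed(1000).
globalThis.Player = {
  speed: 1,
  setSpeed(n) { this.speed = n; },
};

// Version 2: the game lives inside a function scope. Only what the IIFE
// returns is reachable from outside; setSpeed is deliberately not returned.
const game = (function () {
  let speed = 1;        // local variable, not a property of any object
  let highScore = 0;

  function setSpeed(n) { speed = n; }            // private to this scope

  function applyPowerUp() { setSpeed(speed * 2); } // the game's own path to it

  function submitScore(s) {
    // Still client-side: a paused debugger can call this with anything.
    // The check only stops the lazy Infinity trick; the server must re-check.
    if (Number.isFinite(s) && s > highScore) highScore = s;
  }

  return {
    applyPowerUp,
    submitScore,
    getSpeed: () => speed,
    getHighScore: () => highScore,
  };
})();

// What code running in the global scope (e.g. the console) can and cannot reach.
function exposureReport() {
  return {
    globalSetSpeedReachable: typeof globalThis.Player.setSpeed === "function", // true
    scopedSetSpeedReachable: typeof game.setSpeed === "function",             // false
    scopedSpeedIsProperty: "speed" in game,                                   // false
  };
}

// Implicit globals: assigning to an undeclared name in sloppy-mode code
// creates a property on the global object. Functions built with the Function
// constructor are sloppy unless their body opts in, so both cases can be
// observed here regardless of whether this file itself is strict.
function implicitGlobalDemo() {
  new Function("leakedScore = 9001;")();   // sloppy: creates globalThis.leakedScore
  const leaked = globalThis.leakedScore;
  delete globalThis.leakedScore;           // clean up the leak we just made

  let strictThrew = false;
  try {
    new Function('"use strict"; leakedScore2 = 9001;')();
  } catch (e) {
    strictThrew = e instanceof ReferenceError; // strict mode refuses the assignment
  }
  return { leaked, strictThrew };
}

// Usage: game.applyPowerUp(); game.getSpeed() is now 2, but nothing outside
// the IIFE can call setSpeed(1000). exposureReport() and implicitGlobalDemo()
// return the observations described in the comments above.
```

Note that `submitScore` still runs on the client: a debugger paused inside the IIFE, or a userscript that patches the page, can call it with any number, so the finite-number check is a convenience, not a security control. The authoritative check belongs on the server.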

xxpertHacker (649)

Did you know JavaScript has classes? Pretty cool right?!
A teeny tiny problem though, it doesn't support private methods or values! Now anyone can access those methods and change the values (like Player.playerSpeed for example)... right?

Hmmm... hmmm... because JavaScript doesn't have private methods?

class T {
    static #log = console.log;      // private static field

    #meth() {                       // private method
        T.#log("Meth... wait no, that's a drug!");
    }
}

T.#log("Haha, these aren't even private, phff, I'm using it right now!");
// SyntaxError: #log is private; a #name outside the class body does not parse

new T().#meth();
// SyntaxError for the same reason: the whole script is rejected before it runs

I'm waiting for private symbols, those are gonna be nice.

Today guys (and girls, gotta include everyone),

There are more than two genders :/

I will show you how to prevent (for the most part) exploits by devtools (or other console tools).

Nope, in devtools you actually have 100% power over everything, I can change values in scope, in a module, in a function, in a class, etc, at will.

Yes, you can do this:

// mod.mjs
{
    function foo() {
        class T {
            constructor() {
                let x = true;

                console.log(x);

                debugger;

                console.log(x);
            } // T::constructor
        } // T
    } // foo
}

and I can guarantee that if I wanted to, I could make it say

true
false

Because dev tools let us play god :)

Tampermonkey exists.

Scope is just encapsulation.

since JavaScript allows you to declare variables without a var const or let keywords, you have to watch out for the scoping of declaring a variable without a declaration keyword, because if you declare a variable without a variable declaration keyword (like let or var), you will automatically bind it to the global scope!

Umm... since when? A decade ago?

"use strict";

f = 5.0; // throws ReferenceError

Just write modern code, it's not hard.
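
As an added example (not code from the thread), here is what the `#`-private members mentioned in the comment above look like in a runnable form, using a made-up `Player` class. The `#speed` field and `#setSpeed` method exist but are not properties of the instance, and any attempt to name them from outside the class body is rejected by the parser; the `new Function` call is only there so that the parse error can be observed at runtime. Devtools can still inspect private fields when paused in the debugger, which is consistent with the comment's point about devtools.

```javascript
class Player {
  #speed = 1;                                   // private instance field
  static #clamp(n) { return Math.min(Math.max(n, 0), 10); } // private static method
  #setSpeed(n) { this.#speed = Player.#clamp(n); }          // private method
  powerUp() { this.#setSpeed(this.#speed * 2); }            // public path to it
  get speed() { return this.#speed; }                       // read-only view
}

function privateMemberReport() {
  const p = new Player();
  p.powerUp();

  // "p.#speed" outside the class body is a SyntaxError at parse time, so it is
  // placed in a separately parsed function to observe the error.
  let outsideAccess;
  try {
    new Function("p", "return p.#speed")(p);
    outsideAccess = "allowed";
  } catch (e) {
    outsideAccess = e.constructor.name;         // "SyntaxError"
  }

  return {
    speed: p.speed,                              // 2
    enumerableKeys: Object.keys(p),              // []  (#speed is not a property)
    ownProps: Object.getOwnPropertyNames(p),     // []
    stringKeyLookup: p["#speed"],                // undefined: the string "#speed" is unrelated
    outsideAccess,
  };
}
```

The difference from the IIFE approach is where the privacy lives: a `#name` is private to the class body, while a closure variable is private to the function that declares it. Both keep the value off the object, and neither is a barrier to someone with the debugger open.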

Baconman321 (542)

@xxpertHacker Huh, I thought you can't go into scopes in devtools...
I also didn't know that JavaScript had private methods...

How could you change something in a scope though?

xxpertHacker (649)

@Baconman321 There's always more to learn/know :)

Dev tools allow more control over JavaScript than JavaScript itself.

Baconman321 (542)

@xxpertHacker Oh yeah, I found out. Pause debugger and then you can step in-out of functions. Still, wrapping things in an IIFE is good practice, especially if you are loading external scripts (which should already be wrapped in an IIFE, but still). Also, there isn't really a way (or at least an easily made way) for external scripts to go into scopes (unless you bring them into the scope), right?

Baconman321 (542)

@xxpertHacker Static just prevents you from accessing the property on instances (but it can be accessed in subclasses).
Also, what's the need for symbols (except that are all unique even if you have the info passed in)?

Baconman321 (542)

@xxpertHacker LOL I hope no one ever declares variables that way...
Technically I guess when you write it that way you are basically saying

myVar = "Hello, world!";
//basically window.myVar = "Hello, World!";
xxpertHacker (649)

@Baconman321

LOL I hope no one ever declares variables that way...

Still, wrapping things in an IIFE is good practice, especially if you are loading external scripts (which should already be wrapped in an IIFE, but still).

This sounds like the thinking of someone who wrote kiddie scripts in JavaScript ~15 years ago :/

This is bad practice.

That is not a variable declaration, that is property assignment.

iifes are 100% useless.

(function () {
    let x = ...;
    ... exec code ...
})();

vs

{
    let x = ...;
    ... exec code ...
}

Why in the world would you write the former!?

xxpertHacker (649)

@Baconman321

Static just prevents you from accessing the property on instances (but it can be accessed in subclasses)

Umm... no, it can't be accessed in subclasses.

It can be accessed anywhere inside the class, but only in the class, including instances.

Symbols: privacy & branding.

xxpertHacker (649)

@Baconman321

for external scripts to go into scopes (unless you bring them into the scope), right?

:/

https://repl.it/talk/learn/The-Modern-JavaScript-Tutorial-Series-Part-2/81460

Baconman321 (542)

@xxpertHacker Oh you can wrap everything in {} now?
Huh, well I guess I learned JavaScript from an older tutorial. Still, I use IIFEs for something like event.respondWith() because it takes a response instead of a function so I run a function to return a response. Still, I like em.

Baconman321 (542)

@xxpertHacker Huh I got the info straight from stackoverflow. Must be an older version or I read it wrong :/

Imagine using Classes in JavaScript

xxpertHacker (649)

@Baconman321 Umm... yup, you can wrap everything in { ... } for like... the last 6 or 7 years?

Even works on I.E., so yeah, it's old.

Just make the surrounding callback async and you won't need the iife :/

xxpertHacker (649)

@Baconman321 Stackoverflow is the most outdated place I've ever been to. Please don't use them for remotely modern code.

Baconman321 (542)

@xxpertHacker It doesn't like it if I put anything before the event.respondWith(). Plus, I think IIFEs are important. Oh well.
Most of the weird stuff in JavaScript is the side effect of having such weird syntax and rules.

Baconman321 (542)

@xxpertHacker LOL if you're searching for an answer by a search engine, yes.
I think they just point new answers to old ones that's the problem.

Plus, where would I get a modern tutorial?
Mozilla?
I tried learning web audio API from them but epically failed (I guess I don't know enough about music or anything related to music. Plus it's all linked to each other so I didn't know where to start).

xxpertHacker (649)

@Baconman321

Most of the weird stuff in JavaScript is the side effect of having such weird syntax and rules.

JavaScript can be as simple or as complex as you make it.

Imho, I keep it simple, and everyone else (you included) prefer to take the most roundabout ways of doing anything. But, maybe I'm wrong, who knows?

xxpertHacker (649)

@Baconman321

Plus, where would I get a modern tutorial?

https://javascript.info didn't seem that old? I never used it though, so idk, I'd have to really check it out.

Otherwise, such a place doesn't exist. Honestly, I think most of what I know is from V8 developers showing off that they can execute bleeding edge code, that and TC39, lol.

Baconman321 (542)

@xxpertHacker Since there are so many ways of learning JavaScript, there are some people who still think of making their own iteration instead of using .forEach() on arrays.
I learn much from stackoverflow because it's the one major resource that isn't blocked (I hate my school's firewall). Honestly I'm a pretty bad coder because I have so little resources.

Baconman321 (542)

@xxpertHacker I used javascript.info for learning about indexedDB. They are pretty good, yeah. As with the older code, it's perfectly fine to use it. It's also easier to make it more compatible (but I have mixed older stuff with newer stuff so not really anymore XD).

xxpertHacker (649)

@Baconman321

Since there are so many ways of learning JavaScript, there are some people who still think of making their own iteration instead of using .forEach() on arrays.

Well... okay yeah, then again I use asynchronous recursive yielding... ex: http://repl.it/@xxpertHacker/Thread, lol, code like that is way too "different" from the average JS.

I learn much from stackoverflow because it's the one major resource that isn't blocked (I hate my school's firewall).

I've been trying to get past my school's blocking extension for the last ~3 hours this morning, almost did it, then the site I made it to said something wasn't working correctly :)

Honestly I'm a pretty bad coder because I have so little resources.

I don't remember where I learned half of what I have, I just learn it and continue.

Iirc, I started at FCC and checked out stuff from https://web.dev... and listened to other coders that I know, ofc.

Baconman321 (542)

@xxpertHacker I could easily bypass my school's firewall, but then they would just get mad at me and take away the devtools (I think they don't know I have it).

xxpertHacker (649)

@Baconman321 I wish I had devtools right now...

Baconman321 (542)

@xxpertHacker Wait you don't?
How do you even bypass the school's firewall?
My firewall is just a chrome extension...

xxpertHacker (649)

@Baconman321 So is mine.
At this point, I really can't, they've caught on and stopped most of what I've done.

How do you bypass yours?

Baconman321 (542)

@xxpertHacker I can use devtools probably to stop the extension's execution.
Also, it only blocks web searches and iframes (and websites).
I just fetch the website through no-cors and post it as a srcdoc instead of src in an iframe.
Of course, some resources won't load, but useful for reading a website like, say - developer.mozilla.org.

Wait, do you have goguardian?

xxpertHacker (649)

@Baconman321

Wait, do you have goguardian?

Ugh, yes.

A better way would be to open the fetched result in its own tab as a Blob, ex: https://repl.it/talk/learn/Phff-js-for-const-url-p/79171/365888 (doesn't fetch external resources)

Still, doesn't work for sites that I care about.

Repl has a few proxies around here, most are bad.

Baconman321 (542)

@xxpertHacker XD I bet you don't go to our school (would be a huge coincidence).
We should make an "unblocker" called
goguardian-goaway
XD

Also, I don't think it works well for webpages (the unblocker) because a lot of things are relatively linked meaning it won't work right?

Also, our school is super protective so if I try anything they know immediately.

xxpertHacker (649)

@Baconman321 That's why I said

(doesn't fetch external resources)

My school is "protective" too, but they're... slow, like, they're delayed in all of their actions, and their tech team is 100% incompetent.

Baconman321 (542)

@xxpertHacker XD wish I had a school like urs.

Baconman321 (542)

@xxpertHacker

#include <iostream>
int main() {
  int* ptr = NULL;
  std::cout << *ptr;
}

Annoyance intensifies

...That's a null pointer, right?

xxpertHacker (649)

@Baconman321 Ugh, no, get that C out of here.

#include <iostream>

int main() {
    decltype(auto) pointer = static_cast<int signed const * const>(nullptr);

    decltype(auto) number = *pointer;

    std::wcout << number;
}

https://repl.it/talk/ask/Whippingdot-One-thing-I-know-is-that-C/112204/406279

Baconman321 (542)

@xxpertHacker That was C++.
Also, what is wcout?
And autp?

xxpertHacker (649)

@Baconman321 Fixed "autp" immediately after posting, reload it.

Also, no, NULL is C, not C++.
I can write a C program and compile it in a C++ compiler, it doesn't mean that it's C++, it's still C.

Baconman321 (542)

@xxpertHacker K.
Hmm, just replace NULL with 0 then (since they are the same)?

Baconman321 (542)

@xxpertHacker Y?
LOL why are null pointers so bad? You could easily crash your program in many other ways (ok, well most wouldn't get compiled that's the best part about compiled languages).

In fact, ironically they can actually be pretty useful.

Baconman321 (542)

@xxpertHacker Yo sometime wanna make a web server in C++?
We can define TCP sockets (and we can have fun reading the RFC 2616 hypertext transfer protocol documentation).
:D
I tried making a little C++ repl that used structs. Caught on pretty quickly so I'd like to actually try to learn C++ a bit more.

Baconman321 (542)

@xxpertHacker U used a library tho. Right?

I want to try making a C++ web server but IDK where to start.
:(

xxpertHacker (649)

@Baconman321 Of course, you can see my response to others attempting to make an entire server library here:

https://repl.it/talk/ask/Seg-fault/87284

I practically bullied them for making the server...

xxpertHacker (649)

@Baconman321 By merely having null pointers in a language, you screw over the entire language and every single person who uses the language.

Just don't introduce them at all and everything would be much better.

Baconman321 (542)

@xxpertHacker I didn't get it :(
Hmm do I have to use an http server library or can I define it myself
Or is it too much work to even think about.

How da heck do u know so much about C++???

xxpertHacker (649)

@Baconman321

I didn't get it :(

I told them not to make the server, and that they're wasting their time by making the server instead of already having a lib. Don't recreate the wheel, especially if you can't out do the current wheel.

Hmm do I have to use an http server library or can I define it myself

Libraries exist to be used.

Or is it too much work to even think about.

It's a lot of work, have fun setting up those HTTP sockets on your own, and then there's the WebSockets, and make sure every file is sent in parallel, and it better be using HTTP 2 protocol or it's just outdated, and lastly, make sure not to use an invalid reference or pointer, or you'll crash.

And to top it off, make sure your threads don't deadlock or cause a race, and cache as appropriate. Good luck!

Oh wait, one more thing, make sure to use a thread pool, and distribute the workloads correctly across the threads.

Baconman321 (542)

@xxpertHacker Hmm, yeah I guess I'll use a library for now.
Is there any good tutorial for starters (I can catch on to the commands I bet)? Also I can't find a good web server library.

Also I heard there's problems with keeping the connection open (an attacker can open a connection an infinite amount of times causing it to crash), but I bet that's if I was to make my own http server from scratch.

Yeah, C++ is too low level for anything useful except where major performance is needed, and Golang is pretty good for that.

Baconman321 (542)

@xxpertHacker (Forgot to tell u) If you have control over your internet all you have to do is make the connection for goguardian's redirect time out. If goguardian's blocked page can't load then it can't redirect. I found out this because my dad blocks new connections to "shut off the internet". The school blocks ip addresses but I had one set up on my chromebook. When I had the internet on (but not "connected") and went to the ip address it didn't redirect because goguardian couldn't load the blocked page.

xxpertHacker (649)

@Baconman321 o_O Cool, block GG's IP and I'm free, nice to know.

But... we use this too, it's what does the actual unblocking over here, GG is used just for spyware :/

Baconman321 (542)

@xxpertHacker XD goguardian actually took away the keystroke logger and all cuz school got sued for remotely taking pic of student and holding it for punishment. I actually made my own keystroke logger that works and all (hashes data before being stored in a LOG file tho).

Also securly rated 1 star XD (oh from students... makes sense).

xxpertHacker (649)

@Baconman321 Check the reviews :) Even I left one for them.

I made a keylogger too and didn't use it for anything ethical.

Baconman321 (542)

@xxpertHacker Yeah, any extension used for school blocking will get one star cuz kids.

Please say you didn't deploy the keylogger...
My case manager got mad at me for making the keylogger (had to tell her it was ethical). She emailed my parents XD (my parents already knew since I announced it proudly around the house).

xxpertHacker (649)

@Baconman321

Please say you didn't deploy the keylogger...

... good question, but let's leave it at that, just a question :)

Baconman321 (542)

@xxpertHacker XD probs ez to hack (u made it in JS right? I did cuz I can't run exe files cuz chromebook) and bypass.

xxpertHacker (649)

@Baconman321 Yeah, JS, but once the listener is attached, the code is bullet-proof, like most of my code.

Baconman321 (542)

@xxpertHacker How? You literally said yourself devtools lets you play god. Devtools gives u more control than JavaScript itself.

Ofc you could check if the listener is there and if it's not add a new one. I made it so once the page unloads (about to unload) it sends the data. Better way would set up web socket and send data every keypress or so often. OFC you could also block the connection client-side too (with firewall). Remember, there's always a way around if ur sending it over internet.

Wait is it an extension or userscript?

xxpertHacker (649)

@Baconman321 You're asking for too much information, that's classified.
Also, devtools do allow you to detach event listeners... but who says that I can't... reattach it? >:)

Now, I've got a Wasm generator to get back to, some Chromium bugs to check up on, a page to write, and a whole lot of other stuff to do.

xxpertHacker (649)

@Baconman321 Hey, there was that time that you thought that I used Wasm just for obfuscation, but I just exposed SIMD operations to JavaScript via Wasm, and it only uses numbers.

Mozilla has a simple explanation of what it is here:
https://wiki.mozilla.org/SIMD/Overview

I threw together a quick script to generate the Wasm here https://repl.it/@xxpertHacker/vect-lib

But... it generated 397 different operations, so... this will be a whole lot of typing for one person, if you know any TypeScript, do you wanna help me out?

Baconman321 (542)

@xxpertHacker That's exactly what I was thinking of. Check if the event listener is there if not attach it. Of course, still ways around it but still (I should add that to my keystroke logger).

Baconman321 (542)

@xxpertHacker Sorry I don't know typescript :(
I like plain ol vanillajs

xxpertHacker (649)

@Baconman321 Eventually it will literally become a war of how good are they at using dev tools, vs how bullet-proof can JS get?

xxpertHacker (649)

@Baconman321

I like plain ol vanillajs

😦... still not versed in statically-typed languages yet?

Baconman321 (542)

@xxpertHacker Huh, wintersp said that devtools has more control over javascript than javascript...

Baconman321 (542)

@xxpertHacker No I like statically typed languages (I found JS so easy now that I moved to statically typed, but I'll probably switch to thinking JS so hard), they are amazing!
It's just that I like coding in plain old JavaScript for now. I think I'll learn typescript though.

xxpertHacker (649)

@Baconman321 Yup, I said the same, it does. Btw, devtools allows one to observe + debug more than just JS, ex: Wasm and native operations (e.g.: C++).

xxpertHacker (649)

@Baconman321 Here's my opinion on TS, it's weird. Guess it's a hit or miss language, but coming from low-level languages, I hate its structural type system.

If you write TS and assume that I'll fix everything, you're likely mistaken, TS has a good number of loopholes built into the language itself.

And if you learn TS, it has no type casts. Talk about a statically typed language, all it has are unsafe type assertions and control flow.

Avoid them, use the runtime flow deduction instead, always.

if (typeof x === "number") {
    // use as a number
} else {
    // throw new TypeError?
}

You'll find that others agree (abstract, but related):

xxpertHacker (649)

@Baconman321 Totally random, and kinda late, but I figured out that you can just block the hardware backed certificates that your firewall's site + extension uses in chrome://settings/certificates

Baconman321 (542)

@xxpertHacker Oh cool. Yeah, but wouldn't it just redirect it and give you an error instead. You gotta make the connection time out so that it doesn't redirect.

But my school probs knows that so it probably forced the certificate for that. It probably just uses location.href and if you make a certificate error it will still redirect. Plus blocked.com-default.ws uses http and not https so it doesn't work for me :(

Lel what grade are you even in (just curious)?

xxpertHacker (649)

@Baconman321 Worked in my situation just fine, the extension itself needs a certificate, and mine in particular used hardware-backed Amazon certifications; I disabled them so their extension and site are blocked by Google Chrome itself, e.g. Chrome pops up that their site isn't safe.

Lel what grade are you even in (just curious)?

That's asking for too much.

Baconman321 (542)

@xxpertHacker Oh kk.

I'm assuming you're in somewhere from 8th-10th.
:D

Also, I can't find the certificate for mine so...
Oh well.