Firefox and IE's "View source" can be spoofed to show anything (scriptjunkie.us)
85 points by dave1010uk on Sept 8, 2011 | hide | past | favorite | 40 comments


I believe Chrome shows the original source because when you View Source, it requests the page again. This complicates debugging Ajax requests (and also GET and POST requests).

Firefox and IE show the "current" source, which is liable to be replaced as shown by dave1010uk.

Type the following into the Chrome Dev Tools console, then the Firebug console:

  testBool = true;
  document.write('');
  typeof testBool;
Chrome shows boolean, Firefox shows undefined.


Note that re-downloading the source prevents this attack, but does not mean that the source you are looking at is what the page is actually running - just make the web server leave out the reference to evil.js the second time an IP address requests the page...


I think that's correct about Chrome. If you want to see the "current" source, the Web Inspector is the way to go.


I wondered if there is anything different about the second (view source) request that could be detected and a different response provided - but I don't think so after a quick look with WireShark.


Well, you could set up a temporary client blacklist based on cookies or IP addresses.


The Firefox plugin Web Developer lets you set an option (View source in tab) that makes it work like the Chrome view source.


If you right click in Chrome for 'inspect element' you also get disappearing source code.


Since the site seems to be down, you can read the article (no images unfortunately) in Google's Cache[1].

[1]: https://webcache.googleusercontent.com/search?q=cache:http:/...


I've recreated a simple proof of concept here: http://taskthere.com/viewsource/

It works in Firefox 6, not sure about any other browsers. If you want to see the actual source, disable JavaScript (or use Chrome or curl).


To see the actual source in Firefox 6, I just viewed the source without dismissing the alert; there was no need to disable anything. The only thing is that with the alert, I couldn't right click on the page and click on "View Page Source", I had to use the menu item Tools: Web Developer: Page Source (or its keyboard shortcut).


I used an alert as a quick example. You could put any HTML or JS on the page (e.g. links for SEO value, iframes with PDF exploits, a bitcoin miner or a video of Rick Astley) and when someone views the source it looks like there's nothing malicious.

Ctrl/Cmd-u can also be used to view source in Firefox.


If you want to view the current HTML source in Firefox you can use Ctrl+A and then right-click > "View Selection Source".

I think it's more a question of what you expect to see when you "View Source". For example, I have messed around with document.write a lot and it's pretty obvious to me that, if I use view source then it's going to give me the source and any changes done to it by document.write/open/close. In this case, since document.write is used after HTML parsing has been completed, it replaces the whole page and thus makes view source rather pointless.


This bug isn't showing the usual generated source but some kind of hybrid between original source and generated source.

- To see the original source, hit ctrl-u before dismissing the alert.

- To see the "hybrid" source, hit ctrl-u after dismissing the alert. I always expected this to be identical to what the webserver sent, just syntax highlighted. (Though I haven't messed around with document.close before.)

- To see the generated source, hit ctrl-a, right click & "View Selection Source". This is different to the original/hybrid source as Firefox inserts html tags to make the page valid. My example had no html, head, title or body tags. This should reflect the current page DOM, as affected by any JavaScript.


My intention was to suggest an easy way to view the actual source. I think your example is actually better as an example as it is easy to see the source both before and after the function is called.


When I refresh the page, I don't see the alert again. Did you even check any referrers, or just set a flag to only show the alert once?


Nope, it's incredibly basic, just the HTML you see. I wrote the code on my phone and didn't have time to do anything like that. Here's the source: http://i.imgur.com/zV937.png - it should work served as a local file too.

It could be your browser blocking sequential alerts or some strange caching issue.


If I use pentadactyl's `gf` I get the source with the alert. If I right click I get the intended result.


Peculiar: in FF5 I don't see the alert, but do see it in view source.


Thankfully, curl can't be tricked in such a manner.

I'd have a more substantial comment, I hope, if the site was loading.


Thankfully, curl can't be tricked in such a manner.

fetch http://jcs.org/tmp/nothing.html through curl:

      jcs@air:~> curl -s http://jcs.org/tmp/nothing.html
      there is really nothing here, i can promise you that.
but you just aren't seeing the content.

      jcs@air:~> curl -s http://jcs.org/tmp/nothing.html | vis
      View source in Firefox. \^H\^H\^H\^H\^H\^H\^H\^H\^H\^H\^H[...]


Clever and true... I didn't say I'd view it in the terminal, though!

    curl http://jcs.org/tmp/nothing.html | vim -


Depending on how well your terminal deals with things like high Unicode characters and RTL, I wonder if you could trick curl. You could also send the curl user agent harmless HTML and send Firefox / IE user agents a nasty exploit - that would probably fool me for a while.
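An added check for the terminal-side trick discussed above (the backspace overwrite in the curl | vis exchange, and the RTL/Unicode point in the last comment); this is my own example, not code from any poster or from jcs.org, and the sample files are constructed locally with mktemp/printf rather than fetched, with all function names being assumptions:

```shell
#!/bin/sh
# Added example: before trusting what a terminal shows for a fetched page,
# count the C0 control bytes (backspace, CR, ESC) and look for the Unicode
# right-to-left override that can visually reorder text. Samples are
# constructed here; nothing is fetched from the network.

# Count control bytes other than tab and newline (octal 1-10, 13-37, 177).
count_control_bytes() {
  LC_ALL=C tr -cd '\001-\010\013-\037\177' < "$1" | wc -c | tr -d ' \t'
}

# Exit status 0 when the file contains any such byte.
has_terminal_controls() {
  [ "$(count_control_bytes "$1")" -gt 0 ]
}

# Exit status 0 when the file contains U+202E (UTF-8 bytes E2 80 AE).
has_bidi_override() {
  LC_ALL=C grep -q "$(printf '\342\200\256')" "$1"
}

# Render a file with control bytes made visible (^H for backspace), the
# same idea as piping curl through vis.
show_safely() {
  LC_ALL=C cat -v "$1"
}

# Build a constructed sample that mimics the trick: the real line is
# written, then erased on screen by backspaces and covered by a decoy.
make_samples() {
  BAD=$(mktemp); GOOD=$(mktemp)
  real='View source in Firefox.'
  n=${#real}; bs=''
  while [ "$n" -gt 0 ]; do bs="$bs$(printf '\010')"; n=$((n - 1)); done
  printf '%s%sthere is really nothing here, i can promise you that.\n' \
    "$real" "$bs" > "$BAD"
  printf 'there is really nothing here, i can promise you that.\n' > "$GOOD"
}

make_samples
show_safely "$BAD"
for f in "$BAD" "$GOOD"; do
  printf '%s: %s control bytes\n' "$f" "$(count_control_bytes "$f")"
done
rm -f "$BAD" "$GOOD"
```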


You don't have to view the output in a terminal, though - generally I wouldn't if I was really trying to look at a file.

Server side user agent discrimination is a good point. One has the option to send his or her own lies regarding that, though. There's always a way to follow whatever script path to its various ends...


Yep. Sounds interesting but seems like it's meta-comments only at this stage.

If anyone happens to load this elusive "View Source Spoof" page, please leave a nice detailed description for the rest of us.

Our minds can draw the pictures :)



Older Internet Explorer and Firefox versions displayed the source that was downloaded, not the one generated/modified by scripts. It makes so much more sense, especially since there was always an option to view the generated source (by using JavaScript, for example) but I don't see how you can access the downloaded source at all if View Source is replaced by View Generated Source. Hm, actually one could use Firebug and watch the Net response I suppose, but that's inconvenient.


This bug isn't showing the original source or the usual generated source but a hybrid. See my comment here: http://news.ycombinator.com/item?id=2977123

The best way to access downloaded source is probably with JavaScript turned off.


Hmm, I can't reproduce what he claims by only looking at the cached version without images and source code.

I especially don't understand this part:

  When you use document.write outside of a script tag embedded inline in
  the page [...]
What is "outside of a script tag embedded inline in the page" supposed to mean?


What that means (though it is not how I would word it) is a document.write that is called asynchronously. The post uses an Ajax request to do it but I've recreated it here [1] like this:

    setTimeout(function() {
      document.write('foo');
      document.close();
    }, 1);
[1] http://taskthere.com/viewsource/


In my opinion, "View source" should be a text log of everything the server sent to the client. Why would you ever want anything different?


One of the many reasons why I recommend using NoScript. http://noscript.net/


Although I don't use NoScript (or NotScripts) anymore the web was far less annoying without arbitrary JavaScript. I never had to leave a site because some irrelevant box popped up over the page I was looking at, or about to be.

It will be effective at blocking the Flash-like HTML ads that are going to pop up soon as well. Unless they get really creative with CSS.


I use NoScript, but I have it set up to allow embeds and top-level references. Denying those is a stone's throw away from just turning off JavaScript completely, which would be tiring.


What's with the out of date Flash popup? Running Chrome beta channel here with Flash built in.


What's with the site not even loading?


Opera 11.51 won't even try to show the source for me. It's definitely interesting.


Tried in Firefox 6... spoof works. Tried in Firefox 3.6... could see full source, script and all.


IIRC earlier versions of FF re-request the page when you do a view source, rather than displaying a rendering of the current (potentially changed) document state. You could still spoof the source view in this case by somehow recognising the second request (though how you'd distinguish "view source" from "f5" I don't know) and sending different content back.


Actually, Chrome downloads the source again when you choose "view source". You can see the "modded" source with ctrl/cmd+shift+I.


If you mean the Developer Tools/Inspector, it's cmd+opt+I, at least on Chrome 14.
