big brother's arsenal explained - 1. secure submit

[iblis]

i've decided to start posting various methods, code, and articles i've found that can be used to invade, circumvent, and generally shit on one's privacy online, in the hope that, armed with such information, geeks and casual users alike can learn to be less complacent about their browsing and internet usage. at the very least, someone might just get less spam in their inbox.

and what better way to kick off a series of posts about the flesh-eating bacteria of the web, than to highlight one of the nastier sides of "Asynchronous JavaScript And XML" - otherwise known as "AJAX"?

now, this might be old news to some - especially developers who have anything to do with the http protocol, and/or the creation of web pages in general - but a lot of people have, for some reason or another, been inclined to believe that if they enter information into a form, and don't choose/click to 'submit' said information, that it never goes anywhere, except perhaps to that great 'Recycle Bin' in the sky.

the most common example i can think of would be modern browsers' tendency to 'autofill' frequently used fields, such as 'password' or 'e-mail address', or even your credit card / banking information.

well, if you're amongst the majority, who believe that you have to tell your browser to actually send that potentially sensitive information... thanks(?) to AJAX, you couldn't be more wrong.

i could go into further detail as to how this can happen, and maybe even write a little tutorial... but i'm lazy, it's a work-night, and someone already did it for me.

[iblis]

yeah, i know, i promised an explanation. months ago.

well, time is difficult to come by these days, and hell, even now, i don't have quite a lot of it.

so here we go with the short, short, further-condensed, tiny version.

most people use a javascript-capable web browsing program. and most of those people leave javascript enabled. some of this is from ignorance, but for the majority, it's quite simple: most websites require javascript to be enabled to be even slightly usable - and the really spiffy utilities? it's a must-have.

take google maps¹, for example. when you're clicking and dragging the image, to see what route to take to go to work, to the strip club, or to your brother alvin's house to watch your mentally retarded nephew, clive.. on a fairly high-speed connection, the map just seems to be there. like they have the entire city's map displayed the entire time.

that would be fairly easy to do, but it'd take a hell of a lot longer to load, and use far more resources than need be on both your part (i.e., the client) and theirs (i.e., the server)

so instead of loading the entire image into memory, they only load a part of it, so that you can see what you need to. when you click and drag, your browser is sending commands - using javascript - to their server to load different parts of the image. this is a benign way of taking a client's input, and sending it behind the scenes to a server so that it knows better how to respond.

most sites do this by use of javascript; in the case of mozilla/firefox XMLHttpRequest(), and in IE, either the Active X object Msxml2.XMLHTTP or Micro$oft.XMLHTTP.²

however, this method also allows the client's browser to send information without informing the client of said transaction.

here is an example. view the source, if you're inclined, to see a somewhat primitive stealth submit ajax script.³

in closing, while i don't buy into the hype of "AJAX", it is good to know what it can do... both for you, and to you. it's also wonderful proof that one should always think before one types; as one never knows where (or when) your input is going to be sent.

¹ - seeing as they were one of the first noted to use this technique - and before the term "AJAX" was conceived - it's only fair to use them as an example.
² - the micro$oft portion of this is, or will become outdated, as i update myself with their browser's internal API infrequently at best.
³ - happily ripped from the article mentioned in the first post, as while i could write an example myself, i don't really feel like it.

[Nephilim]

I will always be an advocate of "thinking before you type", but I believe there are other ways to accomplish the same thing without using AJAX at all.

[iblis]

I will always be an advocate of "thinking before you type", but I believe there are other ways to accomplish the same thing without using AJAX at all.

like what? curious minds want to know.

[Nephilim]

Well, I'll have to do some digging, but I think one way you might be able to do it is to code the page with a forced refresh that saves form data every so often. Now this is just off the top of my head, so it my not be possible this way. There are ways to do it though, I'll just have to dig a bit.

[iblis]

Well, I'll have to do some digging, but I think one way you might be able to do it is to code the page with a forced refresh that saves form data every so often. Now this is just off the top of my head, so it my not be possible this way. There are ways to do it though, I'll just have to dig a bit.

it is, in fact, possible.

if i recall correctly, it's easier to do than ajax, though it takes longer and gives the user more warning - unless both connections are really damn fast, and there's no networking weirdness between them (i.e., 400 hops, etc)

[Nephilim]

Yep...just goes to show that the easiest (and MOST SURE) way to secure your PC is to disconnect it from the 'net and unplug the power.