Is Console in Inspect Dangerous? - google-chrome

Can I get hacked after writing something in the "console" part after clicking "inspect"? A YouTube video showed a person writing Runner.instance.gameOver = function(){}; in the dinosaur game's console part after clicking on "inspect". I did that (because this "hack" does not harm others) and the game did become easy. However, the day after that, I heard that console can be dangerous, can you please help me? I am VERY concerned.

tl;dr: Yes.
Pasting and running anything you don't understand from an untrusted source (i.e. basically everyone on the internet) is as bad in the console as it is anywhere else. In practice, someone malicious could trick you into Self-XSS, effectively hijacking your account on the current browser tab.
This is why e.g. Facebook injects a warning message whenever you open the console on their page:
That being said: If you know what you are doing, using the console is perfectly fine.

Runner.instance.gameOver = function(){};
The code is just replacing the method gameOver by a function what does nothing.
What this means? The original function what is designed to stop you playing when you lose, is no there anymore so you can't lose at all.

Related

Chrome devtools erroneously pauses on exception in ignored script

Image speaks for itself; this script is on the debugger's ignore list; yet every time I trigger this exception it is paused upon. I cannot uncheck Pause on caught exceptions because I am trying to pause on a caught exception in another startup script.
Devtools says The debugger will skip stepping through this script, and will not stop on exceptions, but it's doing just that, it is not skipping this script.
I've tried several things, like unignoring/reignoring. Using canary, etc. I have this problem on both my windows and osx machines; so it doesn't seem to be particularly related to my environment.
I am wondering if anyone else has run into this and found a workaround. Thank you.
Problem remains unsolved. Leaving this post here with some unsucessfull tentatives of mine, so someone can build something based on them.
1. Devtools extension API
It is possible to create an add-on that can reach the Developer Tools window and even reach the Sources tab, but once there all I could do was creating new sidepanels or attaching a listener to code text selection changes: chrome.devtools.panels.sources.onSelectionChanged.addListener((x)=>{console.log("onselectionchanged");console.dir(x);});
This API was not enough, could not reach debug status or any interesting sidepanel.
2. Debugging the debugger with a JS debugger
By hitting ctrl-shift-i or ctrl-shift-j over a devtools debug window it is possible to open another devtools debug window, debuging the first one. From there it is possible to write code that detects the banner informing that the file was supposed to be ignored and then click on the continue button:
function breakpointskipper() {
bnr = document.getElementById("sources-panel-sources-view").querySelector("div.vbox.flex-auto > div > div > div > div.flex-none > div");
if (!bnr) return;
bnr = bnr.shadowRoot;
if (!bnr) return;
bnr = bnr.querySelector("div");
if (bnr.ariaLabel != "This script is blackboxed in the debugger") return;
btn = document.querySelector("div.scripts-debug-toolbar.toolbar");
if (!btn) return;
btn = btn.shadowRoot;
if (!btn) return;
btn = btn.querySelector("div > button[aria-label=\"Resume script execution\"]");
if (!btn) return;
btn.click();
}
It is possible to even attach this breakpontskipper() button presser to an event in the devtools window and automate things, but as soon as you close the debugger being debugged window, it is all over and you have to recreate the code and reattach again. As said before, I wasn't able to make any add-on reach here.
3. Debugging the debugger with a native debugger
One last available option would be using GDB to debug the DevTools and change its behavior, in the chromium documentation it is shown that they have debug symbols available but I didn't try this approach.
Please try the troubleshooting help, and share some feedback. Also it would help greatly if you pasted some script here.
Please check if your script black boxed like here
Did you accidentally turn on - break on all exceptions see here
Force a hard refresh, i.e. clear you cache like here
Turn off all break points, then do a restore, try again.
More from ref. on chromium bug site
Update 1: Can you please verify/double check that your file to ignore is actually added to the ignore list.
If you know upfront which files to ignore, head over to Developer Tools > Settings (Cog Icon) > Ignore List. Then add a file name or regex pattern you wish to exclude.
You should see something like

Honeypot: Close previous tab after after hidden link initiates target=_blank?

im trying to build a nice blackhoneyholepotdoom and something that annoys me is the fact bots are able to go back and/or switch tabs. Their behavior is: 1) hit login link, fail, go back. 2) hit register link, fail, go back. 3) Either leave or proceed to try again. I assume this is Xr*m*r behavior? I need to interrupt the "go back" as much as possible to make bot hell on earth.
Besides JS, is there any method ya'll know of to open a link in a new tab/window whilst destroying the previous, or all the others? It could be a popup, iframe trigga top, whatever -- to my knowledge, bots dont care and never get past your header/content anyways.
This has terrible dubious implications if used on humans, hence it doesnt seem to exist -- but figured maybe there was a workaround out there. You can email or spam me at dhaupin at gmail dawt com if you dont wanna share here.
Thank you!

Chrome: waiting for www.site.com, how to know which resource is delaying the page load?

When a site gets stuck in chrome with the 'loading www.site.com' status, Is there anyway to know which of the elements on the DOM is delaying the load? for example, it can be an external js file or image that is taking long time to load. I tried using the network tab in the DeveloperTools, but it only shows the elements already loaded and the time they took. I couldn't find a way to see which element is stuck.
I found a way that I'm not sure it works in all cases, but it did for me. I used the Timeline tab (now shown in the Performance tab), it's one of the tabs in Chrome Dev Tools.
Open Chrome Developer tools (F12 or CMD + Alt + I in Mac) and click the Performance tab
Make sure you drag the grey timeline bar all the way to the right, you want to see the most recent section of events so you can find what's getting stuck:
Check just down below the records sidebar. If you don't see this like in the capture below, try toggling the icons, there are different view modes. Now, going all the way down I found these. It doesn't look like that's going well. Obviously some kind of infinite loop in some random code:
I couldn't find out if it was an extension itself or some other bit of code. Clicking through I only could find // Copyright 2014 The Chromium Authors. All rights reserved..
Checking in Incognito mode clear of extensions, the website loads just fine.
I'd also advise to check the Console tab to see if there are were any errors that might cause the infinite loading thing. You'll often find clues there.

Google Chrome console

I wanna use these very simple features in Google Chrome Javascript console but I really cannot find out how (already searched in official documentation,multiple videos and posts...)
Writing more than a javascript line! (currently after hitting enter, the previous code executes). Moreover, is there a way to make the 'writing' area of the console larger? (multiple lines)
Typical undo and redo edit. Currently control+Z does nothing.
really weird,
Thanks in advance,
Pere
The Javascript console really isn't intended to do serious development in, but it's pretty good.
Shift+enter will let you write multiple lines instead of instantly executing the code.

Creating Chrome popup with a C++ program

Problem context:
I have a C++ program and a web presence. Currently the way things are working I have made a control panel with javascript and html. And it send commands via an unimportant communication medium to control things or get information from the C++ program.
Now, when the C++ program launches, I'm making it run a
ShellExecute(NULL, "open", addressBuffer," --new-window", NULL, SW_NORMAL);
This is a way of launching the default browser with the given address. The addressBuffer in this case points to an intermediate HTML file that quickly turns around and uses the
window.open()
in Javascript to open the final popup, then closes itself.
The result is the user now has the popup control panel that I want them to have but the user's main browser window also gets given focus, un-minimized, and placed on a different tab than the one they had selected. (Basically pops up out of nowhere and selects a another tab)
Problem:
I'm looking for a way to launch a Chrome popup, without disturbing a previously open browser window. Any ideas or solutions would be very helpful.
Lastly, it's worth noting that the " --new-window" from the code above doesn't actually open a new window like you would expect. In this case it's actually doing nothing... If it did work, none of this would really be an issue.
I know this is wordy so thanks in advance for you time!
-Michael
Alright, I came up with a solution.
Something about how ShellExecute processes it's commands was preventing the command line args to be passed in correctly.
My work-around includes grabbing the path to Chrome from the registry,
HKET_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
Then simply doing a system() command with the chrome path "--new-window" and the web path.
Then I let the intermediate html page open it's popup and close itself.
Tada done.
Thanks.