I need to reverse-engineer some JavaScript application which does authorization using Facebook auth.
Facebook auth window pops up, asks for my permissions, and gets closed instantly, so I am unable to grasp anything from the performed action, as it's too fast.
The problem is that neither Chrome DevTools nor Firefox Firebug displays network activity for child windows like OAuth permission.
Is there a way to enable FULL network log? An extension, whatever? (It better be free and easy to use)
If you're using Windows, you need Fiddler. If you're not, you'll have to settle for Wireshark. Wireshark is more general and an amazing tool, but Fiddler does a much better job for HTTP and SSL conversations like you're going to be examining.
I'm using Chrome in headless mode via CDP (Chrome DevTools Protocol) to do HTML to PDF conversions. Works well but I do not trust Chrome to run forever and want to build a guardian service to monitor its responsiveness and if necessary kill the process and relaunch it.
What would be a good indicator of health? What I'm looking for is a low overhead test I can perform at fairly frequent intervals so that the restart latency is minimised.
I could try to perform some kind of CDP command if anyone has a suggestion and a reliable way to determine success.
I can't think of anything else, that's why I've thrown it open for suggestions.
My best suggestion for this case is to use the Target domain. Listening to some of the events that are fired from the target domain will give you some information regarding the state of your browser, such as TargetCrashed.
On top of that, you could use basic domains like Runtime (provides the evaluate method), SystemInfo or Browser to send the browser requests in order to check its health.
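The probe idea from the answer above, as an added example that is not part of the original answer: it sends Browser.getVersion over an already-open browser-level CDP WebSocket, matches the reply by its id, and treats a Target.targetCrashed event or repeated timeouts as the signal to restart. CdpProbe, ScriptedConn, the conn adapter (send/recv) and the thresholds are assumptions, and target events are assumed to be enabled on the connection.

```python
import json
import time

class CdpProbe:
    """Liveness probe. conn (hypothetical adapter): send(text), recv(timeout) -> text or None."""

    def __init__(self, conn, timeout=2.0, max_failures=2):
        self.conn, self.timeout, self.max_failures = conn, timeout, max_failures
        self.next_id = self.failures = 0
        self.crashed = False

    def call(self, method, params=None):
        """Send one command and return the result of the reply carrying its id."""
        self.next_id += 1
        self.conn.send(json.dumps(
            {"id": self.next_id, "method": method, "params": params or {}}))
        deadline = time.monotonic() + self.timeout
        while (left := deadline - time.monotonic()) > 0:
            raw = self.conn.recv(left)
            if raw is None:                      # nothing arrived in time
                break
            msg = json.loads(raw)
            if msg.get("method") == "Target.targetCrashed":
                self.crashed = True              # an event, not our reply
            elif msg.get("id") == self.next_id:
                if "error" in msg:
                    raise RuntimeError(msg["error"].get("message", "CDP error"))
                return msg.get("result", {})
        raise TimeoutError(method)

    def healthy(self):
        """Run one probe; False means the guardian should restart Chrome."""
        try:
            self.call("Browser.getVersion")
            self.failures = 0
        except (TimeoutError, RuntimeError, OSError, ValueError):
            self.failures += 1
        return not self.crashed and self.failures < self.max_failures

class ScriptedConn:
    """Constructed stand-in for the WebSocket: replays canned frames."""

    def __init__(self, frames):
        self.frames, self.sent = list(frames), []

    def send(self, text):
        self.sent.append(json.loads(text))

    def recv(self, timeout):
        return self.frames.pop(0) if self.frames else None
```

In a real guardian, conn wraps whatever WebSocket client is in use, and healthy() is called on a timer; a False result is the point at which the process is killed and relaunched.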
I have Adblock and Adblock Plus extensions in Chrome browser. I spend a lot of time doing intentional shopping and get blocked from things I don't want to be blocked from. For example, if I search Google for a "hotspot", I want to research various devices available. But when I click on one (sponsored link at the top of the search results), I get an error page that says:
This site can’t provide a secure connection
ad.doubleclick.net sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
I don't mind these "ads". They are useful. Is there a way to configure AdBlocker to allow them?
My IT department admitted this is a filtering policy. Quite unfortunate since looking at ads for new technology IS A HUGE PART OF MY JOB
Most modern browsers can display the network traffic of the currently open webpage and its dependencies in its dev tools.
When the browser sends the initial HTTP request for a webpage, it uses the response to display the webpage. A JavaScript file that the webpage depends on may send another request through AJAX.
Does the browser monitor the execution of the JavaScript file and display the subsequent requests in the original page's network log?
EDIT: For a bit of background, I'm trying to write a Python program that will display all the network traffic generated by a webpage and its dependencies.
If you use the Chrome browser, you can use the Network feature in Developer Tools.
Through this feature, you can monitor all of the network activity on the page.
For monitoring the execution of JavaScript, search for Firebug on Google.
How do web browsers monitor network of current open webpage?
The short answer: the browser knows about all this, because it has to prepare and send/receive all requests to the webserver. That's its job, and involves much more than monitoring only.
Does the browser monitor the execution of the javascript file and
display the subsequent requests in the original page's network log?
The browser not only has to monitor the execution of the script, it has to execute the script itself. The script then forwards the subsequent request to that same browser, thus no need for the browser to monitor the script to get that information.
For a bit of background, I'm trying to write a Python program that
will display all the network traffic generated by a webpage and its
dependencies.
Since this seems to be for educational purposes, you might want to start with writing a plugin for the browser to get an idea of what's happening inside (this will be mostly in JavaScript). In your plugin you can make direct API-calls to the browser-engine, or use call-backs to get notified when requests are made or pages/images arrive.
To monitor that traffic from within a stand-alone application, more work needs to be done. You'll have to sit somewhere in between the browser and your network card. This can be done by:
Writing some kind of proxy to catch and forward the HTTP-traffic and direct your browser to that proxy.
Using a library such as libpcap to catch all network traffic and analyzing the TCP-packets.
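The first option in the answer above (a proxy the browser is pointed at), as an added example that is not part of the original answer: a loopback-only forward proxy that relays plain-HTTP GET requests and records each one. LoggingProxy, serve and the header skip list are assumptions; HTTPS (CONNECT) is not handled, and redirects are followed by the relay itself.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Direct opener: ignores system proxy settings so the relay cannot loop to itself.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))
# Not forwarded; Accept-Encoding is dropped so bodies come back uncompressed.
SKIP = {"connection", "proxy-connection", "keep-alive", "te", "upgrade",
        "transfer-encoding", "proxy-authorization", "accept-encoding"}

class LoggingProxy(http.server.BaseHTTPRequestHandler):
    """Plain-HTTP forward proxy that records each GET it relays."""
    seen = []                                    # (method, url, status)

    def do_GET(self):
        url = self.path                          # a proxy is sent the absolute URL
        if urlsplit(url).scheme != "http":       # urllib would also open file: URLs
            self.send_error(400, "only http:// is relayed")
            return
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in SKIP}
        try:
            with DIRECT.open(urllib.request.Request(url, headers=fwd), timeout=10) as r:
                status, body, ctype = r.status, r.read(), r.headers.get("Content-Type")
        except urllib.error.HTTPError as e:      # 4xx/5xx are relayed, not hidden
            status, body, ctype = e.code, e.read(), e.headers.get("Content-Type")
        except OSError:
            self.send_error(502, "upstream unreachable")
            return
        self.seen.append(("GET", url, status))
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # keep stderr quiet
        pass

def serve(handler):
    """Start handler on a free loopback port and return the running server."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Calling serve(LoggingProxy) and setting the browser's HTTP proxy to the returned server's address fills LoggingProxy.seen with every page and sub-resource request; the bind to 127.0.0.1 and the scheme check keep the relay from being used by other hosts or to read local files.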
I need to capture an image from a web page without a security warning.
The page where I need webcam functionality cannot be switched to the https protocol.
I've installed root certificates and made them trusted.
I tried to insert an iframe (which pointed to secure protocol https://mysecurepage.com) inside the page (http://mypage.com), but it did not work.
#bjelli is correct - this is a major security flaw for any internet content. Just imagine if you could go to a website which would start taking photos/recording everything going on without any permissions or notifications!
However, I am working on an intranet project where disabling the prompt would be quite safe.
If you are in this sort of position, there is one thing you can do:
Google Chrome Policies
If you are deploying the browser, you can override the security prompt for sites you specify. I don't know if you are working in such an environment, but this is the only way you can avoid the prompt altogether. Similar things probably would apply for other browsers too.
As defined in http://www.w3.org/TR/mediacapture-streams/
When the getUserMedia() method is called, the user agent MUST run the following
steps:
[9 steps omitted]
Prompt the user in a user agent specific manner for permission to provide the
entry script's origin with a MediaStream object representing a media stream.
[...]
If the user grants permission to use local recording devices, user agents are
encouraged to include a prominent indicator that the devices are "hot" (i.e. an
"on-air" or "recording" indicator).
If the user denies permission, jump to the step labeled failure below. If the
user never responds, this algorithm stalls on this step.
If a browser does not behave as described here it is a serious security problem. If you find a way of making a browser skip the "permission" you have found a security problem.
What do you do if you find a security problem?
Report it IMMEDIATELY! Wikipedia: Vulnerability Disclosure
Firefox: http://www.mozilla.org/security/#For_Developers
Internet Explorer: http://technet.microsoft.com/en-us/security/ff852094.aspx
Safari: https://ssl.apple.com/support/security/
Chrome: http://www.google.com/about/appsecurity/
Opera: http://www.opera.com/security/policy
This is not just a question of technical possibilities, it's also a question of
professional ethics: what kind of job would I not take on? should I be
loyal to my customer or should I think of the welfare of the public? when do I
just follow orders, when do I stop bad stuff from happening, when do I blow the whistle?
Here are some starting points for computing professionals to think about the ethics of their work:
http://www.acm.org/about/se-code
http://www.acm.org/about/code-of-ethics
http://www.ieee.org/about/corporate/governance/p7-8.html
http://www.gi.de/?id=120
Is it possible to access, invoke and see the results of operations in chrome://net-internals/ WITH and from the extension code that I am trying to write/build?
Not directly.
The closest analog is the WebRequest API, which gives you access to various bits and pieces of the network requests going back and forth between Chrome and the server. That doesn't, however, give you access to some of the even lower-level details that you see in net-internals.
What exactly would you like extensions to have access to? I'd suggest formulating a clear use-case, and filing a feature request: http://new.crbug.com/ as your best bet.