List all properties of a JS object by Lost at 3:27 pm EST, Dec 12, 2007
function show_props(obj, obj_name) { var result = ""; for (var i in obj) result += obj_name + "." + i + " = " + obj[i] + "\n"; return result; }
Super convenient when peeps don't document their objects.

List all properties of the entire JavaScript environment! by Acidus at 12:14 pm EST, Dec 13, 2007
Jello wrote: function show_props(obj, obj_name) { var result = ""; for (var i in obj) result += obj_name + "." + i + " = " + obj[i] + "\n"; return result; }
Super convenient when peeps don't document their objects.
You can do this on the window object and you get all global objects. This means all global variables and all the user-defined functions! You can call valueOf() on the function object to extract the source code! valueOf() even automatically inserts the appropriate whitespace and indenting for you to easily read the code.

You can recurse down objects and check their children, so this handles JavaScript "namespaces" as well. Hook this up to a setInterval() call and you can also perform runtime monitoring of the JavaScript environment! On-demand Ajax? No problem!

With Firebug, you have the JavaScript equivalent of "View Source." With this method, you have the JavaScript equivalent of "View Generated Source!" Super convenient when peeps don't document the Ajax applications you are hacking!

Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah!

In the interest of disclosure, websec guru Amit Klein came pretty close to this in 2006. He discovered the joy of valueOf() but didn't take the next step of how to discover/enumerate all the user-defined functions in the JavaScript environment.
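
The snapshot-and-compare monitoring described in the post above, as an added example that is not part of the thread and is not the HOOK tool: it records the source of every script-defined function reachable from a root object, then diffs two snapshots, so a function that was replaced at runtime shows up under `changed`. The names `snapshotFunctions` and `diffSnapshots` and the constructed `win` object standing in for `window` are assumptions; the source text is read with `Function.prototype.toString`, which is what yields a function's source when it is converted to a string.

```javascript
// Added example (not from the thread). All names here are hypothetical.
// Walk an object graph and record the source of every script-defined function.
function snapshotFunctions(root, rootName, maxDepth = 4) {
  const found = new Map();    // "path.to.fn" -> source text
  const seen = new WeakSet(); // cycle guard (window.self, window.window, ...)
  function walk(obj, path, depth) {
    if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) return;
    if (depth > maxDepth || seen.has(obj)) return;
    seen.add(obj);
    for (const key in obj) {
      let value;
      try { value = obj[key]; } catch (e) { continue; } // some host getters throw
      const childPath = path + "." + key;
      if (typeof value === "function") {
        const src = Function.prototype.toString.call(value);
        // Built-ins print as "{ [native code] }"; keep script-defined code only.
        if (!/\{\s*\[native code\]\s*\}$/.test(src)) found.set(childPath, src);
      }
      walk(value, childPath, depth + 1);
    }
  }
  walk(root, rootName, 0);
  return found;
}

// Compare two snapshots: which functions appeared, vanished, or were replaced.
function diffSnapshots(before, after) {
  const diff = { added: [], removed: [], changed: [] };
  for (const [path, src] of after) {
    if (!before.has(path)) diff.added.push(path);
    else if (before.get(path) !== src) diff.changed.push(path);
  }
  for (const path of before.keys()) if (!after.has(path)) diff.removed.push(path);
  return diff;
}

// Constructed stand-in for `window` so the example runs outside a browser.
function demo() {
  const win = { version: "1.0", app: { login: function (u) { return "user:" + u; } } };
  win.self = win; // browsers expose the same kind of self-reference
  const baseline = snapshotFunctions(win, "window");
  // Later: code loaded on demand adds a function, and login gets wrapped.
  win.app.cart = { add: function (item) { return [item]; } };
  const original = win.app.login;
  win.app.login = function (u) { return original(u.trim()); };
  return diffSnapshots(baseline, snapshotFunctions(win, "window"));
}
```

In a browser, take the baseline with `snapshotFunctions(window, "window")` once your own scripts have loaded and run the diff from a `setInterval()` callback; an unexpected `changed` entry means something has replaced one of the page's functions.
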
RE: List all properties of the entire JavaScript environment! by Worthersee at 2:49 pm EST, Dec 13, 2007
Acidus wrote: Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah!
I went to Borders and B&N today after lunch and neither had your book. Borders customer service kiosk said "Not published yet". I guess I'll just order it from Amazon using my HP Amex. Maybe I'll buy a few, I heard they make good stocking stuffers ;)

RE: List all properties of the entire JavaScript environment! by Acidus at 2:51 pm EST, Dec 13, 2007
Worthersee wrote: Acidus wrote: Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah!
I went to Borders and B&N today after lunch and neither had your book. Borders customer service kiosk said "Not published yet". I guess I'll just order it from Amazon using my HP Amex. Maybe I'll buy a few, I heard they make good stocking stuffers ;)
If you buy Ajax Security directly from Addison Wesley you can get it immediately. Ken on Framework ordered yesterday and got it today.

RE: List all properties of the entire JavaScript environment! by Lost at 4:09 pm EST, Dec 13, 2007
Acidus wrote: Jello wrote: function show_props(obj, obj_name) { var result = ""; for (var i in obj) result += obj_name + "." + i + " = " + obj[i] + "\n"; return result; }
Super convenient when peeps don't document their objects.
You can do this on the window object and you get all global objects. This means all global variables and all the user-defined functions! You can call valueOf() on the function object to extract the source code! valueOf() even automatically inserts the appropriate whitespace and indenting for you to easily read the code. You can recurse down objects and check their children, so this handles JavaScript "namespaces" as well. Hook this up to a setInterval() call and you can also perform runtime monitoring of the JavaScript environment! On-demand Ajax? No problem! With Firebug, you have the JavaScript equivalent of "View Source." With this method, you have the JavaScript equivalent of "View Generated Source!" Super convenient when peeps don't document the Ajax applications you are hacking! Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah! In the interest of disclosure, websec guru Amit Klein came pretty close to this in 2006. He discovered the joy of valueOf() but didn't take the next step of how to discover/enumerate all the user-defined functions in the JavaScript environment.
I know a usability guy that monitors any change to the DOM this way, to track mouse movements, clicks, etc. He generates reports he uses to stylize his web pages this way.

RE: List all properties of the entire JavaScript environment! by Acidus at 9:03 am EST, Dec 14, 2007
Jello wrote: I know a usability guy that monitors any change to the DOM this way, to track mouse movements, clicks, etc. He generates reports he uses to stylize his web pages this way.
Why does he need to enumerate user functions to track DOM changes? He could just hook the onmousemove, onmousedown, onmouseup, onkeydown, etc. events on top-level objects like window or document.body to do so. If he is worried about event handlers "lower" in the DOM stopping propagation of the event, we could walk the tree and hook lower events. Or did you mean using setInterval() with a DOM walk to check for changes? Can you tell me more about what's going on, what he wants to track, and how he does it?

RE: List all properties of the entire JavaScript environment! by Lost at 9:51 am EST, Dec 14, 2007
Acidus wrote: Jello wrote: I know a usability guy that monitors any change to the DOM this way, to track mouse movements, clicks, etc. He generates reports he uses to stylize his web pages this way.
Why does he need to enumerate user functions to track DOM changes? He could just hook the onmousemove, onmousedown, onmouseup, onkeydown, etc. events on top-level objects like window or document.body to do so. If he is worried about event handlers "lower" in the DOM stopping propagation of the event, we could walk the tree and hook lower events. Or did you mean using setInterval() with a DOM walk to check for changes? Can you tell me more about what's going on, what he wants to track, and how he does it?
I meant setInterval() with a DOM walk to check for changes in an AJAXy page, along with mouse events. I think that's how he does it.