Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
510 views
in Technique[技术] by (71.8m points)

javascript - Facebook如何禁用浏览器的集成开发人员工具?(How does Facebook disable the browser's integrated Developer Tools?)

So apparently because of the recent scams, the developer tools is exploited by people to post spam and even used to "hack" accounts.

(因此,显然是由于最近的骗局,开发人员工具被人们用来发布垃圾邮件,甚至被用来“破解”帐户。)

Facebook has blocked the developer tools, and I can't even use the console.

(Facebook阻止了开发人员工具,我什至不能使用该控制台。)

在此处输入图片说明

How did they do that??

(他们是怎么做到的??)

One Stack Overflow post claimed that it is not possible , but Facebook has proven them wrong.

(一篇Stack Overflow帖子声称这是不可能的 ,但是Facebook已经证明它们是错误的。)

Just go to Facebook and open up the developer tools, type one character into the console, and this warning pops up.

(只需转到Facebook并打开开发人员工具,在控制台中键入一个字符,就会弹出此警告。)

No matter what you put in, it will not get executed.

(不管您输入什么内容,都不会执行它。)

How is this possible?

(这怎么可能?)

They even blocked auto-complete in the console:

(他们甚至阻止了控制台中的自动完成:)

在此处输入图片说明

  ask by Derek 朕會功夫 translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I'm a security engineer at Facebook and this is my fault.

(我是Facebook的安全工程师,这是我的错。)

We're testing this for some users to see if it can slow down some attacks where users are tricked into pasting (malicious) JavaScript code into the browser console.

(我们正在为某些用户进行测试,以查看它是否可以减慢某些诱使用户将(恶意)JavaScript代码粘贴到浏览器控制台的攻击。)

Just to be clear: trying to block hackers client-side is a bad idea in general;

(只是要清楚一点:尝试阻止客户端的黑客通常是一个坏主意 。)

this is to protect against a specific social engineering attack .

(这是为了防止特定的社会工程攻击 。)

If you ended up in the test group and are annoyed by this, sorry.

(如果您最终参加了测试小组并为此感到烦恼,请对不起。)

I tried to make the old opt-out page (now help page ) as simple as possible while still being scary enough to stop at least some of the victims.

(我试图使旧的退出页面(现在是帮助页面 )尽可能简单,同时仍然令人恐惧,无法阻止至少一些受害者。)

The actual code is pretty similar to @joeldixon66's link ;

(实际的代码与@ joeldixon66的链接非常相似;)

ours is a little more complicated for no good reason.

(没有充分的理由,我们的情况会稍微复杂一些。)

Chrome wraps all console code in

(Chrome将所有控制台代码包装在其中)

with ((console && console._commandLineAPI) || {}) {
  <code goes here>
}

... so the site redefines console._commandLineAPI to throw:

(...因此该网站重新定义了console._commandLineAPI以抛出:)

Object.defineProperty(console, '_commandLineAPI',
   { get : function() { throw 'Nooo!' } })

This is not quite enough (try it!) , but that's the main trick.

(这还不够(尝试一下!) ,但这是主要技巧。)


Epilogue: The Chrome team decided that defeating the console from user-side JS was a bug and fixed the issue , rendering this technique invalid.

(结语:Chrome小组认为从用户端JS击败控制台是一个错误,并解决了该问题 ,使该技术无效。)

Afterwards, additional protection was added to protect users from self-xss .

(之后,添加了附加保护以保护用户免受self-xss的攻击 。)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...