1

This is an extension of Brock Adams answer regarding the detection of userscripts by web administrators. Found here: link

What I'm going to discuss is hypothetical, as obviously avocation of this is not likely good behaviour.

Now. Userscripts in browser games. Let's take any browser game such as Neopets.

If you build a big fancy script to automate processes on any given neopets page, you likely need a control menu to activate various functions. One may use a floating iframe, or just add buttons on the page itself and hook them all up in the userscript.

The issue with this is that you're still changing the page itself, through addition or modification. Any administrator looking for scripts can check for triggered DOM manipulation events, could count iframe/input tags, etc.

My question is therefore, to minimize detection by administrators, how can you control different functions of a userscript running on a page without elements being added to the page itself (DOM)?

Community
  • 1
  • 1
Edge
  • 2,456
  • 6
  • 32
  • 57
  • Use Greasemonkey's userscript menu, or open a new tab for the controls and message the results back to the script. – Brock Adams Mar 20 '14 at 02:02
  • Scripts that may also be used under Tampermonkey and other variants in some browsers may have a hard time accessing the GM menu. I don't know much about it. – Edge Mar 20 '14 at 02:46
  • I'd also like to know more about isTrusted. I know it doesn't work in Chrome/Chromium, so does that mean that any browser games that try to use it against you won't be able to do so if you use Chrome? – Edge Mar 20 '14 at 03:10
  • I suppose using hotkeys to trigger functions could work too – Edge Mar 20 '14 at 04:22
  • I'd like to bump this. It's something I'm still trying to find an answer too, without relying on Greasemonkeys internal menu. – Edge Jul 18 '14 at 02:38
  • Use the messaging technique, or sabotage any page javascript that tries to detect or report meddling (May be harder to do in Chrome). Or better yet, don't worry about it until it actually happens and say 15 "Hail Mary"s for thinking about getting into a silly war with a hypothetical webmaster this way. For such a site in real life, either pay-up or find, or make, a better site. – Brock Adams Jul 18 '14 at 04:34
  • Does Stack have a private messaging system? Brock, you're everywhere and you're brilliant. I'd love to pick your brain outside of the contraints of the stack commenting system. – Edge Jul 18 '14 at 05:39
  • No SO/SE has no private messaging system (thank God, see meta for why). You can invite others to chat, and that can be harder to find but it's still public. Also, I'm loath to spend any time on this topic right now -- got a backlog of paid and/or interesting projects. This subject is currently too much effort for too little reward and not interesting/fun for "recreational" answering, by my present standards, neither. – Brock Adams Jul 18 '14 at 05:54
  • Fair enough. At any rate, the site I'm developing userscripts for I get the feeling sneakily inserts a detection script sporadically, although I have yet to find any detection system in their 80,000 line JS that's included consistently. – Edge Jul 18 '14 at 05:59
  • That's easy. Make a script that snapshots and/or CRC's all the ` – Brock Adams Jul 18 '14 at 06:04
  • That's the conclusion I came to as well. Is it possible for browser addons (either Firefox or Chrome) to make 'script initiated' clicks that appear more legitimate than a initMouseEvent or click()? Eh, I'm probably going off topic. I'll leave you to your business. :3 Thankyou Brock, you continue to provide good insights. – Edge Jul 18 '14 at 06:09
  • See http://stackoverflow.com/questions/11456705/are-events-generated-by-firefox-extension-trusted – Brock Adams Jul 18 '14 at 06:12
  • Why is it only FF that can detect those – Edge Jul 21 '14 at 02:47
  • I didn't say *only* FF could, but FF supports `beforescriptexecute` and Chrome doesn't. – Brock Adams Jul 21 '14 at 03:13

0 Answers0