1

I'm building a security framework which injects a javascript file which will always be executed first, and blocks some functions to be executed. The developers will make their own webapps and the script will make sure that some functionalities cannot be called.

Let's suppose the "blocking" script is like this:

window.alert = function(){Object.freeze(this)}

Is there any way for an application to circumvent this block, without using iframes/external files? delete(window.alert) doesn't work in this scenario.

Ambi
  • 513
  • 1
  • 6
  • 18
  • You've overwritten the alert method, so no, there's no longer any way to get the original alert back. – adeneo May 06 '15 at 13:37
  • When calling `alert()`, first `Object.free` then original JS `alert` function shall be executed, right? – sp00m May 06 '15 at 13:37
  • 1
    You could write a new window alert method and have it output to the console or display in an HTML element visible on your page. – Surreal Dreams May 06 '15 at 13:38
  • If you only need `alert()` to annoy the users, you can as well use `prompt()` (if it hasn't been overwritten) – maja May 06 '15 at 13:44
  • alert() was just an example for a more general concept @maja – Ambi May 06 '15 at 13:47
  • it might make more sense and help more people to explain the issue if the actual `alert` thing is just an example – atmd May 06 '15 at 13:48
  • If you are absolutly sure that your code is always run first, you only have to ensure that you don't forget to freeze/remove everything that might get dangerous (which might be a harder task) – maja May 06 '15 at 13:56

3 Answers3

2

not if you can't stop that script running first, otherwise you could asign the original alert to something else:

var oldAlert = window.alert;
window.alert = function(){Object.freeze(this)}

How/why are you using alert? if its for debugging you'd be better off using console.log. if you are using it to notify users then maybe a dedicated modal would be the better option

Based on your updated question, it depends how your framework is loaded.

Lets say you provide the script to the developer to use, in that case they could very easily alter what your script does. if the code is running on in a env that isn't yours then you can assume it's not secure. browser plugins can block scripts, there would bypass any security based in a javascript file.

atmd
  • 7,430
  • 2
  • 33
  • 64
  • Follow up question: if override the alert right at the beginning of HEAD, is there any way to execute code before it (assuming the first script inside head will always be the alert-blocking one) ? Maybe some event I ignore of the kind of onLoad() Thanks! – Ambi May 06 '15 at 13:45
  • 1
    javascript is executing in order, just write it in the order you want it to run – atmd May 06 '15 at 13:47
  • But the point is that I cannot change the order, the script will always be first. In this case then I can't do anything? – Ambi May 06 '15 at 13:48
  • 1
    can you fully explain the problem you have hit, as it sounds like overwriting alert is just a basic example. why cant you change the order?, are they auto generated?, is it a cms? the more info the better the answer – atmd May 06 '15 at 13:49
1

based on the work of @Abdennour TOUMI on this post : Opposite of Object.freeze or Object.seal in JavaScript, you can do something like that : 

window.alert = function(){Object.freeze(this)} ;

Object.unfreezeAlert=function(){
       return window.prompt;
 }

window.alert = Object.unfreezeAlert(window.alert);
alert ('test4');

http://jsfiddle.net/scraaappy/pxv51zqg/

Community
  • 1
  • 1
scraaappy
  • 2,830
  • 2
  • 19
  • 29
  • however, I've noticed a strange behavior I've notified in the fiddle – scraaappy May 06 '15 at 21:11
  • Yeah and moreover you are replacing an alert with a prompt, so the alert is actually still blocked. – Ambi May 07 '15 at 09:19
  • no, that's not the trouble. See the fiddle, alert is currently re-activated (thanks to @Thom Smith), but check comment in it , there is a unexpected behavior : if you call alert before trying to unfreeze, it won't work. I'm interested if you have any explanation about that. Anyway I though the interest was mainly to reaffect alert method rather than reactivate it. – scraaappy May 07 '15 at 10:46
0

You need to set the alert property on Window.prototype, not on window. Otherwise:

Window.prototype.alert.call(window, 'This works.');
Thom Smith
  • 13,916
  • 6
  • 45
  • 91
  • 1
    Thanks, this actually made the alert appear! I don't know why you're getting downvoted. – Ambi May 06 '15 at 16:01
  • @Thom Smith really sorry for the downvote (playing with my mouse during a phone call...) again I used your code to update my fiddle. Apparently I can undo to upvote during 24h unless you edit your answer... sorry again – scraaappy May 06 '15 at 20:46