Comments on: Backbutton Overloading http://ajaxian.com/archives/backbutton-overloading Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: L-Argentine Erectile Dysfunction http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-253674 L-Argentine Erectile Dysfunction Wed, 08 Aug 2007 20:43:35 +0000 http://ajaxian.com/?p=1956#comment-253674 Totally agree with Mario Totally agree with Mario

]]> By: .mario http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245587 .mario Thu, 28 Dec 2006 00:28:22 +0000 http://ajaxian.com/?p=1956#comment-245587 Hi! Just came back from my holidays and recognized my link was posted. I read the comments and I came to the conclusion that the severity of this problem doesn't seem to be understood completely. I am currently employed as developer and security guy and i did a lot of research around xss, csrf and other web application vulnerabilities. I learned how to use tools like backframe in combination with a xss hole to remote control a whole site. If you manage to get a user on a vulnerable site with the backframe code applied you can use my snippet above to keep him from leaving the site AND you might be able to assure that he event won't notice. I think this is pretty severe and should be solved by browser vendors. If you have any questions regarding this issue, don't hesitate to contact me here or via my site. regards, .mario Hi!

Just came back from my holidays and recognized my link was posted. I read the comments and I came to the conclusion that the severity of this problem doesn’t seem to be understood completely.

I am currently employed as developer and security guy and i did a lot of research around xss, csrf and other web application vulnerabilities. I learned how to use tools like backframe in combination with a xss hole to remote control a whole site. If you manage to get a user on a vulnerable site with the backframe code applied you can use my snippet above to keep him from leaving the site AND you might be able to assure that he event won’t notice. I think this is pretty severe and should be solved by browser vendors.

If you have any questions regarding this issue, don’t hesitate to contact me here or via my site.

regards,
.mario

]]> By: José Jeria http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245545 José Jeria Mon, 25 Dec 2006 22:38:23 +0000 http://ajaxian.com/?p=1956#comment-245545 I think this is a great idea! I mean, force users to stay on a certain page! Great! The user will understand that he should not visit any other pages apart from the one having this script. I think this is a great idea! I mean, force users to stay on a certain page! Great! The user will understand that he should not visit any other pages apart from the one having this script.

]]> By: NICCAI http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245522 NICCAI Fri, 22 Dec 2006 21:06:35 +0000 http://ajaxian.com/?p=1956#comment-245522 If the previous page was an RSS feed in IE7, the back button works. :D If the previous page was an RSS feed in IE7, the back button works. :D

]]> By: Mark Kawakami http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245516 Mark Kawakami Fri, 22 Dec 2006 17:55:56 +0000 http://ajaxian.com/?p=1956#comment-245516 This is definitely a bad thing. At some point or another, the ability to disable or divert the back button is something every web app developer has wished they had for genuinely useful purposes, but I'm pretty sure that this would be used for far more nefarious purposes. I bet an update to prevent this will make its way into Firefox soon and the other browsers will have to follow suit, so I'm not going to bother with using this for anything because it's going to stop working soon. What scares me is that it raises a lot more potential for dangerous XSS attacks. What bothers me is that onunload is supposed to be for cleanup and such, but not for preventing the action that led to the event being fired, which this does, so it really strikes me as a bug. This is definitely a bad thing. At some point or another, the ability to disable or divert the back button is something every web app developer has wished they had for genuinely useful purposes, but I’m pretty sure that this would be used for far more nefarious purposes. I bet an update to prevent this will make its way into Firefox soon and the other browsers will have to follow suit, so I’m not going to bother with using this for anything because it’s going to stop working soon.

What scares me is that it raises a lot more potential for dangerous XSS attacks. What bothers me is that onunload is supposed to be for cleanup and such, but not for preventing the action that led to the event being fired, which this does, so it really strikes me as a bug.

]]> By: Michael Geary http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245514 Michael Geary Fri, 22 Dec 2006 16:28:44 +0000 http://ajaxian.com/?p=1956#comment-245514 If you want to keep a visitor from leaving your page by clicking a link, there's a much better way to do it: Don't have any links on your page! D'oh! If you want to keep a visitor from leaving your page by clicking a link, there’s a much better way to do it:

Don’t have any links on your page! D’oh!

]]> By: Dougal http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245508 Dougal Fri, 22 Dec 2006 14:05:06 +0000 http://ajaxian.com/?p=1956#comment-245508 Doing that is about as good as a window opening itself onLoad (then ofcourse that starts a loop)... and then you make the window not open noe, but 2 or 4 versions of itself. i remember when i was about 14 and learning javascript doing that to annoy somebody... Doing that is about as good as a window opening itself onLoad (then ofcourse that starts a loop)… and then you make the window not open noe, but 2 or 4 versions of itself. i remember when i was about 14 and learning javascript doing that to annoy somebody…

]]> By: ARWolff http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245507 ARWolff Fri, 22 Dec 2006 13:57:13 +0000 http://ajaxian.com/?p=1956#comment-245507 Rather than simply keeping the user on the current page, might one overload the "back" button to do what s/he expects, coming from the paradigm of pre-Ajax Web apps? That is, might it "undo" the last create/update/delete action executed via XHR? Maybe this feature belongs in a framework. I can imagine an "event stack," where appropriate "undos" are registered for each C/U/D action, and the Back button executes and discards the top of the stack ... Rather than simply keeping the user on the current page, might one overload the “back” button to do what s/he expects, coming from the paradigm of pre-Ajax Web apps? That is, might it “undo” the last create/update/delete action executed via XHR? Maybe this feature belongs in a framework. I can imagine an “event stack,” where appropriate “undos” are registered for each C/U/D action, and the Back button executes and discards the top of the stack …

]]> By: Spolster http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245506 Spolster Fri, 22 Dec 2006 13:54:35 +0000 http://ajaxian.com/?p=1956#comment-245506 The onunload event can be useful for cleaning up upon leaving a page, such as saving recent changes. Unfortunately, providing this power leaves the user open to malicious scripts (which mostly, I think, would be off the annoying rather than data collecting kind since, as in Philip's example above, some other kind of exploit would be required to do anything seriously malicious). The onunload event can be useful for cleaning up upon leaving a page, such as saving recent changes. Unfortunately, providing this power leaves the user open to malicious scripts (which mostly, I think, would be off the annoying rather than data collecting kind since, as in Philip’s example above, some other kind of exploit would be required to do anything seriously malicious).

]]> By: Philip Tellis http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245501 Philip Tellis Fri, 22 Dec 2006 13:09:15 +0000 http://ajaxian.com/?p=1956#comment-245501 Ok, so the example shows how to keep people at your site, but that isn't really the worst use of this method. It could actually be used to compromise a user's security by redirecting them to an evil site when they think they're clicking on a good site. An input form with bad validation, for example, could allow a user to add javascript that hijacks the onunload with a redirect to an evil url. The redirect would pass the correct url as a parameter to this evil url. evil site then uses this url to fetch the good site, changes the html to do bad things, and shows it to the user. naïve user doesn't realise that he's not at goodsite.com, but at evilsite.com (maybe because the link actually pointed to http://www.goodsite.com-foobar-blah@evilsite.com/) and gives away some critical data. Ok, so the example shows how to keep people at your site, but that isn’t really the worst use of this method. It could actually be used to compromise a user’s security by redirecting them to an evil site when they think they’re clicking on a good site.

An input form with bad validation, for example, could allow a user to add javascript that hijacks the onunload with a redirect to an evil url. The redirect would pass the correct url as a parameter to this evil url. evil site then uses this url to fetch the good site, changes the html to do bad things, and shows it to the user.

naïve user doesn’t realise that he’s not at goodsite.com, but at evilsite.com (maybe because the link actually pointed to http://www.goodsite.com-foobar-blah@evilsite.com/) and gives away some critical data.

]]> By: Rob Cluett http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245500 Rob Cluett Fri, 22 Dec 2006 12:59:18 +0000 http://ajaxian.com/?p=1956#comment-245500 Thanks for posting! In my opinion, this is a horribly bad thing which does annoys me! Why keep someone around if they are trying to leave your site? It only irritates them and makes them think twice about coming back. Unuforunately this is a cheap and rude way at gaining extra page hits : ) Thanks for the post... Thanks for posting! In my opinion, this is a horribly bad thing which does annoys me! Why keep someone around if they are trying to leave your site? It only irritates them and makes them think twice about coming back. Unuforunately this is a cheap and rude way at gaining extra page hits : ) Thanks for the post…

]]> By: DJP http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245499 DJP Fri, 22 Dec 2006 12:48:40 +0000 http://ajaxian.com/?p=1956#comment-245499 The "No-script" plugin for Firefox is usefull in that case... :] The “No-script” plugin for Firefox is usefull in that case… :]

]]> By: Kalle http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245498 Kalle Fri, 22 Dec 2006 12:37:22 +0000 http://ajaxian.com/?p=1956#comment-245498 To be honest, I don't like that "keep a user around against their will"-part. To be honest, I don’t like that “keep a user around against their will”-part.

]]> By: Simon Jia http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245497 Simon Jia Fri, 22 Dec 2006 12:37:11 +0000 http://ajaxian.com/?p=1956#comment-245497 hmm... what's the point of destroying your user's will? Oh, i know, to piss them off The up side i see is that if you have an application that has some Ajax pieces built in, and you don't want them going back and force and loose the look and feel, then it might be useful, but this is really taking it to the extreme. hmm… what’s the point of destroying your user’s will? Oh, i know, to piss them off
The up side i see is that if you have an application that has some Ajax pieces built in, and you don’t want them going back and force and loose the look and feel, then it might be useful, but this is really taking it to the extreme.

]]> By: Dave http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245496 Dave Fri, 22 Dec 2006 12:35:50 +0000 http://ajaxian.com/?p=1956#comment-245496 I clicked the Google link, then viewed the source. It showed me the source for Google and not the inescapable page. Could be handy for a tool to view the source of other pages, while not leaving one. I clicked the Google link, then viewed the source. It showed me the source for Google and not the inescapable page. Could be handy for a tool to view the source of other pages, while not leaving one.

]]> By: AndiSkater http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245495 AndiSkater Fri, 22 Dec 2006 12:35:15 +0000 http://ajaxian.com/?p=1956#comment-245495 Does not work in Safari. If you use the back button, if just works as usual. Even if this worked, you would still have the problem that the page would be reloaded and all JavaScript variables and objects were gone. Does not work in Safari. If you use the back button, if just works as usual. Even if this worked, you would still have the problem that the page would be reloaded and all JavaScript variables and objects were gone.

]]> By: Wouter http://ajaxian.com/archives/backbutton-overloading/comment-page-1#comment-245494 Wouter Fri, 22 Dec 2006 12:27:07 +0000 http://ajaxian.com/?p=1956#comment-245494 It is not entirely foolproof. If you keep bashing the back button, it will eventually go back to the previous visited page. Not only that, it will add a history for that page. In other words: if you push forwards, you stay on the same page. (I found this out because I am an extrmely angry and impatient person 8P ) It is not entirely foolproof. If you keep bashing the back button, it will eventually go back to the previous visited page. Not only that, it will add a history for that page. In other words: if you push forwards, you stay on the same page.

(I found this out because I am an extrmely angry and impatient person 8P )

]]>