Keeping Javascript from leaking browser/system information

Keeping Javascript from leaking browser/system information - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Forum Related (/forumdisplay.php?fid=37)
+--- Forum: Proxomitron Program (/forumdisplay.php?fid=4)
+--- Thread: Keeping Javascript from leaking browser/system information (/showthread.php?tid=2260)

Keeping Javascript from leaking browser/system information - Greyhat Harry - Jan. 18, 2016 01:38 AM

Hello there.

How would I go about creating a web filter that would prevent information pertaining both browser and system from being undisclosed by this particular page: https://www.browserleaks.com/javascript ?

I've tried both "Kill Nosey JavaScripts" and "Hide Browser's Identity from JS", but to no avail.

Browsing with Opera 12.14.

Thanks for your time and sorry for the inconveniences.

RE: Keeping Javascript from leaking browser/system information - JJoe - Jan. 19, 2016 05:34 AM

First merge

Code:

[HTTP headers]

In = TRUE

Out = FALSE

Key = "Content-Type: Fix application/javascript (In)"

Match = "application/javascript"

Replace = "text/javascript; PrxMsg: Fixed acc. to Original: application/javascript"

(Jan. 18, 2016 01:38 AM)Greyhat Harry Wrote: How would I

Quick easy answer is, enable "Disable JavaScript". Wink

You can block suspect scripts but they can rename or obfuscate them.

You can rename like

Code:

Name = "Stop OnMouseOver events"

Active = FALSE

Limit = 20

Match = "onmouseover="

Replace = "OnPheasantOver="

but they can obfuscate "onmouseover=".

Sometimes you can specify a value before they can read it.

Code:

Name = "Hide Browser's Referrer from JS"

Active = TRUE

Limit = 15

Match = ".referrer"

Replace = ".referrer.substr(0,0)+"\u""

Unfortunately, preventing disclosure may mark you as unique...

You might find https://www.torproject.org/projects/torbrowser/design/ interesting.

(Jan. 18, 2016 01:38 AM)Greyhat Harry Wrote: I've tried both "Kill Nosey JavaScripts" and "Hide Browser's Identity from JS", but to no avail.

"Kill Nosey JavaScripts" missed due to its bounds.
"Hide Browser's Identity from JS" miss was due to the server's use of the application/javascript content type. The header filter you merged changes application/javascript to

Code:

Content-Type: text/javascript; PrxMsg: Fixed acc. to Original: application/javascript

HTH

RE: Keeping Javascript from leaking browser/system information - Greyhat Harry - Jan. 22, 2016 02:48 AM

Thank you JJoe! that's exactly what I needed. Sorry also about the delay.

I understand there's no silver bullet when it comes to this, but figuring things out on a per-page basis (while following the pattern you've provided), is good enough for the kind of task I have before me. Truth to be told, there's hardly any website for which I'd bother turning javascript on (the page I've linked to isn't one of them, yet it's technically very similar to the one I'm actually interested in), and everything else I handle with bare, minimum functionality.

As touching uniqueness, not a problem in this case either, though I personally lean towards full secrecy, for even plausible deniability has limited value where the rule of law's been systematically trodden under foot.

RE: Keeping Javascript from leaking browser/system information - ProxRocks - Jan. 22, 2016 09:40 AM

(Jan. 19, 2016 05:34 AM)JJoe Wrote:
(Jan. 18, 2016 01:38 AM)Greyhat Harry Wrote: How would I

Quick easy answer is, enable "Disable JavaScript".

You can block suspect scripts but they can rename or obfuscate them.

Greyhat Harry,

you really will find that your *BEST* answer really is to DISABLE JAVASCRIPT !!!...
only use javascript on the HANDFUL of sites that you REALLY 'need it'...

you will find that you are chasing your tail "trying" to block suspect scripts...
and that the ONLY time that you even find yourself trying to block them is *AFTER* they already did what they saught out to do...
so in a sense, WHY even block it after-the-fact, the "damage is already done"...

RE: Keeping Javascript from leaking browser/system information - Greyhat Harry - Jan. 24, 2016 02:47 AM

I know virtually not a thing about javascript other than the fact that it's interpreted and mostly used for evil purposes, but having a programming background, I recalled my TRS-80 Model I Basic days, and I figured there may be certain statements available to Opera's implementation of the language that could potentially be parsed out so that they won't be used at all by the script. Kind of like the classic "mem" which reveals whatever amount of memory's available to the program, and failing to use it would render it unable to tell one way or the other about this particular aspect of the system.

I started using Proxomitron many moons ago, about the time I came across another app (now defunct and virtually useless, unlike good ole' Proxo) called Multiproxy, and I even managed to interface them together, but not once did I ever touch javascript, only html, thus all I needed was a lil push in the right direction Smile!