Week 12
2022-08-08 ~ 2022-08-14
Algorithm1
Algorithm2
Review
Checking if a JavaScript native function is monkey patched
This article explains how to detect whether a native JS API has been overridden. One of the approaches: when you have full control over the whole page, keep a reference to the API in the very first script of the page, and later use strict equality to compare the current reference against the saved one; if the two differ, the API has been replaced.
<html>
  <head>
    <script>
      // Store a reference of the original "clean" native function before any
      // other script has a chance to modify it.
      // In this case, we're just holding a reference of the original fetch API
      // and hide it behind a closure. If you don't know in advance what API
      // you'll want to check, you might need to store a reference to multiple
      // `window` objects.
      (function () {
        const { fetch: originalFetch } = window;
        window.__isFetchMonkeyPatched = function () {
          return window.fetch !== originalFetch;
        };
      })();
      // From now on, you can check if the fetch API has been monkey patched
      // by invoking window.__isFetchMonkeyPatched().
      //
      // Example:
      window.fetch = new Proxy(window.fetch, {
        apply: function (target, thisArg, argumentsList) {
          console.log("Fetch call intercepted:", ...argumentsList);
          // Return the result so callers still receive the Promise from fetch.
          return Reflect.apply(target, thisArg, argumentsList);
        },
      });
      window.__isFetchMonkeyPatched(); // → true
    </script>
  </head>
</html>
When I first saw this method, I wondered whether defineProperty could bypass it, but after trying it, it cannot:
(function () {
  const { fetch: originalFetch } = window;
  window.__isFetchMonkeyPatched = function () {
    return window.fetch !== originalFetch;
  };
})();
Object.defineProperty(window, "fetch", {
  get() {
    return 1;
  },
});
window.__isFetchMonkeyPatched(); // → true: the getter's value is not the saved reference, so the change is detected
From this I guess that Object.defineProperty changes the pointer of the original property; I looked through the MDN docs but did not find anything about it.
Later I tried Object.assign, which does bypass the check, but I could not think of a way to use it to inject malicious code.
Object.assign(window.fetch, { a: 1 });
window.__isFetchMonkeyPatched(); // → false: the function object was mutated, but the reference is unchanged
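The three experiments above, as an added example that is not code from the post or from the linked article. It assumes a constructed `sandbox` object standing in for `window` and a constructed `fetchLike` function standing in for the native fetch, so it runs outside a browser. Beyond the page's identity check it also adds a second, hypothetical check (an own-property snapshot) that catches the Object.assign case the identity check misses:

```javascript
// Added example, not from the post. `sandbox` is a constructed stand-in for
// `window`; in a real page you would pass `window` from the first <script>.

// The page's approach: capture the reference early, compare later.
function createIdentityGuard(host, name) {
  const original = host[name];
  return function isMonkeyPatched() {
    return host[name] !== original;
  };
}

// Hypothetical complementary check (not from the article): snapshot the
// function object's own property names, so additions made with
// Object.assign(fn, {...}) become visible even though the reference is the same.
function createOwnPropertyGuard(host, name) {
  const before = Object.getOwnPropertyNames(host[name]).sort().join(",");
  return function hasExtraOwnProperties() {
    const now = Object.getOwnPropertyNames(host[name]).sort().join(",");
    return now !== before;
  };
}

// Constructed placeholder for the native fetch; a fresh function per scenario
// so mutations in one scenario do not leak into another.
function makeFetchLike() {
  return function fetchLike(url) {
    return Promise.resolve({ url, ok: true });
  };
}

function runScenarios() {
  const results = {};

  // Scenario 1: wrapping fetch in a Proxy replaces the binding -> detected.
  {
    const sandbox = { fetch: makeFetchLike() };
    const isPatched = createIdentityGuard(sandbox, "fetch");
    results.cleanBeforeAnyChange = isPatched();
    sandbox.fetch = new Proxy(sandbox.fetch, {
      apply(target, thisArg, args) {
        return Reflect.apply(target, thisArg, args);
      },
    });
    results.proxyWrap = isPatched();
  }

  // Scenario 2: redefining the property with a getter changes what
  // `sandbox.fetch` evaluates to -> detected.
  {
    const sandbox = { fetch: makeFetchLike() };
    const isPatched = createIdentityGuard(sandbox, "fetch");
    Object.defineProperty(sandbox, "fetch", {
      configurable: true,
      get() {
        return 1;
      },
    });
    results.definePropertyGetter = isPatched();
  }

  // Scenario 3: Object.assign mutates the function object itself without
  // replacing the binding, so the identity check stays false while the
  // own-property snapshot reports the change.
  {
    const sandbox = { fetch: makeFetchLike() };
    const isPatched = createIdentityGuard(sandbox, "fetch");
    const hasExtra = createOwnPropertyGuard(sandbox, "fetch");
    Object.assign(sandbox.fetch, { a: 1 });
    results.objectAssignIdentity = isPatched();
    results.objectAssignExtraProps = hasExtra();
  }

  return results;
}

console.log(runScenarios());
```

Both guards rely on running before any other script, which is exactly the "full control of the page" precondition the article states; a guard installed after an attacker's script simply snapshots the already-patched state.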
Tips
Recently, while practicing algorithms, I discovered some clever uses of bitwise operators. I searched around and found that someone had compiled a list, which includes ones I often use such as ~~4.2 ==> 4. A recent one I learned, for finding the middle index, is:
var len = nums.length;
var mid = len >> 1;
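The two tricks above wrapped as functions, as an added example that is not from the post, together with the caveat a reviewer would raise: `~~` and `>>` first convert their operand to a signed 32-bit integer, so they truncate toward zero (unlike Math.floor for negatives) and silently wrap for values at or above 2^31. The binary search and the `demoOverflow` values are my own constructed illustration:

```javascript
// Added example, not from the post.

// ~~x converts to int32 and truncates toward zero: ~~4.2 -> 4, ~~-4.7 -> -4
// (Math.floor(-4.7) is -5, so the two are not interchangeable for negatives).
function truncToInt(x) {
  return ~~x;
}

// The page's midpoint trick: len >> 1 is len / 2 rounded down, for len < 2^31.
function midIndex(len) {
  return len >> 1;
}

// Constructed use of the trick inside a binary search. lo + ((hi - lo) >> 1)
// is preferred over (lo + hi) >> 1 so the intermediate sum cannot wrap.
function binarySearch(sorted, target) {
  let lo = 0;
  let hi = sorted.length - 1;
  while (lo <= hi) {
    const mid = lo + ((hi - lo) >> 1);
    if (sorted[mid] === target) return mid;
    if (sorted[mid] < target) lo = mid + 1;
    else hi = mid - 1;
  }
  return -1;
}

// Where the 32-bit tricks break down (constructed values):
//  - ~~4294967296.5: the integer part is 2^32, which wraps to 0 in int32
//  - (2 ** 31) >> 1: 2^31 wraps to -2^31 before the shift, giving -1073741824
//  - Math.floor(2 ** 31 / 2) stays correct because it never leaves double
function demoOverflow() {
  return {
    trunc: ~~4294967296.5,
    shiftMid: (2 ** 31) >> 1,
    floorMid: Math.floor(2 ** 31 / 2),
  };
}

console.log(truncToInt(4.2), midIndex(7), binarySearch([1, 3, 5, 7, 9, 11], 7), demoOverflow());
```

For array indices the shift is safe in practice, since JavaScript arrays cannot exceed 2^32 - 1 elements and realistic lengths stay far below 2^31; for sizes or offsets parsed from untrusted input, prefer Math.floor or a range check first.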