The destination URLs can't be known beforehand if they are generated
runtime.
They are generated after a Javascript function is executed, and the JS code
is executed only after a certain event appears, for example an onClick or
something else.
I think that it is not a security problem to just visit an evil web site if
a good and secure browser is used.
If a browser is not secure, then this is the security issue, not the fact
that the user visits a bad site. So I don't think a JAWS script can improve
the security this way.
These are my thoughts when speaking about just clicking on links and opening
web pages as usually.
In other cases, where more complex attacks are involved, allowing for
example the attackers to insert on a good site evil Javascript code that
makes unwanted POST requests with the permissions of the currently
authenticated user, it is something else. The problem in that case is that
site that has vulnerabilities, but a JAWS script can't improve the security
in that case either.
--Octavian
----- Original Message -----
From: "Jonathan Cohn" <jon.c.cohn@xxxxxxxxx>
To: <jawsscripts@xxxxxxxxxxxxx>
Sent: Sunday, January 05, 2020 5:08 PM
Subject: [jawsscripts] Re: A scripting browser problem!!!
Doesn't the WAVE accessibility tool provide a way to list links and the
destinations in them?
Also, often newer pages use a addEventListener() function and not a
onClick attribute. If a event handler is defined using this function I
expect there would be no way for an external application to examine this.
Though the developer tools for Chrome, Safari and Firefox do appear to
have ways of auditing, are there any Security services similar to the
accessibility audits often used by accessibility firms?
Best wishes,
Jonathan Cohn
On Jan 3, 2020, at 4:05 PM, Octavian Rasnita <orasnita@xxxxxxxxx> wrote:
Will that JAWS script also work if the HTML code would be:
<script>function
goToFreedomScientific(){location.href='http://www.evil.com/';}</script>
<a href=http://www.freedomscientific.com/
onclick="javascript:goToFreedomScientific();return
false;">freedomscientific.com</a>
...because if a site is evil, probably its creators will be able to do
even
worse things than this.
--Octavian
----- Original Message -----
From: "Shan Noyes" <shan.noyes@xxxxxxxxxxx>
To: <jawsscripts@xxxxxxxxxxxxx>
Sent: Friday, January 03, 2020 10:13 PM
Subject: [jawsscripts] A scripting browser problem!!!
Hi folks:
First I should say that I'm a relatively new Jaws scripter. I done some
pretty simple scripts like writing key commands that will look at a
web
page and read certain areas etc.
Anyways, I work in computer security and one of the things we check is
where are links going to take one too. E.g. an evil person can make the
link so it looks like when you click on it you would be going to say
Freedom scientific's site, but in the html code it actually takes you to
an evil site.
e.g.
the html code for the link would read.
<a href=http://evilsite.com>Freedom Scientific</a>
The place that one goes to is specified by the href statement, but jaws
reads to the user the info after the evilsite>
A sighted person can get this info of where the link will take you by
merely hovering the mouse over the link and it displays the location on
the screen.
Anyways, to get this info as a jaws user one puts the virtual cursor on
the link text, then issues the windows application key and selects the
option for copy link. Then one can go to say notepad and paste the
clipboard and voila you see that the link that says freedom scientific
is
actually going to take you to the evilsite
Way to many steps.
I've have written the following little script and it actually works.
Well
most of the time.
Here's the script. And then I'll ask my questions.
Script CopyRealLink ()
SayString("Please wait")
{shift+f10} ; is the windows application key sequence
pause ()
{ e} ; is the option for copy link
EndScript
This works and one can see where the freedom scientific site will go to
the evilsite.com instead of switching and pasting the link results into
a
notepad as stated above I tried the virtual clipboard with the jawskey +
spacebar then the letter c. and the evilsite link shows up.
Its really cool.
My questions:
1. Rather then having to do the jawskey + spacebar then the letter c to
get the clipboard viewer up I would like to add this into my script. So
should I try and do this via keyboard input or hat script or fuction
should I be calling? I've started reading through various default jaws
.jss files but haven't found what I think is the answer.
2. Anyone familiar with how to flush or clean out the virtual viewer
after one has read it?
Thanks for any and all of your assistance.
Have a good day.
Shan Noyes Technical Analyst - Systems Security
GIAC
W: 306 777-4830
C: 306 533-1440
NOTICE: This confidential e-mail message is only for the intended
recipients. If you are not the intended recipient, be advised that
disclosing, copying, distributing, or any other use of this message, is
strictly prohibited. In such case, please destroy this message and
notify
the sender.
__________ÄĹźË
View the list's information and change your settings at
//www.freelists.org/list/jawsscripts
__________ÄĹźË
View the list's information and change your settings at
//www.freelists.org/list/jawsscripts
__________ďż˝
View the list's information and change your settings at
//www.freelists.org/list/jawsscripts
