View Full Version : setTimeout()



Makien
06-25-2009, 03:40 AM
Can setTimeout() be blocked from working on a site? Is this possible?

Old Pedant
06-25-2009, 07:08 AM
Sure...just turn off JavaScript in your browser.

Of course, chances are pretty good that then the rest of the website won't work worth beans. <shrug>You pays your money and takes your choice.</shrug>

Makien
06-26-2009, 01:26 AM
Nice, yea that would work but I'm talking about a site being able to block a user from using it in a script. I wrote a script that pulls info then adds a little back and everything works fine as long as I don't have setTimeout in the script. If I add it to the script it won't work, and I know how to use setTimeout pretty good, tested the script and it always falls back to the setTimeout which I think the site's blocking...

Old Pedant
06-26-2009, 05:27 AM
I can think of ways to do it. Depends on how your JS is being added to the site.

Hmmm...I wonder what happens if you simply define your own setTimeout( ) function? Will it hide the window.setTimeout() native function??

Philip M
06-26-2009, 08:07 AM
Why wonder?


<script type = "text/javascript">
function setTimeout(){
alert ("Boo!");
tim = setTimeout("setTimeout()",2000);
}

setTimeout()
</script>

But here's a lol -


<script type = "text/javascript">
function setTimeout(){
alert ("Boo!");
tim = setTimeout("",2000);
}

setTimeout()
</script>

Makien
06-28-2009, 12:20 AM
nope... I tried it like the way you have it and here's the outcome:


function setTimeout(){
alert ("Boo!");
tim = setTimeout("",2000);
}

setTimeout()


Doesn't work...



function setShoutout(){
alert ("Boo!");
}

setShoutout()


Works...


function setShoutout(){
alert ("Boo!");
tim = setTimeout("",2000);
}

setShoutout()


Doesn't work...


function setTimeout(){
alert ("Boo!");
}

setTimeout()


Doesn't work...

Anything that has SetTimeout in it doesn't work... even if you have:


alert ("I yelled: setTimeout");

You get back: "I yelled: "

randomuser773
06-28-2009, 12:58 AM
Anything that has SetTimeout in it doesn't work... even if you have:


alert ("I yelled: setTimeout");

You get back: "I yelled: "

When you're on that site, what happens if you type:

javascript:alert(setTimeout)

into the address bar and press Enter?

If it alerts 'native code', try adding this to your script immediately prior to where you would call setTimeout, then call st in place of setTimeout.

var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];

Philip M
06-28-2009, 07:37 AM
alert ("I yelled: setTimeout"); works in IE6.



<script type = "text/javascript">
function setTimeout(){
alert ("I yelled: setTimeout");
tim = setTimeout("setTimeout()",2000);
}

setTimeout()
</script>

Above also works in IE6 in that the alert "I yelled: setTimeout" shows, but the timeout triggers right away, even if the time is changed to a higher value such as 25000.

Conclusion: don't give a function the name of a JavaScript method. I guess that similar problems would arise with functions 'checked()' or 'replace()' or 'parseInt()'.


<script type = "text/javascript">
function parseInt(){
x= 12.34
y = parseInt(x);
alert (y);
}
parseInt();
</script>

results in a stack overflow.

Old Pedant
06-29-2009, 03:43 AM
Philip: He means that ON THAT SITE, where he is dumping in his own JS code, they are suppressing setTimeout.

That would obviously be trivial to do if the user must supply his "site" code (including JS) as a text file that is then run by the site. They just mangle the code before allowing it to run. I *thought* he had implied that he is using a <script src="http://www.hissite.com/somecode.js">, but he didn't state that, so maybe I read too much into the post.

Hmmm...I guess even that wouldn't be too hard to mangle: They look for such "includes" and, instead of dumping them in directly, they pull them through their own filter.

That is, when they see
<script src="http://www.hissite.com/somecode.js">
they mangle it into
<script src="filterExternalJs.php?src=http://www.hissite.com/somecode.js">
or similar.

If you have to deliver text to them, they can pretty much mangle your code as much as they want.

rdspoons
06-29-2009, 08:30 PM
This kills the window setTimeout method by over-writing it.
uncomment the first line to kill setTimeout.



//window.setTimeout=new Function("return false");
function test(){
alert('setTimeout is working');
}
window.onload = function(){
setTimeout(test,100)
}

rnd me
06-30-2009, 02:59 AM
This kills the window setTimeout method by over-writing it.
uncomment the first line to kill setTimeout.



//window.setTimeout=new Function("return false");
function test(){
alert('setTimeout is working');
}
window.onload = function(){
setTimeout(test,100)
}


i doubt IE8 is gonna like that...
in ecma5 that's verboten as well.

Old Pedant
06-30-2009, 03:30 AM
Yeah, guys, but you are missing the point of the original poster.

He is trying to drop his JS code onto some website (Facebook??? Or similar?) and that site is killing all occurrences of setTimeout.

If you look at his post #6 in this thread, you'll see this:


Anything that has SetTimeout in it doesn't work... even if you have:


alert ("I yelled: setTimeout");

You get back: "I yelled: "

So that means that the site is looking for the *TEXT* "setTimeout" and wiping it out. Nothing to do with overwriting a function, apparently.

My fault for suggesting the overwrite of setTimeout in the first place, since it's not relevant to the actual question here.

rnd me
06-30-2009, 03:46 AM
... the site is looking for the *TEXT* "setTimeout" and wiping it out. Nothing to do with overwriting a function, apparently.


in that case, put on your XSS hat and hope we are smarter than they are.

Most likely, they are using some kind of a regexp to try to find "setTimeout", so don't say "setTimeout", make an alias:

try:

window.ST=window[String.fromCharCode(115,101,116,84,105,109,101,111,117,116)];

ST("alert('hello world')", 500);
tested FF3

if this doesn't work (though i bet it will), perhaps a different escape sequence can sneak by the filter.
google "xss cheatsheet" and try some of those techniques as well.

there's a million ways to deliver javascript; chances are you can find one that they overlooked!

Old Pedant
06-30-2009, 03:54 AM
Yeah, I think that's got a good chance of working. Since they clearly *are* searching for text "setTimeout" maybe they'll miss that.

I know another sneaky way: Use AJAX (well, XMLHTTP) to hit a service that does nothing but wait a given time. Or hit an invalid URL, on purpose, after setting a specified timeout on the XMLHTTP object. Ehhh...but if they are blocking setTimeout, they are probably blocking XMLHTTP.

Makien
06-30-2009, 04:10 AM
Whoa... go away for the weekend and come back to tons of stuff lol. Thanks for all the posts and ideas so let's see if I can break it all down.

First I'm not going to mention the site because it's against their policy to use scripts (but everyone does). The site had some code changes lately so some of my codes were broken, they were easily fixed except one, the smallest one.

@randomuser773
Yea I did get the native code so setTimeout is working, but I don't know why they'd block this and not anything else, though a lot of scripts use setTimeout. I tried your code but it still doesn't work.

Here's the section of the code:

setTimeout("window.location.replace('" + rootPath + "trial_page.php')", 5000);

Here's what I tested:

var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];
st("window.location.replace('" + rootPath + "trial_page.php')", 5000);

also:

window.ST=window[String.fromCharCode(115,101,116,84,105,109,101,111,117,116)];
ST("window.location.replace('" + rootPath + "trial_page.php')", 5000);

None worked.

I also think Philip M is on to something when saying that setTimeout is being called too fast, even when changing the time. I think the site is using this somehow to block it, though that is an opinion.

I'll have to keep testing different things. I tried adding a pause in the script but that just caused the script to crash....

Old Pedant
06-30-2009, 06:05 AM
So have you tried using XMLHTTP??

I think the idea of purposely hitting a bogus URL (needs to be one that looks good but simply never responds) after setting a timeout on the XMLHTTP object would work, unless they are also blocking XMLHTTP, of course.

rnd me
06-30-2009, 11:19 AM
it's easier to block a method like replace() (for now) than prevent a property assignment.

try changing window.location.replace() to location.href="xxx.htm"...

randomuser773
07-02-2009, 03:26 AM
@randomuser773
Yea I did get the native code so setTimeout is working, but I don't know why they'd block this and not anything else, though a lot of scripts use setTimeout. I tried your code but it still doesn't work.

Here's the section of the code:

Here's what I tested:

var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];
st("window.location.replace('" + rootPath + "trial_page.php')", 5000);

It does not look as though standard functions are being nulled, so I would guess that they're filtering all keywords that could be used to perform undesirable actions. With that in mind, see if this has any effect:

function chRev( s )
{
return s.replace(/(.)(.)/g, "$2$1");
}

var st = window[chRev("esTtmioetu")];

st("window[chRev('olacitno')][chRev('erlpcae')]('" + rootPath + "trial_page.php')", 5000);
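
For anyone maintaining a filter like the one guessed at in this thread, the following is an added example (not code from any poster, and not the site's actual filter, which is unknown). It models plain text removal of "setTimeout" and runs it over lines quoted from the posts above, alongside a simple review check for `window[...]` lookups whose name is computed at run time; `stripKeywords`, `BLOCKED`, `hasComputedWindowLookup` and `audit` are hypothetical names.

```javascript
// Added example, not code from the thread. The site's real filter is unknown;
// stripKeywords() and BLOCKED model the text-removal behaviour guessed at above.
const BLOCKED = ["setTimeout"];

// Delete every literal occurrence of a blocked word, wherever it appears.
function stripKeywords(source) {
  return BLOCKED.reduce((out, word) => out.split(word).join(""), source);
}

// Review heuristic (hypothetical): flag window[...] lookups whose property name
// is not a plain string literal, i.e. is computed when the script runs.
function hasComputedWindowLookup(source) {
  return /\bwindow\s*\[\s*(?![\s"'])/.test(source);
}

// Run both checks on one submitted script.
function audit(source) {
  const filtered = stripKeywords(source);
  return {
    filtered,
    changedByFilter: filtered !== source,
    computedLookup: hasComputedWindowLookup(source),
  };
}

// Sample inputs: lines quoted from posts in this thread.
const SAMPLES = [
  'alert ("I yelled: setTimeout");',
  'var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];',
  "window.ST=window[String.fromCharCode(115,101,116,84,105,109,101,111,117,116)];",
  'var st = window[chRev("esTtmioetu")];',
];

function auditAll() {
  return SAMPLES.map(audit);
}

for (const r of auditAll()) {
  console.log(JSON.stringify(r));
}
```

In this model the string literal is damaged exactly as Makien reported, while the three alias lines pass through the text filter unchanged and are only picked up by the computed-lookup check. Text matching alone therefore cannot decide what a submitted script will call at run time.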


