Invisible code sticks forever [EN]

A few months ago, I read an article about brain training by learning a new language: a very interesting story about William Alexander, who failed to learn French but strengthened his brain by trying.

But this is not the subject of this post. When I finished reading the article, I tried to reach William Alexander’s website and was redirected to a crappy Chinese online store. I immediately thought he had been hacked and, after reading the page source code, I found this piece of script:

<script type="text/javascript">
var language = navigator.browserLanguage?navigator.browserLanguage:navigator.language;
if (language.indexOf('en') > -1) document.location.href = 'javascript:void(0)';
document.location.href = '';
</script>

What’s going on here? The code checks the browser language and redirects to the fraudulent site only if the language is anything other than English! So, every time some non-English dude complains to William about this problem, William tries the site, accesses it successfully and just forgets about it… The malicious code can stay there for months: just a little trick, but a very annoying result!

And for the record, I, of course, alerted William and he removed the malicious code …
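Because the owner's own browser never triggers the redirect, the reliable way to find this kind of injection is to read the page source rather than visit the page. The following is an added example, not code from the original post: a static check that flags inline scripts which both read the browser locale and navigate away. The function name, the sample HTML and the `redirect.example` address are constructed for illustration.

```javascript
// Added example: flag inline scripts that read the browser locale AND navigate.
// Function name, sample HTML and redirect.example are constructed for illustration.
const LOCALE_READ = /navigator\s*\.\s*(?:browserLanguage|userLanguage|languages?)\b/;
// Assignment to location / location.href (not a == comparison), or replace()/assign().
const NAVIGATION =
  /\blocation\s*(?:\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\(/;

function findLocaleGatedRedirects(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let match;
  let index = 0;
  while ((match = scriptRe.exec(html)) !== null) {
    index += 1;
    const body = match[1];
    const locale = body.match(LOCALE_READ);
    const navigation = body.match(NAVIGATION);
    if (locale && navigation) {
      findings.push({
        script: index,                                        // 1-based position among <script> tags
        line: html.slice(0, match.index).split("\n").length,  // line where the tag opens
        localeRead: locale[0],
        navigation: navigation[0].trim(),
      });
    }
  }
  return findings;
}

// Constructed sample page: two benign scripts, then one modelled on the snippet above.
const SAMPLE_HTML = `<html><head>
<script>document.title = "Hello (" + navigator.language + ")";</script>
<script>if (!window.loggedIn) { window.location.href = "/login"; }</script>
<script type="text/javascript">
var language = navigator.browserLanguage ? navigator.browserLanguage : navigator.language;
if (language.indexOf('en') > -1) document.location.href = 'javascript:void(0)';
else document.location.href = 'https://redirect.example/';
</script>
</head><body></body></html>`;

console.log(findLocaleGatedRedirects(SAMPLE_HTML));
```

A hit is a lead for manual review, not proof: legitimate sites also redirect by locale, and this check does not cover external or obfuscated scripts.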

2048 Gremlins [EN]

2048, the game

Do you know Gabriele Cirulli? He is the creator of 2048, a very famous game where you slide numbered tiles to join equal numbers and add them up until you obtain 2048!

Now, do you know Gremlins.js? It is a JavaScript library made by Marmelab to brute-force test web applications: it’s like releasing a thousand gremlins on your app, clicking everywhere and typing nonsense input on the keyboard, so they may detect breaches in your app.

OK, so I mixed the two of them, and I got 2048Gremlins! It’s like letting the gremlins play 2048!

Disclaimer!

  • quick and dirty code here. I just wanted to show it’s possible 🙂
  • only for Firefox: sorry for WebKit engines (Chrome, Safari, …) but keyboard simulation only works in Firefox (until someone points me to the solution for WebKit 🙂 )
  • Gremlins are bad at 2048 🙂 random isn’t a good strategy to reach high scores 🙂

It was fun to hack those wonderful projects and it made me learn more things about gremlins.js.