Spy, one of typical RemoteScript hacks:

Hijacking web sites with bookmarking


(by Mark Qian, 5/1/2015)

A. Introduction


"Hijacking" is a negative word but in some application, you do need to have your codes "work on and even take over any web site".

You may ask: Why do I need to have my codes "work on any web site"? Well, in some case, you do need to apply your own logic on pages from other's servers.

One typical application is IMShopping.com where they need to have their users to snapshot some listed items from any web site and then they can process the information obtain from those web sites. So they do need to have any page on other's site to load their own script to do that.

In order have your own codes (from your site) "invade" others' page (from other's sites), you need to face two blockers:
  1. How to have the browser to load codes from your web site instead of the original site?
    It seems no way: a page loaded from others' sites won't contain your codes or any links to your site and how can your end users access your codes? The solution is using some "special" bookmarks. You can inject some javascript as a "hook" to your codes. Normally, bookmarks are used to mark urls but the "special" bookmarks contain javascript instead of url so that the javascript is executed when your end users click at the bookmark. Most popular browsers also allow bookmarks appear as items in the toolbar. By installing the "hook" to your codes as items in the browser toolbar, you can easily provide a way to switch the loading flow from the original web site to yours.
  2. How to communicate back to your site?
    So far you may feel that is: what else? Do you know "the same origin" security policy of browsers? Under the policy, objects and pages can not access data from different servers. Since the original page is loaded from other's sites so that you can not make calls back to your server if you still want to access any element (loaded from other's sites) on the page using means like AJAX. In this case, you need to use JSONP or "Dynamic scripting" to break the "the same origin" security policy. (see details about "Dynamic scripting" in my article Building an AJAX Application (1): It isn't called AJAX but Remote Scripting


B. OK, let's try it now to see how you can do something on web site like google.com!

(An application of the hacking approach above)

To try it out, please do following:

To add Spy bookmarks to your IE toolbar, please do the following
  1. Right mouse click at this link: Spy.
  2. Select "Add to Favorites".
  3. Select "Links" from the Favorites list.
  4. Make sure that your "Links" is enabled in your IE's command bar. You can right mouse click at the command bar at the top of IE and select "Customize Command Bar" and enable it if it is not.
To add Spy bookmarks to your Firefox toolbar, please do the following
  1. Right mouse click at this link: Spy.
  2. Select "Bookmark This Link".
  3. Select "Bookmarks Toolbar" Folder and click at "Done" button.
To add Spy bookmarks to your Chrome toolbar, please do the following
  1. Right mouse click at this link: Spy.
  2. Select "Copy link address".
  3. Select the options button and choose "Bookmarks".
  4. Select "Book mark this page".
  5. After you see the bookmark dialog popped up, you can click at "Edit" button
  6. Next, change the name of the bookmark to "Spy" and right click at the url field then select "Select All".
  7. Finally paste the bookmark address you copied to the clipboard to the url field and click at "Save" button.
To send Spys to a page , please do the following
  1. Navigate to your favorite page like claigslist page , like http://sfbay.craigslist.org/sby/fuo/
  2. Click at the bookmark "Spy" on the browser toolbar.
  3. Just wait for several of seconds. And the bugs will fly out!!

Back to Mark Qian's home page