Tampermonkey XSS Warnings on Key validation script | API Devel…

Tampermonkey XSS Warnings on Key validation script

    • Retroscope [3245241]
    Thread created on 12:05:44 - 29/03/24 (5 months ago)
    |
    Last replied 08:43:55 - 30/03/24 (5 months ago)
    I'm having trouble writing a script to prompt a user for their key, validate it, and then store it as a persistent variable.

    It can be achieved if the user clicks 'Always Accept' on a Tampermonkey warning screen. But that's ugly and would freak out anyone unfamiliar with userscripting.

    I've used scripts in the past that have done it silently.

    The only alternative I can think of is to just do a: Replace YOUR-KEY-HERE line inside the script itself. But again, that's not very friendly to anyone new to userscripting.

    Can anyone help?

    ~~~~~ Retroscope ~~~~~

    • mavri [2402357]
    Posted on 13:19:31 - 29/03/24 (5 months ago)
    > It can be achieved if the user clicks 'Always Accept' on a Tampermonkey warning screen. But that's ugly and would freak out anyone unfamiliar with userscripting.

    Where are you making the request to? Since you can just make a TornAPI request it shouldn't prompt for that.

    > Replace YOUR-KEY-HERE line inside the script itself. But again, that's not very friendly to anyone new to userscripting.

    You can use a "prompt" or have an input somewhere (example)

    mavri buys your stuff :P

    • Retroscope [3245241]
    Posted on 15:36:30 - 29/03/24 (5 months ago)
    Thanks for the reply, mavri.

    It's a test to get the mechanism in place for my code library.

    My code asks for a user's Limited Access key with a prompt() then sets it into a granted tampermonkey GM variable (with 4.0 and legacy compatibility).

    Then it accesses a random endpoint like /user/?selections=properties and fails if it gets "code": 2, "error": "Incorrect key" back.

    This triggers the XSS warning.

    ~~~~~ Retroscope ~~~~~

    • Hemicopter [2780600]
    Posted on 17:20:19 - 29/03/24 (5 months ago)

    > Retroscope [3245241]
    >
    > Thanks for the reply, mavri.
    >
    > It's a test to get the mechanism in place for my code library.
    >
    > My code asks for a user's Limited Access key with a prompt() then sets it into a granted tampermonkey GM variable (with 4.0 and legacy compatibility).
    >
    > Then it accesses a random endpoint like /user/?selections=properties and fails if it gets "code": 2, "error": "Incorrect key" back.
    >
    > This triggers the XSS warning.

    not really on topic, but you can use the key endpoint to find out how good the key is and even if it is limited

    https://api.torn.com/key/?selections=info&key=
    • tiksan [2383326]
    Posted on 21:34:30 - 29/03/24 (5 months ago)
    You're probably missing the @connect GM tag in the userscript's headers. See https://www.tampermonkey.net/documentation.php?locale=en#meta:connect
    Last edited by tiksan on 21:34:45 - 29/03/24
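    As an added illustration (not code from anyone in this thread), here is a minimal userscript skeleton that does what Retroscope describes: prompt for the key, verify it against /user/?selections=properties, treat error code 2 as a bad key, and only then persist it with GM.setValue; the @connect line is the fix tiksan points at, since without it the cross-origin GM.xmlHttpRequest is what triggers Tampermonkey's warning dialog. The storage name, the @match pattern and the tolerated flat error shape are assumptions.

```javascript
// ==UserScript==
// @name         Torn key validation (added example)
// @match        https://www.torn.com/*
// @connect      api.torn.com
// @grant        GM.getValue
// @grant        GM.setValue
// @grant        GM.xmlHttpRequest
// ==/UserScript==
const KEY_STORE = 'tornApiKey'; // assumed storage name, not from the thread
const API = 'https://api.torn.com';

// Sort a Torn API JSON body into ok / bad_key / error. Torn nests errors as
// {"error":{"code":2,"error":"Incorrect key"}}; a flat shape is tolerated too
// (assumption). Only error code 2 means the key itself is wrong.
function classifyResponse(body) {
  const err = body && body.error;
  if (!err) return { status: 'ok', code: 0, message: '' };
  const code = typeof err === 'object' ? err.code : body.code;
  const message = typeof err === 'object' ? err.error : err;
  return { status: code === 2 ? 'bad_key' : 'error', code, message };
}

function buildUrl(key) {
  return `${API}/user/?selections=properties&key=${encodeURIComponent(key)}`;
}

// Cross-origin GET through Tampermonkey. Without "@connect api.torn.com" in
// the header, this call is what makes the extension show its warning dialog.
function apiGet(url) {
  return new Promise((resolve, reject) => GM.xmlHttpRequest({
    method: 'GET', url,
    onload: r => { try { resolve(JSON.parse(r.responseText)); } catch (e) { reject(e); } },
    onerror: reject,
  }));
}

// Reuse a stored key if present; otherwise prompt, verify, then store (a typo is never saved).
async function ensureKey() {
  let key = await GM.getValue(KEY_STORE, '');
  for (;;) {
    if (!key) key = (prompt('Enter your Torn Limited Access API key:') || '').trim();
    if (!key) return null; // user cancelled the prompt
    const v = classifyResponse(await apiGet(buildUrl(key)));
    if (v.status === 'ok') { await GM.setValue(KEY_STORE, key); return key; }
    if (v.status === 'error') throw new Error(`Torn API error ${v.code}: ${v.message}`);
    key = ''; // code 2: wrong key, ask again
  }
}
if (typeof GM !== 'undefined') ensureKey().then(k => console.log(k ? 'key stored' : 'no key'));
```

    Swapping buildUrl to the /key/?selections=info endpoint Hemicopter mentions lets the same loop also reject keys whose access level is too low, without changing the rest of the flow.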


    • Retroscope [3245241]
    Posted on 08:31:58 - 30/03/24 (5 months ago)

    > Retroscope [3245241]
    >
    > Thanks for the reply, mavri.
    >
    > It's a test to get the mechanism in place for my code library.
    >
    > My code asks for a user's Limited Access key with a prompt() then sets it into a granted tampermonkey GM variable (with 4.0 and legacy compatibility).
    >
    > Then it accesses a random endpoint like /user/?selections=properties and fails if it gets "code": 2, "error": "Incorrect key" back.
    >
    > This triggers the XSS warning.

    > Hemicopter [2780600]
    >
    > not really on topic, but you can use the key endpoint to find out how good the key is and even if it is limited
    >
    > https://api.torn.com/key/?selections=info&key=

    That's good info to have, mate. Ty :)

    ~~~~~ Retroscope ~~~~~

    • Retroscope [3245241]
    Posted on 08:43:55 - 30/03/24 (5 months ago)

    > tiksan [2383326]
    >
    > You're probably missing the @connect GM tag in the userscript's headers. See https://www.tampermonkey.net/documentation.php?locale=en#meta:connect

    Yes that's likely it!

    I'd been toying with the @connect after seeing a related console message but couldn't get it working. I was flailing about in all different directions trying to find where I was failing, and I forgot to go back to it.

    I'll have a good read through the relevant Tampermonkey mans and then revisit it again. But I'm pretty sure you just hit the nail on the head, mate.

    Ty ?

    ~~~~~ Retroscope ~~~~~
