by justin_oaks 1006 days ago
Many of the use cases mentioned are available through a single tool called CyberChef.

There is an online version [1] but it doesn't submit any data to any servers. It only loads JS for the operations it needs to perform.

You can also download it and run it offline [2]. This is what I do.

I'll leave it up to you to decide if this makes QuaranTab unnecessary or if it's the perfect reason to use QuaranTab.

[1] https://gchq.github.io/CyberChef/

[2] https://github.com/gchq/CyberChef/releases/

2 comments

This extension is still very cool.

+1 to CyberChef, it's awesome. If you really have qualms about the URL, it's trivial to re-host / serve it to yourself offline.

My favorite part is the whole recipe feature (CyberChef builds a URL with the configured processors you use to process data).

I find myself using that a ton to share XPath / JPath expression-type work with sample data to others by sharing that URL.

I've been curious about this: Is there a way to exfiltrate data from a locally downloaded single page application?

Due to the same-origin principle, plain XHR and similar should be out, but what about CORS or script/image embedding with query parameters?

Data exfiltration works just fine with a locally downloaded SPA. There's script/image embedding as you mention. There's also iframes and form submissions.

As for XHR, the same-origin principle doesn't prevent the request from going out; it prevents the response from being readable by the page. Even so, a remote site can add the right CORS headers to allow access from anywhere, and your browser will happily send the data out AND allow the page to read the response.

You could probably mitigate most, if not all, exfiltration using a CSP [1] that you manually add to the HTML meta tag.

The reason for using a local copy is so once I verify that the copy I have is "clean" (either built myself or reviewed, and confirmed to not send data out) then I can trust that version until I replace it.

If I load data from a website, there are no guarantees that I don't get a different version every time.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
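
An added example, not part of the thread and not CyberChef's code: a small Node.js audit that takes the CSP string you plan to put in `<meta http-equiv="Content-Security-Policy" content="...">` and reports which of the channels listed in the comment above (script/image embedding, iframes, form submissions, XHR) it still leaves open. The function names and sample policies are constructed for illustration, and it assumes that `'self'`, `data:` and `blob:` cannot reach a remote host for a page opened from disk.

```javascript
// Channel -> directive fallback chain, in lookup order.
// form-action does NOT fall back to default-src, so it must be set explicitly.
const CHANNELS = {
  "script embedding": ["script-src", "default-src"],
  "image embedding": ["img-src", "default-src"],
  "iframes": ["frame-src", "child-src", "default-src"],
  "form submissions": ["form-action"],
  "XHR/fetch": ["connect-src", "default-src"],
};

// Source expressions treated as unable to name a remote host (assumption).
const LOCAL_ONLY = new Set(["'none'", "'self'", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"]);

// Parse "name src src; name src" into Map(name -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // Per the CSP spec, the first occurrence of a directive wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return the channels that can still send data to a remote host.
function openChannels(policy) {
  const directives = parseCsp(policy);
  const open = [];
  for (const [channel, chain] of Object.entries(CHANNELS)) {
    const governing = chain.find((d) => directives.has(d));
    if (!governing) { open.push(channel); continue; } // unrestricted
    const remote = directives.get(governing).some(
      (s) => !LOCAL_ONLY.has(s.toLowerCase()) && !/^'(nonce|sha\d+)-/i.test(s)
    );
    if (remote) open.push(channel);
  }
  return open;
}

// Constructed sample policies.
const WEAK = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:";
const STRICT = WEAK + "; form-action 'none'";
console.log("WEAK leaves open:", openChannels(WEAK));
console.log("STRICT leaves open:", openChannels(STRICT));
```

The first policy looks locked down but still allows form posts to any host, because `form-action` is not covered by `default-src`; the second closes that gap.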

It's possible if the destination allows it, like Google Analytics.

I know this won't land well, and certainly it's a good option, but there's a terrific and hilarious irony in someone saying "I don't really trust the third parties with my non-public data" and you're like, yeah, use the one tool that's built and maintained by a literal spy agency.

Yeah, that one has been argued to death in other places. And people bring that up about Ghidra, the reverse engineering tool developed by the NSA. I look at these tools suspiciously too.

Even so, the irony is only shallow. I haven't yet found a suitable reason not to use such tools if they're not sending out data, regardless of where the tools come from. The FAANG companies are far better at collecting your data, and do so brazenly.