hack JavaScript web SPA

Hacking a web page's JavaScript

I recently acquired a Logitech Spotlight Presentation Remote to help me during my presentations. While some conferences propose clickers to speakers, not all of them do. And it’s quite inconvenient to be bound to the laptop to advance to the next slide when presenting, as I like moving around in general. When I received the remote, I was eager to test it, and I was happy to assert it worked on Google Slides.

The root issue

I went to a meetup just afterwards, and I couldn’t help no

javascript hack

Bypassing Javascript checks

Nowadays, when a webapp offers a registration page, it usually duplicates the password field (or sometimes even the email field). By having you type the password twice, it wants to ensure that you didn’t make any mistake. And that you don’t have to reset the password the next time you try to log in. It makes sense if you actually type the password. Me, I’m using a password manager. That means I copy-paste the password I got from the password manager twice. So far, so good

hack

getCaller() hack

As developers, we should only call public APIs. However, the Java language cannot differentiate between public API and private stuff: as soon as a class and one of its methods is public, we can reference the former and call the latter. Therefore, we are exposed to the Dark Side of the Force, and sometimes tempted to use it. A good example of this terrible temptation is the sun.reflect.Reflection.getCaller(int) method. As its name implies, this evil piece returns which class called your current co