When a website expects more than javascript, what else might it be requiring ?

5 replies [Last post]
amenex
Offline
Joined: 01/04/2015

My Abrowser works great for just about every website I visit, but my
healthcare provider's new portal is not opening for me, even with
javascript enabled.

I've captured the sourcecode for the portal, with its many javascript
links, but I haven't a clue what to look for in that list versus the
Abrowser options.

When I type about:config into the address bar of Abrowser, a very long
list of configuration options appears, and I can see that javascript
is enabled ... but just guessing seems like a rather inefficient way
of going about solving the puzzle and picking what else also needs to be
enabled ... short of running upstairs and using my missus' W10 laptop.

The website's Help Desk says, "we only do windows."

George Langford

loldier
Offline
Joined: 02/17/2016

Third party Javascript sites may interfere if blocked.

Care to be to be more specific as to the web site? A public portal or behind authentication?

onpon4
Online
Joined: 05/30/2012

> The website's Help Desk says, "we only do windows."

Then don't use it.

Call them every time you need information from them, and explain when you call that you can't use their Web interface because it doesn't work on Trisquel. Eventually, someone in charge will notice that this ridiculous policy is causing them inconvenience by having to waste a worker's time doing something that you would be perfectly willing to do yourself through a Web interface.

amenex
Offline
Joined: 01/04/2015

The website uses the ASP server-side programming language, which
requires a Microsoft server, and the sourcecode of the website
expects Internet Explorer (IE 11).

I tried enabling both javascript and external javascript handling,
but the page load still won't get farther than the colorful
background. Afterwards, I disabled external javascript handling,
of course.

There are other "features" of javascript that are still turned off
by default:

javascript.options.asyncstack;false
javascript.options.discardSystemSource;false
javascript.options.dump_stack_on_debuggee_would_run;false
javascript.options.mem.log;false
javascript.options.mem.notify;false
javascript.options.shared_memory;false
javascript.options.streams;false
javascript.options.strict;false
javascript.options.throw_on_asmjs_validation_failure;false
javascript.options.throw_on_debuggee_would_run;false

I found some clues to the problem here:
https://www.makeuseof.com/answers/view-aspbased-website-android-phone/

But Abrowser doesn't appear to give any choice for user agents
in the about:config page

Mozilla has the right approach for this website's developer (Epic
Systems Corp.) to adopt:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent

George Langford

ADFENO
Offline
Joined: 12/31/2012

2018-03-11T15:25:07+0100 name at domain wrote:
> The website uses the ASP server-side programming language, which
> requires a Microsoft server, and the sourcecode of the website
> expects Internet Explorer (IE 11).

That seems to be an issue in development practices, I also see other
websites that are programmed in ASP server-side language. I do want to
point out that, as far as I know, the language they use server-side
shouldn't impose problems for us. So it's really the developer human
being in the chair who is causing this issue.

So please contact the website owners and also the developers and suggest
them to change this behavior. You can use the Action items ([1])
LibrePlanet wiki page to ask other people to do the same for the same
website, so it would not be "just you/one" person complaining.

[1] https://libreplanet.org/wiki/Action_items .

--
- Formas de contato: https://libreplanet.org/wiki/User:Adfeno#vCard

- Ativista do /software/ livre (não confundir com gratuito). Avaliador
da liberdade de /software/ e de /sites/.

- Membro do LibrePlanet Brasil:
https://libreplanet.org/wiki/Group:LibrePlanet_Brasil

- Comunicações sociais federadas padronizadas, onde o "social"
permanece independente do fornecedor.

- #DeleteWhatsApp. Use o pai dele, #XMPP, federado e com padrão
internacional: https://libreplanet.org/wiki/XMPP.pt

- #DeleteFacebook #DeleteInstagram #DeleteTwitter #DeleteYouTube. Use
redes sociais federadas que suportam #ActivityPub, padrão
internacional, como a rede Mastodon: https://joinmastodon.org/

- #DeleteNetflix #CancelNetflix. Evite #DRM:
https://www.defectivebydesign.org/

- Quer enviar arquivos para mim? Veja:
https://libreplanet.org/wiki/User:Adfeno#Arquivos

- Quer doar para mim, ou me contratar? Veja:
https://libreplanet.org/wiki/User:Adfeno#Suporte

- Minhas contribuições:
https://libreplanet.org/wiki/User:Adfeno#Contributions

strypey
Offline
Joined: 05/14/2015

amenex wrote:
"The website uses the ASP server-side programming language, which requires a Microsoft server, and the sourcecode of the website expects Internet Explorer (IE 11)."

I suggest finding out a bit more about what versions of Windows and ASP the website is running on, and what known vulnerabilities haven't been patched in those versions. I'd be very surprised if you can't find some genuine security risks in a website optimized for a browser released in 2013, based on a proprietary scripting language created by 1990s Microsoft.

Come up with a few examples of how your Blackhat Evil Twin could use those vulnerabilities to catastrophically mess with your health provider. 3-5 examples should do, including things like using the website to tunnel into the internal network and copy the client database, or hijacking the Windows server to send trojans to every email address in the database, disguised as password reset requests.

Send that information to the risk assessment department of the insurance company that insures your health provider, with a copy cc'd to their IT department. Tell the insurance company that the best way to permanently fix these vulnerabilities is to migrate the website to a modern infrastructure, which supports web standards in a vendor-neutral fashion. Let the inherently risk-averse nature of the insurance industry do the pestering for you.

Optional step:
If they show no signs of taking action, post your research here, with a strict warning that nobody should even think about posting the info anonymously on 4Chan. Yes, I've been watching too much Mr Robot ;)