Detect if Firebug is enabled and deny access

Firebug is an essential tool for every web developer. It lets you do many things, such as script debugging and DOM manipulation. What happens, though, when it gets into the hands of an experienced attacker? Then it can be used to exploit client-side weaknesses in your site very easily!

How can you prevent that? Well, you can't, actually (or rather, you can, by writing secure code on the server side), because the source has already been downloaded to the browser and anyone can do anything with it. But there is a way to make the process a little bit trickier (attention: it is still overridable, but I won't say how ☺).

Just put the following code in your page and try to activate Firebug's console:

// Requires jQuery. Once the page has loaded, run the check every 5 seconds.
$(window).on('load', function () { setInterval(chkh, 5000); });

function chkh() {
    // Firebug exposes window.console.firebug while its console panel is enabled.
    if (window.console && window.console.firebug) {
        var path = window.location.pathname;
        // Redirect unless we are already on the deny page (avoids a reload loop).
        if (path !== '/DenyAccess.html')
            window.location = '/DenyAccess.html';
    }
}

What the above script does is check every five (5) seconds whether Firebug's console is enabled and, if it is, redirect the user to a page that, for example, prompts them to disable Firebug's console, or whatever else you think is appropriate. Note that the only thing inspected is the presence of the window.console.firebug property, which Firebug sets while its console is active. Checking whether a property is defined every five or ten seconds is not a heavy operation, so the overhead is small.

Does the above code actually prevent anything? Not on its own, so use it wisely!

I'm saying again that this code checks only for Firebug's console. The other panels (HTML, DOM, Script) remain active and fully functional, and the check detects nothing in other browsers' developer tools.
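The same check, rewritten here as an added example (not the post's original snippet) so that the decision logic can be exercised outside a browser. The window is passed in as a parameter, and the stand-in windows at the bottom are constructed for the demonstration; the `/DenyAccess.html` page name is taken from the post, and the version-string value placed in `console.firebug` is an assumption used only to make the property truthy.

```javascript
// Added example: the Firebug console check factored into pure functions.
// The window-like object is injected, so the logic runs without a browser.

var DENY_PAGE = '/DenyAccess.html'; // page name used in the post

// True only when the page can see the property Firebug added to
// window.console while its console panel was enabled. Nothing else is
// detected: other Firebug panels and other browsers' dev tools are invisible.
function isFirebugConsoleEnabled(win) {
  return Boolean(win && win.console && win.console.firebug);
}

// Decide what one tick of the periodic check would do for a given window.
// Returns the URL to redirect to, or null when no redirect should happen.
function decideRedirect(win) {
  if (!isFirebugConsoleEnabled(win)) {
    return null;
  }
  if (win.location.pathname === DENY_PAGE) {
    return null; // already on the deny page; avoid a reload loop
  }
  return DENY_PAGE;
}

// Apply the decision to a real (or stand-in) window object. Assigning to
// window.location navigates in a browser; on a stand-in it just records it.
function enforce(win) {
  var target = decideRedirect(win);
  if (target !== null) {
    win.location = target;
  }
  return target;
}

// Install the poll with the same 5-second period as the post. Returns the
// timer id so the check can be cleared again (clearInterval).
function installCheck(win, intervalMs) {
  return setInterval(function () { enforce(win); }, intervalMs || 5000);
}

// --- Constructed stand-in windows for a stand-alone run (no browser) -----
function makeWindow(pathname, firebugConsoleEnabled) {
  var w = { location: { pathname: pathname, href: pathname }, console: {} };
  if (firebugConsoleEnabled) {
    // Assumption: any truthy value stands in for the string Firebug stored here.
    w.console.firebug = '1.x';
  }
  return w;
}

// Demonstration: one tick against a page with and without the console enabled.
console.log('no Firebug  ->', decideRedirect(makeWindow('/index.html', false)));
console.log('Firebug on  ->', decideRedirect(makeWindow('/index.html', true)));
console.log('on deny page->', decideRedirect(makeWindow(DENY_PAGE, true)));
```

Every input to `decideRedirect` is a plain property the page reads back from the browser, so whatever can edit those properties (which is exactly what a script console offers) also decides the outcome; that is the circumvention the comments below allude to.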

3 Comments

  • TechnoBits.net said:

    How do you prevent the same thing in IE and Chrome? Any idea?

  • haliphax said:

    Ironically enough, this "fix" can be circumvented with FireBug.

  • Bryan Migliorisi said:

    This is perhaps some of the worst security advice I have ever seen in my life.

    Any "experienced attacker" will look at this and laugh because with any experience, someone can circumvent your security in seconds.
