Hack sbicapsec.com to run on Firefox

www.sbicapsec.com is State Bank of India’s online share trading portal. This is a good portal but their site’s code quality is amazingly of low quality, dare I say, crappy. SBI being a public sector government institute, we can rest assured that the code quality or bugs in it would not get fixed soon, if ever.

Anyway as of now if you try using this portal in Firefox or Chrome, then maybe you will endup with a screen like this.

sbicapsec.com after login in Firefox. Notice no applet running, instead we have weird “:10”.

Notice the weird “:10” character in the screenshot, instead of the Java Applet.

Fixing sbicapsec.com to run in Firefox

Don’t worry the “hack” here is not illegal. This is used merely as an expression for making things work the way you want it which requires a lot of technical trickery to get it right.

The following has been tested in Firefox 13 and 14 in Mac OSX and Windows XP. You are free to try this as you may want it though. Also this should work in Chrome too.

Now let’s get into fixing this in few simple steps:-

  1. For your sake, open this blog page in your Firefox browser.
  2. Install GreaseMonkey browser extension. You may need to restart your browser.
  3. Install my GreaseMonkey user script by clicking on the link here – AppVersion Patch for SBICAPSEC.
  4. Click on Install button in the dialog box that you get.

That is it! You should now get the applet after login.

Fixed sbicapsec.com, after login.

How the fix works (for the technically inclined)

This section is for geeks, who would like to know how the script works. Also it is better to understand this, so that you understand, there is no malicious code in my script.

What is wrong in sbicapsec.com’s site? (Root cause)

The portal’s JS code assumes that navigator.appVersion will always return a string which will have a semi-colon (;). In fact that is true for IE and Chrome (in Mac OSX version only), but not for others. After this failure everything goes down like dominoes.

The popup we get after login has a frameset with three frames. The second one is the one which is supposed to present the Java applet. The layout of that page is roughly as below:-

<body>
    ...
    <applet>
        <param>
        <param>
        <param>
        ...
    </applet>
</body>

It seems the devs there had a requirement to set the width and height of the applet based on user screen’s dimension. For this they modified the code to use JS to dynamically generate the upper applet tag.

<body>
    ...
    <script>
        // This script will generate the upper applet tag with appropriate width and height.
    </script>
        <param>
        <param>
        :10
        <param>
        ...
    </applet>
</body>

It is in the above script tag where it reads navigator.appVersion and tries to split it by ; and then read the other part. When that errors out, so does the code following it. That code is supposed to write the upper applet tag. So, at the end we are left with many param tags and a dangling </applet> tag. The weird :10 characters are written between two param tags.

From the way they have written the JS code, it seems the devs did not visualize the html page as a tree of blocks, instead for them it was a file stream; like the kind when you use your Java or C++ file output stream. The script block above uses document.write() to write the opening applet tag, instead of using JS to directly manipulate the DOM objects. I wonder how these devs can layout a page, who visualize it as a stream of characters? And, this is just a fraction of the real code, who knows what else is inside. It seems SBI needs to seriously train its devs. All this makes me loose faith over the security and reliability of their site.

Anyway, enough of the rant, back to the topic. The patch script I wrote will, simply try to do what there code was meant to do, add the applet tag. Because of the dangling applet end tag, I was unable to wrap my applet around the existing param tags. So, instead I detached all the param tags, emptied the parent (this reference was stored before detaching param), then added param tags inside the newly create applet tag and finally added the applet inside the previous parent of param tags.

I also tried using other techniques but they did not work. The first one was directly modifying navigator.appVersion to return a string with ;, but it seems you cannot modify them. The second options was to replace existing String.split() function with my own version. In my version I would always return an array of at least length two, so that the code does not error out. Anyway this too did not work out since GreaseMonkey scripts are ran after the page is executed. GreaseMonkey does provide an option to run our scripts at the beginning too, but according to docs that is not supported inside frames.

Anyway, all’s well that ends well. 🙂

Comments
27 Responses to “Hack sbicapsec.com to run on Firefox”
  1. Navdeep Singh says:

    Thanks man your a hero…lol

    going to try it. hope it works

  2. Navdeep Singh says:

    i confirm. its working just fine.

    oh 1 more thing if you use Latest Opera Browser X64 version. no need to install the script.

    • Gr8 to know and thanks for sharing the alternative. It is so unfortunate that such a big public sector bank cannot afford to develop a decent website and they want customers to switch to them. How pathetic.

  3. Radhika Shekhar says:

    Does any of this work from a tab ? I am trying to open sbicapsec from both Opera and Firefox browsers on my Android tab with no luck.

    • Well that is hard to say why without checking it myself, but Android browsers may reformat the webpage to fit it to screen. That might break it. Try this from native Android browser app after disabling Browser App > Setings > Advanced > Uncheck Auto-fit pages.

  4. gopal says:

    Thanks for the fix! The site works like a charm.

  5. Thanks a bunch!

    Upgraded my dad’s desktop to Windows 8 and underwent the most horrible two weeks of my life! Why I didn’t stumble upon your link earlier is quite a surprise. Thanks a lot though! Works like a charm!

  6. Suman J Pramanick says:

    I got upto “apple grew”,But the quatations I am not getting. any help??

  7. SHISHUPAL says:

    I did as per the instruction. Installed firefox & greaseMonkey & made it to work too.
    But the problem is Script screen is not showing any price quotes. What should I do?
    Message is PATCHING DONE MAKE SURE JAVA PLUGIN IS ENABLED.

  8. Sam says:

    This works like a charm..But I have a problem.. Two finger (Right) clicking on a scrips name in market watch does not bring up the menu that it should. I am hence unable to add any other scirps in market watch. Any ideas how to get that working?

  9. jitesh kumar thakur says:

    Dear sir

    I buy a laptop with windows8. Sbicapsec. trading platform’s menu show a Chinese language when we select them
    and in market watch scrip price does not show nor live activity.

    kindly suggest me

    Thanks

  10. Sujit Barua says:

    Thanks for your help. It is working now after waiting for 5 years… because SBICAP Shillong branch have maximum no of Dumbos… They does not know any thing about tech problem and showing every one that they are the master in all. Big prob. to handle them… Once I had complained and the reply came in Hindi ! what a jokes! I don’t understand Hindi… Any way thanks again for helping us …

    Regards

    Sujit

  11. This worked like a charm till about a few months back but hasn’t loaded since then.

    I use Windows 8 and the default IE doesn’t work well with SBICAPSEC either. Would appreciate any help in this regard.

    • Sorry, I can’t help you here. As I said it is a hack, so only if I can see how their code behaves in IE8 then only I can figure out any new hack. However, it is SBI’s job. Shame on them for not even carrying out even the basic test. As consumers please vote for them with your boot.

  12. Arun says:

    Hi,
    Does anyone here trading with SBICAPSEC using NOWONLINE sw of NSE(www.nowonline.in) for android phones..?I just downloaded the sw to my phone from Google market but I don’t find any ways to get the login credentials for NOW android application.
    Both the toll free customer helpline numbers of NSE as well as SBICAPSEC are not useful in getting the procedure.
    And even the SBICAPSEC customer support people are not aware of such a softwate/android app.

    Thanks in advance

    I raise this question here bcz in this blog we could see the SBICAPSEC users in abundance

  13. Arun says:

    Hi when i post a comment and close this page & open it again , it shows my mail ID in the window.. kindly rectify.

  14. Kumar says:

    I tried this on FF 20 in Ubuntu 10.4, the result is black box with “missing plugins” which are unable to get installed.

  15. anumon says:

    I use opera browser for sbicapsec trading. Just need to set site setting to “identify as ie or mask as ie”.

  16. anumon says:

    I want add one more thing use opera 12 not 15; on win 7 .

  17. ksh says:

    For using on mobile one can use sbicapsec lite version on dolphin browser on android. The lite version also works on chrome browser. Good for those who do not want live market tracking

  18. abhishek kumar says:

    how to trade now in android 4.2 jelly bean

Leave A Comment