javascript-injection

Attempted exploit?

为君一笑 提交于 2019-12-03 11:31:53
I saw that my nopCommerce site had a logged search for: ADw-script AD4-alert(202) ADw-/script AD4- I'm a bit curious though what they were trying to accomplish. I searched a bit for it and appearently the ADw-script AD4- encodes in UTF7 to <script> . But why the alert(202) ? Were they just checking for vulnerabilities? More hacking attemps was logged and I made a new question about them here: Hacking attempt, what were they trying to do and how can I check if they succeeded? Someone is checking if you have a UTF-7 injection vulnerability to exploit it later. UTF-7 uses only characters that are

Can't insert js programmatically if it uses document.write

旧时模样 提交于 2019-12-02 01:35:38
I am trying to insert js files programmatically, using jquery and something like this: var script = document.createElement( 'script' ); script.type = 'text/javascript'; script.src = 'http://someurl/test.js'; $('body').append(script); It works fine, if test.js contains an alert or some simple code it works fine, but if the file test.js contains document.write , and the file including the js is hosted on another domain than test.js (or localhost), nothing happens and firebug shows the error : A call to document.write() from an asynchronously-loaded external script was ignored. If the test.js and

handle javascript injection in asp.net mvc

|▌冷眼眸甩不掉的悲伤 提交于 2019-12-02 00:39:12
问题 How can we handle the javascript injection in asp.net mvc (C#) application? I can use Html.Encode in my View. But the problem is i have html also to show in the page like a blog post. I need to remove the script entered in the input elements of the application? How can i do that in a common place? 回答1: The "high-level" best practice for doing this is: Store user-input the way it was entered into the system HTML encode all user-input when it is output on any page Use a white-list approach to

Is there a known workaround for IE9's execution order of injected script tags?

给你一囗甜甜゛ 提交于 2019-12-01 09:10:30
I am sure I don't fully understand this problem, but it seems that we are seeing strange behavior on IE9 on my project, somehow related to out-of-order execution of JavaScript that has been injected via calls to document.write , e.g.: document.write('<scr'+'ipt type="text/javascript" src="'+file1+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file2+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file3+'"></src'+'ipt>'); My limited Google research suggests that IE9 will execute scripts injected in this manner in a different order from

“Refused to load the script” error in chrome extension

本秂侑毒 提交于 2019-11-30 18:46:46
问题 There are a lot of questions on SO similar to this one however none of them solved my purpose. I'm creating a 'pinterest' like chrome extension. It injects script on webpage, collect images and then post it somewhere. Everything is working perfectly however when i run this on pinterest itself, it gives me this error: Refused to load the script 'https://domain_name.com/my_script.js' because it violates the following Content Security Policy directive: "default-src 'self' https:// .pinterest.com

Preventing JavaScript Injections in a PHP Web Application

为君一笑 提交于 2019-11-30 08:57:11
What are the measures needed to prevent or to stop JavaScript injections from happening in a PHP Web application so that sensitive information is not given out (best-practices in PHP, HTML/XHTML and JavaScript)? Jeffrey Blake A good first step is applying the methods listed in the question Gert G linked . This covers in detail the variety of functions that can be used in different situations to cleanse input, including mysql_real_escape_string , htmlentities() , htmlspecialchars() , strip_tags() and addslashes() A better way, whenever possible, is to avoid inserting user input directly into

Injecting CSS into UIWebView using JavaScript

橙三吉。 提交于 2019-11-30 05:26:05
I am attempting to inject a local CSS file to override the styling of a webpage. The webpage is presented in a UIWebView container in iOS. However I am not able to get my code to work. See the snippet of my delegate method below. This code runs (I can see the NSLog message) but I do not see the results of it's execution on the page. I know it can't be the CSS I wrote because in this case I took the pages own CSS file and simply changed some colors. (In order to test this method) -(void)webViewDidFinishLoad:(UIWebView *)webView { NSString *path = [[NSBundle mainBundle] bundlePath]; NSString

Preventing JavaScript Injections in a PHP Web Application

筅森魡賤 提交于 2019-11-29 13:02:13
问题 What are the measures needed to prevent or to stop JavaScript injections from happening in a PHP Web application so that sensitive information is not given out (best-practices in PHP, HTML/XHTML and JavaScript)? 回答1: A good first step is applying the methods listed in the question Gert G linked. This covers in detail the variety of functions that can be used in different situations to cleanse input, including mysql_real_escape_string , htmlentities() , htmlspecialchars() , strip_tags() and

Injecting CSS into UIWebView using JavaScript

时光毁灭记忆、已成空白 提交于 2019-11-29 05:18:14
问题 I am attempting to inject a local CSS file to override the styling of a webpage. The webpage is presented in a UIWebView container in iOS. However I am not able to get my code to work. See the snippet of my delegate method below. This code runs (I can see the NSLog message) but I do not see the results of it's execution on the page. I know it can't be the CSS I wrote because in this case I took the pages own CSS file and simply changed some colors. (In order to test this method) -(void

JavaScript NoSQL Injection prevention in MongoDB

谁说我不能喝 提交于 2019-11-28 09:15:38
How can I prevent JavaScript NoSQL injections into MongoDB? I am working on a Node.js application and I am passing req.body , which is a json object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case. Note My answer is incorrect. Please refer to other answers. -- As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem. For details follow the documentation UPDATE Avoid expression like eval which can execute arbitrary JS. If