Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I want to detect using vanilla javascript if the end-user has any webextensions enabled at all. Is there a way to query for a list of browser enabled webextensions? Hopefully there is another way besides checking for injected scripts, css and image tags that the page was never intended to load.
This question was shut down for not entering enough security reasons. I can understand why that's a concern but it is not a reason to burn a technical question. Regardless, here are security reasons to want to eliminate web-extensions from a website:
web-extensions allow people to break CSP
https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden
scrape your business data, install key loggers to harvest passwords and other information, install image tracking beacons to track private and sensitive end-user information - all unbeknownst to your average end-user.
In addition, deliberate or self-made web-extensions can automate scraping your business data, attempt to spoof captcha logins and other malicious purposes.
some way is
you can check number of script tag that document has (also css)
then if there were more than your resource
user use extension
... some extension does not add script or css
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I know I could utilize client-side storage, cookies, WebSQL to make an app independent of the internet if the tablet/phone went offline for a bit. But at the end of the day if the user refreshes the browser, the site will try to load the HTML/CSS/JS and it's going to fail to load. I haven't been keeping up on HTML5 enhancements in the last year so I'm wondering if something like this exists. For instance specifically telling the browser to cache the static assets and use them again upon reload unless newer versions exist.
NOTE: I'm only interested in how to allow the page to go through a reload with the site offline if such thing exists.
I believe that #NickZuber has answer my question with his link. The thing I was looking for is
Application Cache
Works on most (90%+) modern browsers Best suited for storing
application code
The only option to reliably load a website from nothing offline
Can storage a significant amount of data (50mb+)
Very difficult use without causing unintended consequences for most
websites
Here is a working example of it in action. You can essentially turn off your internet, hit refresh on the browser, close the browser and re-open it. Whatever you want and the app loads up just fine complete with Images, CSS Styles, and Javascript.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
One of my websites has recently, and is (ongoing) continuously, under attack. A JavaScript script is being inserted into the MySQL database somehow.
I am using the following:
$unsafe_variable = addslashes(htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['user_input']))));
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
However, the hacker is still able to insert a "script" tag. I have no idea how. I have a word filter and blacklisted the word "script", which gets blocked when I post a test to the site. How is he/she able to get it through?
The above is a screenshot of the entry into the database. Anyone have any ideas on how I can prevent this?
For a start, JavaScript is code that a user can actually edit using DOM tools (like inspect element) and should never be used as a mechanism to security with Databases.
You should firstly start to research about prepare statements in PDO if you're using un-trusted user input; the bind paramtter in the PDO interface automatically strips the HTML content out of the input.
You can also look at the preg_replace function inside of PHP. This can be used to do more unique and to-the-point strips and allows functionality like BB Code.
There are plenty of resources on stack over-flow which cover the security issues raised in this question and certainly solve each layer attack.
Source 1
Source 2
Also note, the attack you're specifying is an XSS attack used to inject malicious JavaScript code. If you want to allow this code, never directly insert it to a global page (ie: comments that multiple users can see). Only allow the single user to view the code they put in. Otherwise, view the above sources for further information.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Certainly I'm not the first one to think of this problem. However, the fact that I couldn't find any articles on this issue (let alone any solutions) fosters my suspicions that there is no canonical solution to this problem:
Let's say I have a trusted web-server that serves a web page using HTTPS and the web page loads some third-party libraries from a third-party web-server (such as a CDN, or similar). Now, in principle, there is nothing that stops the CDN from serving some malicious javascript. This is a problem, except, of course, if I could verify the authenticity of JavaScript-Files served from the third-party servers using cryptographic signatures.
Given that I can dynamically load js-files and there exist crypto-libraries nowadays this should be possible. Or am I overseeing something? Are there existing javascript-Libraries that tackle this problem?
Potentially, yes, you can create the signatures yourself at certain point of time, store them on your server, and when your web page is loaded, you can stream the JS files, calculate their signatures, validate them and then ask the browser to use the JS files, if they are valid.
The problem is that if the third-party author updates the library, then your scheme will stop working until you validate the new code and update the signatures on your server.
Also the necessity to load crypto library from your site will often negate the benefit of using CDNs for other scripts.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
Compared to scripts within a page, what extra powers do addons/extensions have? They are essentially scripts, then what makes them so special? Beside being static, have buttons on the toolbar, and be able to see the locations of other tabs, what extra functionalities do they provide over scripts on a page?
Scripts on a website are generally sandboxed and are limited in what they can do (for security). In contrast, extensions can live outside of the sandbox and interact more with the browser and system. For example, some extensions can manipulate browser history, browser preferences, intercept and modify pages, access your clipboard, or even execute arbitrary code on the system. Taking a look at the Chrome extensions permissions warnings can give you a pretty good idea of what Chrome extensions can do (and which most scripts can't). Also check out the chrome.* APIs which extensions have access to.
It depends on the browser.
For example, in Firefox an extension can open a file on your filesystem, write arbitrary bytes to it, then run the file as an executable. Or put another way, it can do anything Firefox itself (or more generally, any program run by the user running Firefox) can do.
An extension is always around and theoretically works on every site (or on no site at all), while a script within a page only exists within that page. So unless you're talking about a VERY specific function/script only for a specific site, addons are more "available".
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
Doesn't using Google CDN for jquery break the rule of not using cross domain requests on the webpage. Do we trust Google enough to do this?
The use of script tags from a foreign website are allowed within the browser itself. Because it is presumed that you intend to load this functionality. The scripts loaded are not able to communicate directly with the foreign domain though (XHR same-origin, except with CORS). Now, this is precisely why you don't want to allow for un-checked user input that could load a script from a foreign site. It is possible for a foreign script to do things you don't want, but if it is from a trusted source, it should be fine.
If google was caught to be using an injection via their CDN, there would be severe backlash, and I doubt it would ever happen, and if it did, would be corrected far more quickly than you would even notice the issue.
No, it doesn't break the rules of cross domain requests. When you include jQuery from Google's CDN, you are simply including a resource into your page (much like linking to an image). This does not fall into the Same Origin Policy security concept to which I assume you refer, which mostly encompasses XHR (ajax) requests.