So, I want to make a JavaScript bookmarklet that starts a prompt to type in a password. If the password is correct, it will alert a secret message. I put together some code from my other bookmarklets, and made this:
javascript: prompt("Password?");if(12345) alert(Correct)
But alas, it doesn't work. The only JavaScript experience I have is tinkering a little with a bunch of bookmarklets so...
This will work for tinkering etc. It is not actually secure.
let password = prompt('Password?');
if (password === 'asdf') {
alert('correct');
}
W3schools has a good JavaScript intro series:
https://www.w3schools.com/js/default.asp
So, when our web application is scanned by Veracode, I get many Cross-Site Scripting flaws,
"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"(CWE ID 80).
And, out of the few flaws we have, I could not figure out how to fix this particular scenario.
Below is my piece of code -
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
var label = $(item).text();
if (label == "Save" || label == "Create")
$(item).click();
});
I can see the flaw reported on the $(item).text(); and $(item).click(); lines.
I understand that, for text I can use something like DOMPurify.sanitize to clean the string.
But, I could not understand why Veracode is reporting for $(item).click();
Is it because the $(item) itself is not safe?
If yes then, how do I fix it?
I would greatly appreciate any help in this.
Okay, found the fix in the DOMPurify library.
You can sanitize a DOM element too using DOMPurify.
So, the code below works:
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});
I found hundreds of cloned versions of my website.
Whoever is doing that is using some code that clones my web pages and changes my website name mydomain.com to clone1.com, clone2.com, clone3.com etc., and this makes it impossible to use a simple JS or PHP check that the header URL is equal to mysite.com and then redirect.
It also does not work using the .htaccess
For this reason I have created this code:
<script type="text/javascript">
if (window.location.href== "http://clone1.com/cat1/{{{ $title->id }}}-{{ (Str::slug($title->title)) }}/cat2/{{ $se->n }}/cat3/{{ $episode->ep_n }}")
{
window.location.href = 'http://google.com/';
}
</script>
This script completes its purpose but is too long and is also very restrictive because it must contain the exact URL.
I'm looking to do this:
<script type="text/javascript">
if (window.location.href== "http://
//contains this part in its URL
clone1.com , clone2.com , clone3.com , clone4....
}}")
{
window.location.href = 'http://google.com/';
}
</script>
How can I create a global JS (JavaScript), that would detect if the current page is not on my domain and then redirect the reader to my domain and the same page?
Many thanks
1. Best Solution - Early Detection
Depending on your main traffic source, it is possible to detect who is scraping you and block them based on their IP, headers, number of page views and other data, using PHP & HTACCESS.
I really like this answer on StackOverflow, which discusses almost all the options available for early detection:
How to detect fake users ( crawlers ) and cURL
2. Plugins & Extensions for Open Source Content Management Systems
Wordpress
If using Wordpress CMS, you can try some plugins, like WordFence, that can detect and block fake Google Crawlers, block based on the number of page views etc.
Other CMS
If you can't find a similar solution for your CMS of choice, consider asking the community for help with creating a solution like that, as I believe many people could benefit from it.
3. Solution for already stolen content with JavaScript
Sometimes the easiest road to hide something in JS is to actually HIDE something by OBFUSCATING it and by hiding it in multiple important files. For example, obfuscate some important file on your website without which the website just wouldn't work properly.
For example, put an obfuscated version of the code below somewhere in a JS file in the header. Obfuscate this code using any free online service or download your own library from GitHub:
Non-Obfuscated:
w = 'mysite.com'; // Canonical hostname; compared against window.location.hostname, not the full URL
function check_origin(){
    var check = 587;
    if(window.location.hostname != w){
        // Send the reader to the same path on the real site. A bare 'mysite.com' would be
        // treated as a relative path on the clone, so the scheme and host are spelled out.
        window.location.href = 'https://' + w + window.location.pathname + window.location.search;
    }
    return check;
}
var check = check_origin();
Obfuscated example:
var _0x303e=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x72\x65\x66"];w= _0x303e[0];function check_origin(){var check=587;if(window[_0x303e[2]][_0x303e[1]]!= w){window[_0x303e[2]][_0x303e[3]]= w};return check}var check=check_origin()
Now put an additional code in some Footer JS File, to verify the code above wasn't modified in any way:
Non-Obfuscated example:
// typeof guards first: if the header script was stripped, w and check are undeclared
// and reading them directly would throw before the redirect ran
if(typeof w == 'undefined' || w !== 'mysite.com' || typeof check == 'undefined' || check !== 587){
    window.location.href = 'https://mysite.com' + window.location.pathname + window.location.search;
}
Obfuscated:
var _0x92bb=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];if(w!== _0x92bb[0]|| check== false|| typeof check== _0x92bb[1]|| check!== 587){window[_0x92bb[3]][_0x92bb[2]]= _0x92bb[0]}
I used a free online service from Google's search results for the term "Free Online JS Obfuscator":
https://javascriptobfuscator.com/Javascript-Obfuscator.aspx
4. Fight thieves with available methods e.g. Request a Ban from Search Engines – The Digital Millennium Copyright Act of 1998
Here is a blog-post that describes what to do when someone is stealing your content.
https://lorelle.wordpress.com/2006/04/10/what-do-you-do-when-someone-steals-your-content/
You can investigate who is doing that and report them to their partners, search engines, advertisers - to disrupt their business.
Depending on their country of origin and yours, it is maybe even possible to sue them and win.
Why not check whether the hostname is yours?
if(window.location.hostname != 'mysite.com'){
window.location.href = 'http://google.com/';
}
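Both answers above rest on the same check: compare window.location.hostname, not the full href, against your own host. The following is an added example (not code from either answer) that does that as a pure function and also answers the part of the question the answers leave out, landing the reader on the same path and query string on the canonical site. The hostname, the allowed-host list and the test URLs are constructed assumptions.

```javascript
// Added example: decide where a page served from a clone host should redirect.
// Kept as a pure function so it can be tested outside a browser.
const CANONICAL_HOST = 'mysite.com';   // assumption: your real hostname
// Hosts that must NOT trigger a redirect (your own aliases and local testing).
const ALLOWED_HOSTS = new Set([CANONICAL_HOST, 'www.' + CANONICAL_HOST, 'localhost']);

// Returns null when the page is on an allowed host, otherwise the URL of the
// same path, query and fragment on the canonical site.
function canonicalRedirect(currentHref) {
  let url;
  try {
    url = new URL(currentHref);
  } catch (e) {
    return null;                       // unparsable input: do nothing rather than loop
  }
  // Exact hostname match. A substring test such as href.indexOf('mysite.com')
  // would be fooled by a clone at mysite.com.clone1.com; this is not.
  if (ALLOWED_HOSTS.has(url.hostname.toLowerCase())) {
    return null;
  }
  return 'https://' + CANONICAL_HOST + url.pathname + url.search + url.hash;
}

// Browser glue: a no-op under Node, where there is no window.
if (typeof window !== 'undefined' && window.location) {
  const target = canonicalRedirect(window.location.href);
  if (target !== null) {
    // replace() rather than assigning href, so the clone page does not stay in history
    window.location.replace(target);
  }
}
```

A scraper that rewrites every occurrence of your hostname in the HTML will rewrite CANONICAL_HOST too (that is what the obfuscation in the first answer is trying to survive), and one that strips script tags defeats this entirely, so treat it as a speed bump for lazy clones rather than a control.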
In a Mac Mail rule, I am trying to run a JavaScript instead of an AppleScript. This has been asked in Mail Rules using JavaScript for Automation instead of AppleScript but the answer is not working for me!
I have tried to simplify the code as much as I can. So, the following AppleScript works fine:
on perform mail action with messages theMessages
say "running!"
end perform mail action with messages
but the equivalent JavaScript is not working.
function performMailActionWithMessages(messages) {
    var app = Application.currentApplication()
    app.includeStandardAdditions = true
    app.say("running")
}
Edit
Here are my rule parameters
I do it without getting app. Try something like…
// ObjC.import('Cocoa')
ObjC.import('stdlib')
var program = "/usr/bin/say"
function performMailActionWithMessages(messages) {
    say("running")
}
function say(what){
    // Single-quote the argument and escape embedded single quotes, so text that
    // came from a mail message cannot break out of the quotes and run as shell
    var quoted = "'" + String(what).replace(/'/g, "'\\''") + "'"
    var command = program + " " + quoted
    console.log(command)
    $.system(command)
}
I’m not sure you need cocoa. You probably need stdlib.
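The answer builds a shell command by string concatenation and hands it to $.system, which runs it through a shell. That is fine for a literal such as "running", but the natural next step in a Mail rule is to speak the subject or sender, and then the text is attacker-controlled. The block below is an added example (not the answer's code) of POSIX single-quoting for that case, with a constructed hostile subject to show what naive concatenation would have produced; it is plain JavaScript so it runs under Node, and the same two functions can be pasted into the JXA script unchanged.

```javascript
// Added example: build the `say` command line so that message text is passed
// as one literal argument. Not code from the original answer.
const PROGRAM = '/usr/bin/say';   // same path as in the answer

// POSIX single-quoting: inside '...' every character is literal except the
// quote itself, which is written as '\'' (close quote, escaped quote, reopen).
function shellQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Command line where the user-controlled text is a single quoted word, so
// metacharacters in it (; | $ ` etc.) reach `say` as data, not the shell.
function buildSayCommand(text, voice) {
  return PROGRAM + (voice ? ' -v ' + shellQuote(voice) : '') + ' ' + shellQuote(text);
}

// The answer's original concatenation, kept only to compare the two outputs.
function naiveSayCommand(text) {
  return PROGRAM + " '" + text + "'";
}

// Constructed sample: a mail subject crafted to break out of naive quoting
// (assumption: not a real message).
const HOSTILE_SUBJECT = "Invoice'; rm -rf ~; echo '";

console.log(naiveSayCommand(HOSTILE_SUBJECT));  // the rm would run
console.log(buildSayCommand(HOSTILE_SUBJECT));  // the whole subject is spoken
```

Quoting keeps the text as a single argv word, but a shell is still involved; if the environment offers a way to launch the program with an argument array and no shell, that removes the quoting problem altogether instead of managing it.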
I have been trying to create a bookmarklet to run quick JavaScript, and am having trouble doing so. I have tried
javascript:var runjs = prompt("Enter JS:");function runjs() {runjs};
It seems you want to do the following:
javascript:eval(prompt("Enter JS:"));
This will evaluate (run) the code entered in the prompt.
As per the comment:
javascript:try{eval(prompt("Enter JS:"));}catch(e){alert(e);}
This will catch most (?) errors.
Facebook application, how to check if inside Facebook canvas / standalone using PHP?
This question is an exact duplicate of the above question, but the solution for the above methods doesn't seem to work now; any updates? And regarding the HTTP_REFERER header, I found some problems in Firefox. Any other hacks?
Being passed a valid signed_request might be one way to test this...
Only your application with its APP_SECRET will be able to decode that signed_request, so it is unlikely that someone would be able to spoof a valid signed_request. If they are able to do that, then they have pretty much bypassed Facebook security.
If they managed to do that, then maybe they deserve to be able to use your application outside of Facebook ;)
I just do this ($this <--- is a Facebook SDK object):
$this->signedRequest = $this->getSignedRequest();
if(!$this->signedRequest){
show_404();
}
Try this:
public static function referrerIsFacebookCanvasApp() {
    // Direct visits carry no Referer at all; treat a missing header as "not canvas"
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if (stripos($referer, "apps.facebook.com") === false || strpos($referer, "facebook.com/l.php?u=") !== false) {
        return false;
    }
    return true;
}