Website script injection scan [closed] - javascript

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)?
Update: found what I was looking for - http://sucuri.net/

It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which is good and bad javascript, or you need to configure this scanner which can be long and tricky).
There is a real-time open source solution called ModSecurity on the server side. It is a web application firewall: it can detect specific patterns in requests and/or responses. It works on Apache as a module. This is mainly a production solution, and does not detect injection during development. Furthermore, you need some experience to tune it (what is good and wrong in the data exchanges with our clients), which can be tricky, and it does not protect against new attacks or more intelligent attacks (re-encoding characters, for instance).
By the way, another solution is to use Content Security Policy but it is not available in all browsers (well, no one at the present time, wait for Firefox 4 ;-).
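The "test every URL and check the reply" approach from this answer, narrowed to something tunable: instead of guessing which JavaScript is bad, compare every `<script>` on a fetched page against a baseline of what is supposed to be there. This is an added example, not part of the original answer; the host names, the baseline contents and the sample page are constructed, and the regex extraction is a simplification that a real HTML parser should replace.

```javascript
const { createHash } = require("node:crypto");

// Hash inline script bodies so the baseline does not have to store the code itself.
const sha256 = (text) => createHash("sha256").update(text.trim()).digest("hex");

// Returns one finding per <script> element the baseline does not account for.
function auditScripts(html, pageUrl, baseline) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      // Resolve relative and protocol-relative URLs against the page itself.
      try { host = new URL(raw, pageUrl).host; } catch { host = "(unparseable)"; }
      if (!baseline.hosts.has(host)) findings.push({ kind: "external", detail: raw });
    } else if (m[2].trim() && !baseline.inlineHashes.has(sha256(m[2]))) {
      findings.push({ kind: "inline", detail: m[2].trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed baseline: hosts allowed to serve scripts, plus known inline snippets.
const BASELINE = {
  hosts: new Set(["www.example.com", "cdn.example.com"]),
  inlineHashes: new Set([sha256("initMenu();")]),
};

// Constructed page: three expected scripts and two that are not in the baseline.
const SAMPLE_PAGE = `<html><head>
<script src="/js/app.js"></script>
<script>initMenu();</script>
<script src="//cdn.example.com/lib.js"></script>
<script src="http://unknown-host.invalid/x.js"></script>
<script>var injected = 1;</script>
</head><body></body></html>`;

for (const f of auditScripts(SAMPLE_PAGE, "https://www.example.com/index.html", BASELINE)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run this against pages as served to a fresh client, not only against files on disk, since injected markup can be added at response time.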

You can't.
Because a bad script will always be able to rewrite/neutralize your scanner function when it arrives on the browser. And your server doesn't have any control of what happens in your page anymore.
There is a simple way to protect your page from injection: place all the untrusted content using an iframe pointing to a different subdomain or port on your server.
You get the Same Origin Policy that sandboxes the iframe and prevents access to resources of the parent page.
Then you may want to communicate safely between the iframes and the main page. If you target modern browsers or mobiles you can use window.postMessage to send string messages.
For older browsers, there are some tricks; here is a blog post with a solution.
This does not protect you against cross site scripting, but this is another issue you can solve with a secret token in the parent page.
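The parent-page side of the iframe plus `window.postMessage` setup described in this answer, as an added example that is not part of the original post. The widget origin, the `PAGE_TOKEN` variable, the `widget` element id and the `{token, type, height}` message shape are all assumptions made for illustration.

```javascript
// Hypothetical origin of the subdomain that hosts the untrusted iframe content.
const WIDGET_ORIGIN = "https://widgets.example.com";

// Builds a "message" event handler that only acts on well-formed messages
// from the expected origin that carry the per-page secret token.
function makeReceiver(expectedOrigin, sessionToken, onResize) {
  return function receive(event) {
    // 1. Exact origin comparison; substring or endsWith checks can be fooled.
    if (event.origin !== expectedOrigin) return "rejected: origin";
    // 2. Messages are strings: bound the size and parse, never eval.
    if (typeof event.data !== "string" || event.data.length > 1024) return "rejected: format";
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return "rejected: json"; }
    if (msg === null || typeof msg !== "object") return "rejected: shape";
    // 3. Secret token issued by the parent page (assumed to be handed to the frame).
    if (msg.token !== sessionToken) return "rejected: token";
    // 4. Allow-list the message types and validate every value before use.
    if (msg.type !== "resize") return "rejected: type";
    if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > 5000) {
      return "rejected: value";
    }
    onResize(msg.height);
    return "accepted";
  };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== "undefined") {
  const receive = makeReceiver(WIDGET_ORIGIN, window.PAGE_TOKEN, (h) => {
    document.getElementById("widget").style.height = h + "px";
  });
  window.addEventListener("message", receive);
}
```

When the parent replies to the frame, it should pass `WIDGET_ORIGIN` as the target origin argument of `postMessage` rather than `"*"`.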

The StopBadware group offers a free scanning service. Google and Mozilla rely on this service for their "this site may harm your computer" warnings.
The scanning service is available here:
http://www.stopbadware.org/home/reportsearch
Details on protecting your website are here:
http://www.stopbadware.org/home/security

Related

How to validate javascript and html code? [closed]

In our application, end users are provided with a textbox where they can paste their HTML or JavaScript code to create an advertisement, much like Google advertisements, so I need to validate this HTML and JS source code against malicious code and also for proper syntax.
So are there any APIs available in Java to do the same?
Thanks in advance
Ali.
Validating JS client-side is only useful to your nice users - since malicious users can bypass any client-side validation code anyway (by messing with the JS that is supposed to do the validation).
Validating JS server-side to look for "maliciousness" is, in the general sense, impossible unless you have a very restrictive white-list to check against. It is better to execute things in a sandbox that protects against bad things, and avoid validation (= checking for validity in advance of execution) altogether.
So, JavaScript Sandboxes. The most used is probably Google Caja - also protects against bad html/css. Sandboxing is not easy - in particular, Caja needs a server-side part to "cajole" the files and protect the host page; and any parts of the host-page outside the cajoled div need to be identified up-front.
See also some alternatives from another SO question. Note that many of them do not allow DOM access from protected code, and are therefore not useful for JS that actually has to show things on screen.
You can find a lot of sources on the Internet if you search it. Here are a few: Java Encoder Project and Java HTML Sanitizer. I've never used them, but it's a starting point. You can learn a lot if you do the research yourself.
Edit: It's unclear if you're looking for a Java API or a JavaScript API. They're quite different.

Script automatically generated in my <head> tag [closed]

A script has been appearing at the end of my <head> tag. It was generated in ALL files.
This caused my site to be blocked as it was treated as malware. Please help!
I'm sorry, but this script isn't being automatically generated. You have been hacked, my friend.
This happened to one of my test web host accounts once, and with a bit of google-fu I learned that it's a fairly common result of the account having been hacked or otherwise compromised.
In my case, it was ads. In your case, it sounds like whoever got access to your site is using it to distribute some nasty stuff.
You should consult your web hosting company about what you should do and what they can do to help, but at the very least you should:
Take your site down immediately. Stop serving as a malware distribution hub. You're almost certainly losing more visitors by being on the naughty list than you are by having the site return 404s for a while.
Find the source of the intrusion and fix it so it doesn't happen again. Your most likely attack vector is a script/module/other component that bears a known exploit. Your web host may be able to help you here.
Change all of your account passwords associated with that website, including any shell, ftp, database, email, and anything else you have set up. Assume these passwords are in someone's list now.
For that matter, start using a password manager if you aren't already; that's probably what got you in trouble. Sharing passwords between sites is a good way to get owned.
Start looking for a backup that doesn't have the malicious script tag additions and restore to it.
Follow the links in the malware warnings to get your site off the lists once you've fixed the problem.
Good luck!

Is it ok to split a web site in two portion? [closed]

I am developing a social network. This network requires its content to be easily readable by Google. At the same time, I want to give a perfect user experience with full AJAX support. As you know, AJAX and Google are not good friends (as far as I know). I thought of a solution that splits the web site into 2 sets of views on the same URL (for all of the site's URLs):
Authenticated users.
Unauthenticated users.
As you would expect, authenticated users will get full AJAX support and an excellent user experience. And when Google's bots come to my social network as an unauthenticated user, they can easily read all the content (of course, no AJAX any more).
On the other hand, I know that there is a technique called Hijaxing. But it seems hard to implement for the whole site.
I am gonna use
1. Asp.net mvc 3,
2. jQuery
What do you think, what should I do? Thank you :)
It is possible to make AJAX content crawlable by Google. See here for how to do it.
My recommendation is to create a Google-friendly home page (non-authenticated users) and once a user is logged in, you can use all the ajax-javascript you want.
Don't worry about the private sections (Google bots cannot enter there), but for public sections you'll need to take care of writing unobtrusive JavaScript (jQuery helps a lot with this). Try to open the page with JavaScript disabled in your browser; if you can read the important keywords, Google will as well.
Also, Google bots can point to #hashed urls. Google Ajax Crawling gives you more information on this.
Good luck, your "social network" will be a very very complex project. Much more than you can imagine.
Google has a guide that you can use to expose your AJAX content to its crawlers. You can find it here : http://code.google.com/web/ajaxcrawling/docs/getting-started.html
Ideally, you'd be making a fully functional site that doesn't require AJAX to work. But this may not always be possible or desired with modern web applications.
Also, I'd assume that Authenticated and Unauthenticated users would have a different experience in any case? If yours is a social network, most of your content would be behind a privacy wall (unless it's mostly open). If it's all open, I'd suggest that you use those guidelines to expose the content rather than building two sites.

Is it possible to interact with Gmail using AJAX (Javascript)? [closed]

I would like to build my own interface for Gmail, by programmatically interacting with the actual Gmail service and piping all requests on my service to Gmail itself.
The user would have to login to his or her gmail account, after which my app needs to be able to interact with the gmail service.
Is there an API available for Javascript that would allow me to do this?
Any other related feedback is appreciated as well. Thanks.
Update: one site that might have done what I am trying to do would be otherinbox.com, unless they proxy all e-mail through their own servers (this is something I do not wish to do, as I want people to interact with gmail directly through a Javascript API).
If you can do everything you want as a browser plugin on top of Gmail, by monitoring and observing what goes on, you might want to take a look at this. It won't quite do what you're asking for, but it gets you somewhere along the path.
Gmailr
Unfortunately, you're probably going to need a server. Even if you could work around the cross-domain issues, Gmail's interface is basically built dynamically with JavaScript when the page loads. So the JavaScript function names will be changing on you literally all the time.
Just about everybody doing anything like what you're describing (we provide an alternative interface to Gmail as well at emailga) has gone this route. I know the OtherInbox guys as well, and they have a server component that uses the IMAP interface to do most of their magic.
I think you need to create a custom mail server which can connect to Gmail via POP3 or IMAP or SMTP.
On the other hand, I am sure that AJAX requests cannot be cross-domain requests, but PHP can do this. So you need a PHP file which accesses Gmail through pop3|imap|smtp or ajax. But JavaScript alone can't do that.
Please look at Gmail API.
I think you can work with it, although, I haven't investigated it in depth.
hope it helps.

Looking for resources to explain a security risk [closed]

I have a developer who has given users the ability to download a zip archive which contains an HTML document which references a relative JavaScript file and Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site; however, the end user appears to want to view it locally.
When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.
I believe this is a security risk because one is transferring from the local computer zone to an external zone.
I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability.
The developer attempted to explain how to copy the files to a local IIS instance, which I highly doubt is running on the user's machine, and I do not consider this to be a viable explanation.
I don't think this is an issue. Being able to go in the opposite direction, that is execute script originating from a Remote zone to the local zone is called "Cross Zone Scripting". In fact the most recent 0-day against IE uses cross zone scripting to get remote code execution.
If you look at the restrictions for Adobe Air you can see that it's less restrictive than the Same Origin Policy when it comes to accessing remote resources. I cannot think of a scenario in which this would be valuable to an attacker, especially when compared to other locally run code, such as an executable written in C++.
Would this be useful? It seems to imply that when it blocks local content, the user gets a notification as such, but it sounds like it's just failing silently.
