Looking for resources to explain a security risk [closed] - javascript

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
I have a developer who has given users the ability to download a zip archive which contains an HTML document that references a relative JavaScript file and a Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site; however, the end user appears to want to view it locally.
When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.
I believe this is a security risk because one is transferring from the local computer zone to an external zone.
I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability.
The developer attempted to explain how to copy the files to a local iis instance, which I highly doubt is running on the users machine, and I do not consider this to be a viable explanation.

I don't think this is an issue. Being able to go in the opposite direction, that is execute script originating from a Remote zone to the local zone is called "Cross Zone Scripting". In fact the most recent 0-day against IE uses cross zone scripting to get remote code execution.
If you look at the restrictions for Adobe AIR you can see that it's less restrictive than the Same Origin Policy when it comes to accessing remote resources. I cannot think of a scenario in which this would be valuable to an attacker, especially when comparing to other locally run code, such as an executable written in C++.

Would this be useful? It seems to imply that when it blocks local content, the user gets a notification as such, but it sounds like it's just failing silently.

How to validate javascript and html code? [closed]

Closed 6 years ago.
In our application end users are provided with a textbox where they can paste their HTML or JavaScript code to create an advertisement, much like Google advertisements, so I need to validate this HTML and JS source code against malicious code and also for proper syntax.
So are there any APIs available in Java to do the same?
Thanks in advance
Ali.
Validating JS client-side is only useful to your nice users - since malicious users can bypass any client-side validation code anyway (by messing with the JS that is supposed to do the validation).
Validating JS server-side to look for "maliciousness" is, in the general sense, impossible unless you have a very restrictive white-list to check against. It is better to execute things in a sandbox that protects against bad things, and avoid validation (= checking for validity in advance of execution) altogether.
So, JavaScript Sandboxes. The most used is probably Google Caja - also protects against bad html/css. Sandboxing is not easy - in particular, Caja needs a server-side part to "cajole" the files and protect the host page; and any parts of the host-page outside the cajoled div need to be identified up-front.
See also some alternatives from another SO question. Note that many of them do not allow DOM access from protected code, and are therefore not useful for JS that actually has to show things on screen.
You can find a lot of sources on the Internet if you search it. Here are a few: Java Encoder Project and Java HTML Sanitizer. I've never used them, but it's a starting point. You can learn a lot if you do the research yourself.
Edit: It's unclear if you're looking for a Java API or a JavaScript API. They're quite different.

Is it possible to do simple decryption in a web browser using JavaScript? [closed]

Closed 7 years ago.
As part of a small neighborhood scavenger hunt game I want to make some very simple HTML tables and hyperlinks available via the internet, but I want to make sure the data isn't viewable until a password is entered. The password isn't for security but rather a fun way to let the person know whether they have the answer to a question correct (the site won't decrypt unless they answered a question correctly). At the same time I don't want some clever kid to just view the page source and see the password in plain text somewhere in the page.
My idea is for the html file to contain a “blob” of previously encrypted data and some unencrypted JavaScript which can decode the encrypted blob when the correct “password” is entered. I want all the decryption to occur in the browser and the webserver will have no idea whether or not the correct password is entered. Is this even possible? If so, can someone give a high level process or point me to an example of how to do this? What JavaScript libraries should I use? Thanks in advance.
Yes, it is possible to do decryption in a browser. There are javascript libraries that can be used that will implement common crypto algorithms.
The challenge in a client-only encryption operation is that nothing in your Javascript code is a secret. Everything is known and available to anyone who wants to look. So, you can't securely store an encryption or decryption key in your Javascript. Without a secure key, all you'd really have is obscuration which is not to be confused with security. Obscuration just makes the code harder to read, but any determined hacker will eventually be able to figure out the content (it is not cryptographically secure).
Sometimes, obscuration can meet your needs by just raising the snooping bar high enough that it won't be worth the effort. But, it is very, very important to realize that obscuration is not real security. It's kind of like building the fence just a little higher, but the front door is still not locked. Any determined person will just climb over the higher fence and then they can walk right in the front door.
Without a doubt, the usual way to solve this is to involve a server in the operation and have the server check credentials and only offer questions or answers when the client has met the necessary conditions. Since the server can have secure storage, it can store answers or passwords or any other secrets and only reveal new content when appropriate conditions have been met by the client.

Script automatically generated in my <head> tag [closed]

This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
A script has been appearing at the end of my <head> tag. It was generated in ALL files.
This caused my site to be blocked as it was treated as malware. Please help!
I'm sorry, but this script isn't being automatically generated. You have been hacked, my friend.
This happened to one of my test web host accounts once, and with a bit of google-fu I learned that it's a fairly common result of the account having been hacked or otherwise compromised.
In my case, it was ads. In your case, it sounds like whoever got access to your site is using it to distribute some nasty stuff.
You should consult your web hosting company about what you should do and what they can do to help, but at the very least you should:
Take your site down immediately. Stop serving as a malware distribution hub. You're almost certainly losing more visitors by being on the naughty list than you are by having the site return 404s for a while.
Find the source of the intrusion and fix it so it doesn't happen again. Your most likely attack vector is a script/module/other component that bears a known exploit. Your web host may be able to help you here.
Change all of your account passwords associated with that website, including any shell, ftp, database, email, and anything else you have set up. Assume these passwords are in someone's list now.
For that matter, start using a password manager if you aren't already; that's probably what got you in trouble. Sharing passwords between sites is a good way to get owned.
Start looking for a backup that doesn't have the malicious script tag additions and restore to it.
Follow the links in the malware warnings to get your site off the lists once you've fixed the problem.
Good luck!

What extra power do addons/extensions have? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
Compared to scripts within a page, what extra powers do addons/extensions have? They are essentially scripts, so what makes them so special? Besides being static, having buttons on the toolbar, and being able to see the locations of other tabs, what extra functionality do they provide over scripts on a page?
Scripts on a website are generally sandboxed and are limited in what they can do (for security). In contrast, extensions can live outside of the sandbox and interact more with the browser and system. For example, some extensions can manipulate browser history, browser preferences, intercept and modify pages, access your clipboard, or even execute arbitrary code on the system. Taking a look at the Chrome extensions permissions warnings can give you a pretty good idea of what Chrome extensions can do (and which most scripts can't). Also check out the chrome.* APIs which extensions have access to.
It depends on the browser.
For example, in Firefox an extension can open a file on your filesystem, write arbitrary bytes to it, then run the file as an executable. Or put another way, it can do anything Firefox itself (or more generally, any program run by the user running Firefox) can do.
An extension is always around and theoretically works on every site (or on no site at all), while a script within a page only exists within that page. So unless you're talking about a VERY specific function/script only for a specific site, addons are more "available".

Website script injection scan [closed]

Closed 4 years ago.
Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)?
Update: found what I was looking for - http://sucuri.net/
It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which is good and bad javascript, or you need to configure this scanner which can be long and tricky).
There is a realtime open source solution called mod_security on the server side. It is a web application firewall: it can detect specific patterns in requests and/or responses. It works on Apache as a module. This is mainly a production solution, and does not detect injection during development. Furthermore, you need some experience to tune it (what is good and wrong in the data exchanges with your clients), which can be tricky, and it does not protect against new attacks or more intelligent attacks (re-encoding characters, for instance).
By the way, another solution is to use Content Security Policy, but it is not available in all browsers (well, none at the present time; wait for Firefox 4 ;-).
You can't.
Because a bad script will always be able to rewrite/neutralize your scanner function when it arrives on the browser. And your server doesn't have any control of what happens in your page anymore.
There is a simple way to protect your page from injection: place all the untrusted content using an iframe pointing on a different subdomain or port on your server.
You get the Same Origin Policy that sandboxes the iframe and prevents access to resources of the parent page.
Then you may want to communicate safely between the iframes and the main page. If you target modern browsers or mobiles you can use window.postMessage to send string messages.
For older browsers there are some tricks; here is a blog post with a solution.
This does not protect you against cross site scripting, but this is another issue you can solve with a secret token in the parent page.
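The iframe-plus-postMessage setup described in the answer above, as an added example that is not the answer's own code: the host page embeds the untrusted ad markup from a separate origin and accepts only string messages whose origin and shape it expects. The two origin names and the message types are assumptions.

```javascript
// Added example, not from the answer. Origins are assumed placeholder values.
const AD_ORIGIN = 'https://ads-sandbox.example.com';   // separate origin for untrusted ads
const HOST_ORIGIN = 'https://www.example.com';         // the parent page's origin

// The only messages the host is willing to act on.
const ALLOWED_TYPES = new Set(['resize', 'click']);

// Pure validation so it can be tested without a DOM. Returns the accepted message
// or null. Origin is checked first; then the message must be a JSON string of a
// known type, and any value the host will use is range-checked.
function acceptAdMessage(event) {
  if (event.origin !== AD_ORIGIN) return null;             // not our ad frame
  let msg;
  try { msg = typeof event.data === 'string' ? JSON.parse(event.data) : null; }
  catch (e) { return null; }                               // not our string protocol
  if (!msg || !ALLOWED_TYPES.has(msg.type)) return null;
  if (msg.type === 'resize') {
    const h = Number(msg.height);
    if (!Number.isInteger(h) || h < 0 || h > 1200) return null; // keep the frame from taking over the page
    return { type: 'resize', height: h };
  }
  return { type: 'click' };   // the host decides what a click does; no URL is taken from the frame
}

// Host side (browser only): mount the frame and wire the listener.
function mountAdFrame(container) {
  const frame = document.createElement('iframe');
  frame.src = AD_ORIGIN + '/ad.html';   // cross-origin, so the SOP isolates it from the host DOM
  container.appendChild(frame);
  window.addEventListener('message', (event) => {
    const msg = acceptAdMessage(event);
    if (!msg) return;
    if (msg.type === 'resize') frame.style.height = msg.height + 'px';
  });
  return frame;
}

// Ad-frame side: always name the host origin; never post to '*'.
function sendToHost(type, fields) {
  window.parent.postMessage(JSON.stringify(Object.assign({ type }, fields)), HOST_ORIGIN);
}
```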
The StopBadware group offers a free scanning service. Google and Mozilla rely on this service for their "this site may harm your computer" warnings.
The scanning service is available here:
http://www.stopbadware.org/home/reportsearch
Details on protecting your website are here:
http://www.stopbadware.org/home/security
