Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)? Update: found what I was looking for - http://sucuri.net/ ...
I have an http window which opens a secure popup to submit a form to a third party web site. After the popup is closed, I would like to reload the opener so that it reflects the results of the form submission. Since the opener and the popup use different protocols (http and https), I can't do it in the straightforward way (window.opener...
It seems like the point of window.postMessage is to allow safe communication between windows/frames hosted on different domains, but it doesn't actually seem to allow that in Chrome. Here's the scenario: Embed an <iframe> (with a src on domain B*) in a page on domain A The <iframe> ends up being mostly a <script> tag, at the end of...
We recently had a website hacked, where some PHP code was injected into the index.php file that looked something like: eval (gzinflate(base64_decode('s127ezsS/...bA236UA1'))); The code was causing another php file (cnfg.php) to be included, which was causing some pharmaceutical-related spam to be displayed (but only visible to googleb...
Hi, I'm developing a JavaScript API service. Main html page looks like this: <html> <head> <script type="text/javascript" src="scripts/logic.js"></script> <script type="text/javascript" src="scripts/jquery-1..."></script> <script type="text/javascript" src="http://mydomain/api/main.js"></script> </head> ... </html> In t...
We're building an app, our first using Rails 3, and we're having to build I18n in from the outset. Being perfectionists, we want real typography to be used in our views: dashes, curled quotes, ellipses et al. This means in our locales/xx.yml files we have two choices: Use real UTF-8 characters inline. Should work, but hard to type, a...
Hello I'm using visual studio 2008 with asp.net mvc 2. I need anti xss library to santitize an input which is generated by rich text editor (lightweight RTE). I want to use AntiXss.GetSafeHtmlFragment(input); function. the problem is that VS 2008 crashes after I reference anti xss dll (it works fine in the first time but than it crashe...
It turns out the following which looks like valid javascript, is not: <html> <body> <script> json = {test: "</script><script>alert('hello');</script>"}; </script> </body> </html> The same text, when returned JSON via an ajax api works just as expected. However when rendered in-line results in a basic XSS issues. Given an arbitrar...
In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top level array: http://www.microsoftpdc.com/2009/FT12 What is the risk of an unwrapped top level array? How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have ex...
Hi, I was unable to find a solution to the following problem: I want to display any website in an iframe and add elements (divs) to this iframe. Due to the cross-scripting prevention in the browser this seems to be not possible. Is there any way to do this? ...
Recently a client was concerned that their SWF was "insecure" because the XML path was coming from Flashvars. This seems to me to be something that isn't really a concern as the SWF is only displaying images / text and a few button links. I can understand how someone could path to the swf and add a remote XML path in to add javascript to...
and does it worth the efforts? ...
I am working on implementing a JavaScript web bug that will be inserted into our client's web pages. One of the features our clients would like, is a way to pass pieces of the HTML on their web pages to our server through the web bug. We are using JSONP and the server that is hosting the JavaScript web bug is different than the server ho...
Wikipedia provides information about one of the most common scenarios for exploiting a reflected cross site scripting attack - using some degree of social engineering to induce unsuspecting users to click a malicious link: Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with ...
Im just wondering, would the following be completely safe or would someone be able to get around it using hexadecimal characters, etc: $name = mysql_real_escape_string(htmlentities(stripslashes($_REQUEST['name']))); $query ="SELECT * FROM Games WHERE name LIKE '%{$name}%'"; Thanks. I know I can use PEAR and other libraries to make pr...
I made a website using the famous symfony framework. I wanted to add rich editing feature to it. And I found TinyMCE editor. But there comed a problem: how about the user embed some javascript code into the content? such as alert('hello world'). I tested wordpress, which is a very famous blog software. It faces the same problem. example...
Like a lot of developers, I want to make JavaScript served up by Server "A" talk to a web service on Server "B" but am stymied by the current incarnation of same origin policy. The most secure means of overcoming this (that I can find) is a server script that sits on Server "A" and acts as a proxy between it and "B". But if I want to dep...
I want to allow user contributed Javascript in areas of my website. Is this completely insane? Are there any Javascript sanitizer scripts or good regex patterns out there to scan for alerts, iframes, remote script includes and other malicious Javascript? Should this process be manually authorized (by a human checking the Javascript)...
Hi guys, I'm using Rails 3. I want to display generated html fragment inside erb template <%= "<div>Foo Bar</div>" %> Rails encodes div tags. If I'm correct in Rails 2 <%=h cause encoding. Seems that it was changed in Rails 3. How can insert html fragment without encoding in Rails 3? Regards, Alexey. ...
Is there a way I can grab an external lobby/game and then inject it into my div? The casinos give me just a link to work with I have tried Iframe and javascript resizing I need the casino lobbies/flash games to always be 542pxwide and 407px height but I'm having great difficulty getting them to resize. Can anyone help? A friend mentio...