HTML Injection And DIV's
Jan 20, 2010
I'm diong a little rummaging around for a nearby school who said they are having a bit of trobule with their digital library system. I was recommended and said I would take an initial look at the system. Mind you if you know about infosec than this is grey box testing.
THe application I'm focusing on is alexandria v5.5.67 which is a library management and interface tool. I've found a number of pretty serious XSS and even SQLinjection errors in their coding. I believe these are new and I've reproted them to Alexandria but the problem lies within me fixing this.
I was able to give a proof of concept test on URL piping commands with the python used to drive it and a proof of concept for the login system using their poorly coded perl. I'm having a bit of trouble and I'm a little new to this. I'm attempting to do a proof of concept on their main page using their search function. I've already exploited using a basic
What I"m trying to do is actually edit the elements of a div container on the page. I've never actually used DIV's with javascript or any scripting for that matter other than Server side includes in PHP, but thats not client side and I don't know much about Javascript. What I'm looking to do is change or alter the content of a particular div, its not necessarily a div but rather a class. I'm having trouble even using javscript URL commands to get the contents of a particular Div to display.
View 2 Replies
ADVERTISEMENT
Sep 4, 2010
So what happens is that I have a page that uses a Javascript tab navigation div, named 'Tabber', working perfectly. Basically it picks up HTML tags with a specific classname and after the page is loaded it creates a small portion of HTML to create the desired effect. The problem is that it only does it after the page is loaded, which I am fine with it, but before that, the contents of that same div (that come from a SQL query) are not formated and the page just breaks apart untill the document is fully loaded (my current workaround is an overflow:hidden but...it is still ugly to watch), and only then it adjusts itself due to the right CSS propreties.
Now, it would be great if I could just have a loading icon showing up inside the div while the page is not loaded, so I can manage to hide that Javascript HTML injection process.
View 1 Replies
View Related
Oct 28, 2006
I've read enough about email validation to know that the only real validation is having a user respond to a confirmation message you've sent them. However, I want to store the address temporarily, so I want to make sure what is entered is safe to work with.
I have a basic understanding of regexps, so I could write one that checks for a simple
format like: something followed by @ followed by something followed by
.. followed by something. I can also make a good guess at understanding
the regexps I come across in validation schemes people have posted.
However, each scheme that is posted seems to get criticized for
invalidating some esoteric, but valid, addresses.
I'm wondering if there is a minimum validation you can do that will
prevent basic attacks like sql injection attacks. For example, if I
weed out anything with single and double quotes, and semicolons, am I
barring some people unnecessarily? Seems like you'd be trying to mess
with people by putting a semicolon in your email address.
View 7 Replies
View Related
Jan 21, 2010
I've implemented jQuery within a web application where a very large number of DOM elements, comments in this case, are injected post-load by a 'Show all' button. Returned via JSON is a HTML string of <li> elements, to be injected into a pre-existing <ul> element. I'm looking to make this more efficient, as reading various sites I've been led to believe that wrapping new elements in a parent wrapper node before injecting would yield the best speed. Here, however, I'm injecting into an <ul> element that already has elements in, so can't wrap it.
What's the most efficient way of tackling this?
a) Wrap them in an element, inject, then unwrap and move into the target?
b) Clone the existing <ul>, add the elements in-memory and then replace in the DOM with the consolidated version
View 5 Replies
View Related
Dec 16, 2009
In Chrome, the login page on my schools educational online platform [URL] doesn't remember the login info. So i made a bookmark with this javascript injection, that fills in the info, and focusses on the 'aanmelden' button (='login' in dutch), so that i only have to press enter to continue. Here's the javascript injection:
Code:
javascript: document.getElementById('username').value='23889493984';document.getElementById('password').value='4 42384985';return false;document.getElementById('login').focus();
This works fine but i'd like to make it happen faster. I wish i could let the script be activated instantly when the page loads, so i only have to press enter, or if possible, let the script click the login button itself.
View 6 Replies
View Related
Aug 6, 2009
if i have a java interface on a website and that interface contains a box where a user enters a string and then submits it. If I wanted to rapidly submit strings from a list I had (in a text file say), how would I go about doing this?
I have looked at the source code for the interface but I don't really know java that well. There must be a way to "connect" to the interface and rapidly submit strings.
View 4 Replies
View Related
Jun 6, 2009
i want to ask that is it possible that using javascript injection the contents of a web page can be altered (add / edit / deleted) in Line of Code.Since, this has happened with me couple of times,talking to the support team at my hosting provider, they say that its due to the security holes in the Coding, but i think that its the security issue at the hosting side (since modifying the web pages code)i've found this code immediately after the opening of the body tagearlier the page snoofing for the above URL was working, but now its not producing the output. (so can not post whats inside it).My Another website (hosted by the same provider) is also infected. there the code immediately after the body tag is again the page snoofing yeilds no output with the error
View 6 Replies
View Related
Jun 19, 2009
The client we're building a site for recently had a server wide scan done by [UR] for PCI compliance. This was required by their banks commercial credit card service. The report came back with a "Possible blind sql injection" vulnerability warning level 4 out of 7 for the Superfish menu javascript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?
View 4 Replies
View Related
Aug 25, 2010
I'm building a webpage using javascript and iframes. Basically I have an iframe in the middle of the index.html page that links to another html page (let's call it iframe.html). My question is, is it possible to call a javascript function from iframe.html to control an object on index.html? If so, how do I do this? I'd like to be able to assign an image in iframe.html with the hyperlink of href="javascript:function()", where the function effects the CSS of a div on index.html.
View 2 Replies
View Related
May 16, 2010
I have a web site which main page is index2.html I need a script that when I refresh the page it takes me to index3.html or index#.html in a random fashion. the list of index numbers is 10 so far.
index3
index4
index5
etc etc
View 2 Replies
View Related
Jul 16, 2010
I came across a very odd browser behavior when trying to modify a css class using javascript and at the same time having a base html statement in my html file.Without the base html statement, all browsers work fine and I can change the css class definition using javascript easily.With a base html statement, only FireFox still works while Internet Explorer and Google Chrome dont work anymore. If there is a cross-domain issue, while one browser does work and the others dont? An example of what I'm talking about, with the base statement:
http://freebsdcluster.org/~casaschi/tmp/example-base.html
Without the base statement:
http://freebsdcluster.org/~casaschi/tmp/example-nobase.html
how to tweak the code in the case with the base html statement in order for the javascript to work with all browser (modifying the class definition) ?I want to be able to manipulare css classes with javascript when a base html statement is in my html code.This is essentially the code:
<!--
-->
<base href='http://www.google.com'>
<style id='myStyle' type='text/css'>[code]....
View 10 Replies
View Related
Dec 28, 2010
It appears that .html() is somehow messing up reading the contents of a div.Here is my php code which loads into the div.
$own_pre_selection .= "<input name='" . mysql_result($result,$i,"did") . "' value='" . mysql_result($result,$i,"did") . "' type='hidden'><span class='addremove' onclick="recordchecks('" . mysql_result($result,$i,"dname") . "','" . mysql_result($result,$i,"did") . "')";><u>Remove</u></span> " . mysql_result($result,$i,"dname") . "<br>";
Here is what I see as source code after the page renders.
<input name='677' value='677' type='hidden'><span class='addremove' onclick="recordchecks('Heart Neoplasms','677')";><u>Remove</u></span> Heart Neoplasms<br><input name='1298' value='1298' type='hidden'><span class='addremove' onclick="recordchecks('Heart Septal Defects; Atrial','1298')";><u>Remove</u></span> Heart Septal Defects; Atrial<br></div>
When I test alert() the .html() contents it appears like this. It seems to screw up the quote escape and changes " to " ;="" after the recordchecks().[code]...
So even though the source code looks perfect, if I alert() the div contents with html() it seems to get a bit garbled in the process.
View 2 Replies
View Related
Feb 6, 2011
I would like to ask how do I get the value from a textbox from form.html which contains my iframe and copy the value into another page, test.html ?
View 2 Replies
View Related
Dec 28, 2010
I tried to load 1 html through ajax and javascript and it worked.But i want to load more than one and i cant.I thought that it would be a good idea to put the ajax files to the external websites and put the same load button.I tried this idea but it doesn work.I can only load one external website.
View 2 Replies
View Related
Jul 3, 2011
I have a file that generates web galleries in Adobe Lightroom. They are generated depending on which files are selected and the metadata in those files.
Basically it is a series of pages of thumbnails called index.html index_1.html index_2.html etc.
Then a set of pages for each individual image.
An example can be seen here: [url](the page navigation links are not great, but I have addressed that, they're at the bottom >> )
Currently if a user clicks on a photo there is a 'return to thumbnails button at the top, but this always takes them to /index.html
So the user could be at a picture after browsing to /index_39.html and still get returned to /index
Is there any way I can use history.go to find the last instance of index.html Or index_x.html (where x is any number) and take them back to that instead?
View 1 Replies
View Related
Jul 23, 2005
Is there a way to remove text portion from the HTML keeping the HTML
Tags using the browser, say javascript RegEx or something ?
I have seen lot of examples removing HTML tags to get the text but how
the reverse of it?
View 2 Replies
View Related
Jan 2, 2006
Im wondering if generating html objects such as tabels and rows in
javascript is faster than typing the html directly? Seems when you do
it in javascript you have to download alot of code and would slow down
displaying the page. while if you just type the html, it requires less
bandwidth and display faster?
is parsing html to display in browser slower than doing it through dom
to display the same html objects on the page?
View 1 Replies
View Related
Apr 20, 2011
.change() is only for form elements minus check boxes/radio buttons, etc.Are any of you aware of a script that does this already? Hopefully one that is easy to implement.I just want to monitor things like height, number of inner elements, or any change in the inner HTML.
View 1 Replies
View Related
Jan 18, 2011
I have been trying to get the html returned by a php script to display under a simple form.It only displays the first line. It's my fist stab at this so please forgive my ignorance.Here's the relevant code snippet:
$.ajax({
url: "form_submit.php",
type: "GET",
[code]....
View 1 Replies
View Related
Jul 28, 2011
I want to change the content of different div's using .html(). The change should be done by clicking on the inner element of the container. The content of the clicked container should be changed with the first container. My problem is, that the following code does the change, but only once. After every div has changed one time, no more reaction is shown.
<script type="text/javascript">
View 1 Replies
View Related
Aug 20, 2009
Via ajax, data equals <h1>Special</h1>
Code JavaScript:
function searchReplaceAndDisplay(data) {
data.replace('<','<');
data.replace('>','>');
$('#modal').append(data);
}
$.get('getSpecialsHtml.aspx', searchReplaceAndDisplay);
Right now #modal displays <h1>Special</h1>, as plain text.
How can I get #modal to display 'Special' marked up as an h1 element instead of text?
View 1 Replies
View Related
May 11, 2010
Just wondering - is there some trick that allows this to be done of which I am not aware? Specifically, I would like to use XPath to query the _current_ HTML document in IE.
View 2 Replies
View Related
May 1, 2010
html() with FFOX returns html with quotes (which is standards) but when used with IE (9) it returns html without quotes. class='myCLass' vs. class=myClass. This is a problem because I want to feed that html to the TCPDF jQuery plugin and the plugin wants 'good' html.
View 1 Replies
View Related
Jul 16, 2009
I need to get all the TABLE HTML code within the <body> tag for a content-generating application. I'm trying to use the html() method, but it only gets the inner HTML. I also tried clone(), but does the same thing. Or maybe I'm using it wrong.
Here's an example to clarify what I wanted to do:
Input
Output
jQuery Code
View 4 Replies
View Related
Feb 7, 2011
I have this normal HTML page, starts with <!DOCTYPE ...... and end with </html>, nothing special, what I need is to get every character from the beginning to the end.I've tried $("html").html(), but this cannot get the <!DOCTYPE line and also the <html> line, but only the codes inside the <html> tag, how can I get all ?
View 1 Replies
View Related
Jul 14, 2010
I would like to use JS to grab all images and make them links.
<img class="GrabMe" src="./X.jpg" alt="Alternate Text"/> into
<a rel="Image" href="./X.jpg" title="Alternate Text"><imgclass="GrabMe"src="./X.jpg" alt="Alternate Text"/> </a>
how to do this for every img.GrabMe? I really don't understand how to wrap a tag with another tag.
View 2 Replies
View Related
