AIUI, it was not all that long ago when the threat to personal users
was attachments that, when executed, compromised machines with keyloggers,
trojans, etc.
Now it seems that the big problem is reading a webpage or an HTML e-mail
and getting affected through the scripting. My understanding is that
the script downloads the malicious program from the web and sets it to
run on start up through the start-up folder or in the registry.
I don't know much about this; can someone suggest a good web site to
start learning a bit more about these threats? I have googled, but I am
not quite sure of the best search terms, and since there is so much
information out there, a site that experienced people endorse would be a
lot of help.
In particular, it seems as if JavaScript downloading a trojan without
the user clicking an attachment is a big problem.
So today I have discovered some malicious JavaScript code inserted into a bunch of my pages on a webserver. Access to these pages through FTP is granted to 3 people, myself, my boss, and a contract programmer. Unfortunately, the FTP server wasn't set to log, so I can't tell for sure if it was the programmer, but my assumption and suspicion is that it was him.
This code was inserted at the bottom of multiple pages. I can't make heads or tails of it, but it cannot be good, whatever it is. When I view the page that it was on, I noticed the web browser connecting to [url]. Browsing to this page takes you to some foreign hosting site. Googling superseasilver.ru only provides a page that has this address listed in a blacklist.
I have a website that allows users to enter complex mathematical formulas into a text field and evaluates them.
I am currently using eval() because it not only can handle all the standard mathematical functions, but also gives them access to the Math object. That way the users can use functions such as Math.max() and everything else.
I realize, though, that using eval is evil, I assume because a malicious user might throw in some more damaging javascript that would be run without checking it. (That's why eval is evil, right?)
Is there a way that I can allow my users to construct complex mathematical formulas and use the Math object (or an equivalent) without potentially opening my site up to harm?
Can a plugin stop some malicious scripts from being executed?
Say, I have my plugin installed in my browser. Can this plugin go through the HTML content of the site and stop the execution of ActiveX, action scripts, Flash, PDF, anything like that?
I would like to know how to write javascript such that a part of it isn't considered as script, & rather as HTML. Code:
Ok, the layer div can be written using document.write. But the Google ad itself is a javascript, isn't it? How can it be written into this? How does this work?
This article was just published on [URL].. As I read it this is about a new twist to an old issue. (see excerpts below)
1 - I thought JavaScript was in a "sandbox" and prevented inappropriate access to the local machine. Is this no longer true?
2 - More to the point: Can or are any modifications to JavaScript be done by the JavaScript development team... whoever that is (Oracle?)... to fix whatever JavaScript vulnerabilities are being exploited?
3 - Are there other defenses for the client machine other than those mentioned in the excerpt below? (Turn off JavaScript in their browsers, etc.)
4 - If there is no vigorous response to this by the JavaScript development team, how can we continue to create apps with JavaScript, as such will encourage people to simply turn off JavaScript in their browsers and that will encourage other web developers to simply not use JavaScript on their sites?
5 - Is Oracle the "owner" or "keeper" of javascript? I looked on the Oracle Forums and saw no forum for javascript. If not Oracle who is addressing issues like these?
Article Excerpts: More recently still, the spammers started embedding the JavaScript inside the HTML file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan.
"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen. The only defenses against this sort of attack are either for it to be filtered at the gateway so it never reaches the user, or for the user to disable JavaScript in their browser. Security software on the PC might catch the exploit.
End Excerpt.
I am working on a piece of code for an academic experiment and it puzzled me for days, any help?
I use javascript to sort a table in an html page. Basically, a user can click on any attribute and the javascript code will rank the contents of the table based on that attribute. This is done.
Now I want to record the click information into an access database. Basically, whenever the user clicks an attribute, I want to use asp code to insert the click information (userid, attribute_clicked) into an access database.
My current solution is use window.open in javascript and in the open function, I insert the url of the asp. something like this:
I have copied from a site a javascript code for my web site to create a pop up. This works fine on older versions of browsers but not the most recent. Whilst I have been searching for some new code to replace the old code I have also learnt that the javascript will not always work as it may not be enabled.
Therefore, does anyone have some code that I could copy that will work fine on all browsers and if the javascript is not enabled?
I am looking at doing an asp.net web-page in VB code with java-script as well. I want to pull the information from the database (SQL server or Access) and then feed that information to my java-script code. Is that the way to do it or can you do Access or SQL in java-script pretty easily?
First part I'm banging my head against the wall on is about the amounts of the Amount fields along the right to automatically equal the PETTY CASH SUB-TOTAL field. So, the amount in this PETTY CASH SUB-TOTAL field comes up automatically. Also, I need to have the amount in the TOTAL AMOUNT field come up automatically as being the sum of the PETTY CASH SUB-TOTAL and the PER DIEM SUB-TOTAL fields. Please see the following as an HTML document to see what I'm talking about......
I need to add some javascript code block dynamically to a web page. I looked into the various postings at various groups but none seems to be solving my problem.
Among the approaches suggested first one is to create a script element and set its properties (src etc) and then adding this script element to the head element.
This works well for dynamically including the files. But in my case I do not have any files but am generating the content dynamically, which should be available to other javascript functions in the page. The script that I need to add dynamically is given Code:
Is an index page. I have javascripts to open up submenus. But there are quite a lot of them, all similar. Is there a way to unify all that javascript into a single function?
Should I code for users without javascript? I don't know of anybody who doesn't have javascript turned on, but I have seen stats that say users without javascript run as high as 10%. I went to music.yahoo.com, I saw that they didn't code for no-javascript users, leading me to believe the no-javascript is a highly rare group.
Can anyone give me the code or point me in the direction of a simple javascript certificate maker so that users can input their name and date so as to use on my site?
As we all know, JavaScript is client side and php is server side (the php code is 'allowed' to do stuff on the server that JavaScript cannot). The problem with php is that it times out after a while (and the user also has no clue as to what is going on for a long time).
I need to run a script on the server that could take a very long time.
So what I was thinking is mixing both JavaScript and PHP Something like,
<script>
var endvalue = 1000; /* some number that the server can calculate quickly */
var i = 0;
while (i <= endvalue) {
  /* call a php file that will do some work: somefunction.php?someNumber=i */
  i++; // advance the counter so the loop terminates
}
</script>
That way the server does the work, while the client keeps it going. Ideally I would also get a return value/string from the php script.
I have seen quite a few code generators over time where you are presented with a form, you fill in the various fields in the form, and then click a Generate Code button, and the results show up in a textarea.
The code is then copied from the textarea and pasted into notepad or directly into an HTML document.
So, you may have some code that you want to generate that looks like this:
In this particular case there is 1 .js file that goes to the root of the site that requires no editing.
Then there is 1 .css file that may require changes depending on user preferences. Things like margin, width, height, border and so on.
Then there is a section that goes into the Head of the document that requires no changes.
Then there is something like this that would go inside a division: <a href="address to a page" target="an iframe name"><img src="path to thumbnails/thumbnail name" border="1"></a> Note that the above code has variables that would change based on user preferences. The way the code is presently structured it is not done as an array; however, this would substantially shorten the code depending on how many thumbnails are in it.
And finally there is another iframe section that would go inside a couple of a division. It relates to a second iframe.
Before I go any further with this, I just wanted to know if it's possible to do with javascript or is it best to do in another language.
The variables don't have to be kept in a database. What I am thinking is that the user would simply open up the HTML page, enter the data, generate the code, copy/paste and test, without closing the page. If there is a problem, he/she would simply go back in and change a variable or 2 and re-generate the code.
I have some code, using all the DOM documentation in the developer.mozilla.org website. For some reason it's only working in the newest Firefox 2 versions, and not 1.5.0.x
I'm having a hard time finding any documentation of what's not supported.
Can you guys help me? Here are the functions I'm calling:
getRangeAt();
range.collapsed
document.createElement("div");
range.cloneContents();
element.appendChild(clone);
document.getElementById("divid");
Do you think it's createElement div? Maybe I can't create a div element?
I'm trying to load an ASP recordset into a javascript array via an ASP array. The way I've been attempting to do it is by having ASP "Response.Write()" the javascript code that builds the javascript array. It ALMOST works :rolleyes:
The problem I'm having is that the ASP writes the different javascript lines as one long line (ie. no carriage returns). Therefore, the javascript lines are not recognized. When I take the source code and manually separate the lines produced...then when I run the modified source, it works fine. Code:
Q: I have a pretty big html page - about 1,500 lines of code, 1,000 of which is javascript. (It's also referencing other javascript code, perhaps another 2,000 lines or so).
When I boot up the page in a fresh browser, it invariably crashes; the page just hangs. But, after killing the browser, and opening it up in a new one, the page seems to run fine. Is there some sort of javascript code limit that a web page / browser can handle...? Anyone know if there's a way to get around this? [Did I misread the problem? I'm pretty sure my code is fine.] Code: