Question

I don't know if it's possible to prevent the injection of a JavaScript reference file script into a web page, but I have seen sites that prevent you from running functions within the injected JavaScript reference file script unless it's JavaScript the page registers. For example, I was able to inject 10 different jQuery scripts (with different versions) with different prefixes into Google Mail, but they do an excellent job of preventing you from executing certain jQuery commands. There are a few that you can do, but only getting data (not setting data), like $jquery171('html').html() (which is simply viewing the source for a page) for example. How can I prevent other scripts from running in my web page like they do in Google Mail? Has anyone done this before?


Solution

The vulnerability you are talking about is known as Cross-site Scripting; XSS for short. OWASP's top ten project will also introduce you to other common attacks that you should be aware of as a web application developer.

To protect your own code against XSS, you must never print user-submitted data to the output HTML page as provided. You must encode the data in a context-dependent way, based on where in the HTML structure you are printing the user data. Be aware that all data that does not come from your own program should be treated as untrusted; that includes HTTP headers, the URL, cookies, form POST data, and data from "outside" systems like databases.

See the XSS Prevention cheat sheet to get a good understanding of the basic principles of output encoding for HTML output.

Whether you think you are being malicious or not, what you are doing against Google is illegal. You are effectively performing [partial] penetration testing to ascertain the vulnerability of their code to XSS. Whilst GMail may not mind this sort of thing too much (they have to deal with malicious spam HTML emails, of course), owners of some other websites most certainly do; people have been arrested and charged in the US for doing far less than what you have described.

Develop your own site to test against. You will not have permission to test the security of someone else's. Consider looking at projects like WebGoat and Gruyere to give you an environment that you are legally allowed to attack.

Licensed under: CC-BY-SA with attribution