What is javascript injection? and how it could be use in Software testing?
https://stackoverflow.com/questions/9987248
-
28-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
I don't have any idea regarding javascript injection. Is it similar to SQL Injection?
And how to use javascript injection in software Testing?
Soluzione
JS injection is running javascript from the client-side invoked by the client. You can do it in a browser or in console like in chrome. In testing it can be helpful because you can interact with live web apps without having to rewrite, recompile, and retest. It can also be quite useful in hacking by altering webpages while you are on them, i.e. making a weak password validation script always return true granting you logon access. In chrome, press ctrl+shift+j and go to console. There you can play around with some javascript and see how it is for yourself. Other browsers use the url bar like:
javascript:alert(some element = some val)
Altri suggerimenti
XSS is usually the attack to read up on when one talks about javascript injection. Basically you load malicious javascript into a web page that can be later used for phishing.
I don't think there are great javascript tools that can uncover XSS vulnerabilities. When it comes to security it still needs a person (preferably security expert) to come up with testing possibly with the help of tools.
While most of the people here reffer to client side javascript injection (aka cross-site scripting)
The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (a reflected or non-persistent XSS vulnerability).
Wikipedia
with the rise of NoSQL we have a new kind of injections -- serverside javascript injection SSJS which in some sense very similar to SQL injections. Consider to look at this paper (pdf!) that describes both of them.
You could be referring to how you can open up any web page's javascript in a console like firebug and overwrite the functions defined there. by doing that and adding additional code (or removing) you can output data that is supposed to be "encapsulated" in closures... it really can go much further than that, though.
in some browsers you can even do this in the url bar if you don't mind writing in one single line
NOTE: cross site scripting which is something i totally forgot about until nonnb mentioned it. haha duuuhhh
