Information Security

Questions tagged [javascript]

The common name for the language used primarily for scripting in web browsers. It is not related to the Java language. Standardized as ECMAScript, its dialects/implementations include JavaScript and JScript.

1 vote
1 answer
115 views

JavaScript Control Over New Tab and SOP Behavior

I’d like to ask for some advice regarding controlling a newly opened browser tab using JavaScript. Here’s the situation: I have my own website hosted at my.site.com, which includes a link to a ...
1 vote
0 answers
122 views

XSS javascript does not execute (bug bounty)

I am doing a bug bounty and I found an XSS injection point. However, most tags are filtered and I have been getting no results in executing JS. I can do whatever HTML I want, though; here are some ...
0 votes
1 answer
271 views

How to securely load user generated JavaScript code from IFrame into my website?

Before I start, I have found a few related references to this question, but they are not answered previously or are about a slightly different scenario to mine. I have the following need. I need a way ...
4 votes
1 answer
403 views

How to generate a p12 with javascript generated key pair and server side internal CA

I'm working on a client-certificate based authentication of users for a website. The server configuration part is OK (Apache server, keywords: SSLCACertificateFile / SSLVerifyDepth / SSLVerifyClient ...
2 votes
1 answer
354 views

How to create a PDF payload?

Several questions here "hint" at PDF capabilities (executing JS code, exfiltrating/probing network, etc.). But if I want to create one PDF that will trigger my internal phishing test URL, how ...
gcb
  • 343
0 votes
0 answers
72 views

Prototype pollution in non-recursive merge function

In many guides regarding prototype pollution, "merge" functions are listed as potentially vulnerable. But I'm somewhat confused on how this should actually work if a merge function is not ...
cis
  • 337
3 votes
0 answers
3k views

Is it safe to use Internet Archive following its cyber-attack?

This is a follow-up to a question regarding recent Internet Archive hacking. Website web.archive.org was restored in a readonly mode but is it safe to use it? Looking at the brief disclosure of the ...
Alex
  • 233
2 votes
1 answer
173 views

Why is Google’s JavaScript Accessing 224.32.32.0/24 from the Browser?

I noticed a suspicious network error while trying to enter my credit card information on a page under console.cloud.google.com/billing. The network error indicated that a GET request to https://224.32....
4 votes
2 answers
4k views

Why should an attacker perform a clickjacking attack when they can simulate the click with JavaScript?

What's the reason why an attacker should choose to perform a clickjacking attack? If they create a malicious website, they could just perform the action automatically, they don't need to "trick&...
1 vote
0 answers
195 views

WordPress Site Hacked to redirect stripe.js offsite for credit card skimming - Can't Find The Source

We are experiencing an issue on our WordPress site running WooCommerce, for the second time this year where a hacker is injecting some kind of script that is redirecting the stripe.js code from its ...
0 votes
1 answer
275 views

Predicting math.random after math.floor

I know math.random() in javascript can be predicted if you know the exact outputs of it, but if I only know what it gives after doing math.floor(100 / (1.0001 - Math.random())), how would I use this ...
4 votes
0 answers
85 views

XSS with failing method in the injected DOM within onclick

If I have a DOM XSS such as <button type="button" data-dismiss="modal" onclick="Register.search('{INJECTION_PAYLOAD}');"> Search </button> Where I could ...
joFriedley
1 vote
0 answers
105 views

How to launch XSS code from an INPUT tag?

I have a website with the following code: <input class="Header--search--form-input" name="search" value="&quot; onfocus=&quot;alert(1)&quot; autofocus=&quot;...
6 votes
3 answers
2k views

What are the next layers of defence against cookie stealing if GET parameter is vulnerable to XSS and there is no HttpOnly flag in a website?

If a GET parameter in a website is vulnerable to XSS and the user input is reflected without any change or escaping or filtering and also HttpOnly is not set for session cookie, is stealing the cookie ...
fed
  • 71
5 votes
1 answer
2k views

What is the term for when a hyperlink maliciously opens different URL from URL displayed when hovered over?

Is there a term for when an anchor tag opens a different URL than its href or performs some action such as showing a pop-up instead of opening expected URL? Excluding non-malicious cases such as a ...
user43117
