-
May 7th, 2003, 02:17 PM
#1
Member
javascript:()
First of all, don't confuse with this onClick stuff, it has nothing to do with <script>.
I want to know how to use javascript in this way:
javascript:alert(blah)
that works in this:
[img]javascript:alert(gg)[/img]
So I don't wanna use <script> stuff, I need to know how to move someone's location using the above method, I'd guess it'd be something like:
javascript:document.window=www.blah.com
but it isn't.
If you know what I'm talking about (javascript being executed within a link (and not onClick)) then please tell me how.
-
May 7th, 2003, 02:25 PM
#2
And why would you be trying to do that? Are you trying to avoid someone's filtering of <script>?
You probably want something like window.open... but I am hesitant to say anything more without you saying why you are wanting to avoid the <script> and what you are trying to accomplish...
A good reference for many things: http://devedge.netscape.com/
A good reference for javascript is from : http://devedge.netscape.com/central/javascript/
Gives very good index of all javascript commands, what they do, what args they expect, etc.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
May 7th, 2003, 02:51 PM
#3
Member
Because I have a user system in PHP, and a friend exploited it by making you go to his site when you viewed his profile. He said he used javascript: things, but he won't tell me any more, so now I want to pay him back.
-
May 7th, 2003, 03:15 PM
#4
He probably used XSS (Cross Site Scripting) to exploit your pages.
Go to http://www.cgisecurity.com/articles/xss-faq.shtml and learn what it is and how to prevent it.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 7th, 2003, 03:19 PM
#5
Member
Yeah I know it's XSS, hence the JS.
I've been going to that site for a while, the admin knows his stuff about web security, he's a friend of a friend.
-
May 22nd, 2003, 08:35 AM
#6
Junior Member
Most websites filter "javascript".
-
May 25th, 2003, 03:56 PM
#7
Junior Member
I've heard a lot about XSS and it's kind of weird 'coz I thought it's CSS. It's gaining popularity among hackers for creating holes in government and commercial establishments.
-
May 25th, 2003, 07:25 PM
#8
Member
That's because XSS is a very easy way to manipulate pages, either changing them, or accessing data you aren't supposed to.
sectac
The Hack Back Revolution
irc.dal.net:#guesswhatyourhacked
-
May 25th, 2003, 11:13 PM
#9
I think so far most of us have underestimated how hard it is to actually exploit an XSS and gain some information from another user.
Yes, it is easy to prove that an XSS does exist: "<script>alert('hello')</script>" will prove that. However, it is much more complex to actually put an XSS vulnerability to work. The main problem faced, once you have extracted the information you require (let's say a cookie), is how the attacker passes the information on to themselves so they can read it.
Even if they manage to get the information, there is still the code on the site with the XSS linking back to them, so it is very hard and complex to get away with.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
May 26th, 2003, 04:46 AM
#10
Well, it's relatively easy to steal a session id from a cookie and have it sent to a netcat listener (for example) with a document.location redirect with the session id as parameter... The netcat listener can be on a compromised "third party" and forward the info without any log of it...
Of course, this would be on a site *completely* vulnerable to XSS, without any input filtering at all... Having even only *some* filtering can make such attacks much more difficult...
Ammo
Credit travels up, blame travels down -- The Boss
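Added example, not part of the thread and not any poster's code: a sketch of the input filtering the replies recommend for a profile field that accepts `[img]` tags. Instead of searching for the word "javascript", it HTML-escapes all text and only turns an `[img]` tag into markup when the URL parses with an http or https scheme. The function names and sample URLs are hypothetical.

```javascript
// Added example: helper names are hypothetical, sample inputs are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode the characters that can break out of HTML text or attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Return the normalized absolute URL, or null if it is not http(s).
function safeImageUrl(raw) {
  let url;
  try {
    url = new URL(raw); // no base given: relative or schemeless input throws
  } catch {
    return null;
  }
  // Allowlist on the parsed scheme, not a substring search of the raw input.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render user-supplied profile text: everything is escaped, and only
// [img] tags with an allowed URL become <img> elements.
function renderProfile(text) {
  const IMG = /\[img\]([\s\S]*?)\[\/img\]/gi;
  let out = "";
  let last = 0;
  for (const m of text.matchAll(IMG)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = safeImageUrl(m[1]);
    out += url !== null
      ? `<img src="${escapeHtml(url)}" alt="">` // parser's normalized form
      : escapeHtml(m[0]);                        // rejected: shown as plain text
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```

The emitted `src` is the URL parser's normalized `href`, not the raw string the user typed, so the browser sees the same value the check was made on.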