javascript injection

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by DanCardin on Fri Aug 19, 2011 11:32 am

I may be being dense, but
javascript:alert('Alert box!');
does not work for me in Firefox, but it works in Chrome and such. Any idea why?


Re: javascript injection

Post by mShred on Fri Aug 19, 2011 3:37 pm

You updated to Firefox 6, huh? Yeah I decided to test the beta out. And when I initially read this, I said to myself, 'he must be doing something wrong.' So I then tried it. javascript:alert('hey'); Huh that's weird, now I must be doing something wrong. Opened Internet Explorer, copy pasted, boom. Pop up box saying hey. WTF. After a little Googling, I came across this.
MozillaFuckTards wrote:For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however.

Damn. I used to be completely in love with Firefox. But I've seriously updated it like eight times this summer. And well I lose more and more addons with each update along with shit like this. I suppose me and Firefox are just growing apart..
Mozilla, fuck you.

For those about to rock.
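
The Mozilla note quoted in the post above says javascript: and data: URIs keep working as before when page script uses them, so that is the path a site still has to filter. The following is an added example, not code from the thread or from Mozilla: a scheme allowlist for link targets, runnable in Node.js. The function name and the base origin are assumptions made for the illustration.

```javascript
// Added example: allowlist the scheme of a link target before page script
// assigns it to href, src or location.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Constructed placeholder origin, used only to resolve relative links.
const BASE = 'https://forum.example/';

function classifyLinkTarget(raw, base = BASE) {
  let url;
  try {
    // The WHATWG URL parser trims leading/trailing spaces and control
    // characters and drops tabs/newlines anywhere in the input, so
    // " java\nscript:" is parsed the same way a browser would parse it.
    url = new URL(String(raw), base);
  } catch (err) {
    return { allowed: false, scheme: null, reason: 'unparseable' };
  }
  const scheme = url.protocol; // normalised to lowercase, includes ':'
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { allowed: false, scheme, reason: 'scheme not allowlisted' };
  }
  return { allowed: true, scheme, href: url.href };
}

// Constructed sample inputs: what user-supplied link fields might contain.
const SAMPLES = [
  "javascript:alert('hey');",
  "JaVaScRiPt:alert('hey');",
  " \tjava\nscript:alert('hey');",
  'data:text/html,<b>hi</b>',
  '/viewtopic.php?t=1',
  '//cdn.example/logo.png',
  'https://example.org/page',
];

// Returns only the targets that are safe to place in a link.
function allowedTargets(inputs) {
  return inputs.map((s) => classifyLinkTarget(s))
               .filter((r) => r.allowed)
               .map((r) => r.href);
}

console.log(allowedTargets(SAMPLES));
```

Comparing the parsed scheme rather than string-matching the raw input is what catches the mixed-case and whitespace-split variants.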


Re: javascript injection

Post by centip3de on Fri Aug 19, 2011 5:20 pm

mShred wrote:You updated to Firefox 6, huh? Yeah I decided to test the beta out. And when I initially read this, I said to myself, 'he must be doing something wrong.' So I then tried it. javascript:alert('hey'); Huh that's weird, now I must be doing something wrong. Opened Internet Explorer, copy pasted, boom. Pop up box saying hey. WTF. After a little Googling, I came across this.
MozillaFuckTards wrote:For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however.

Damn. I used to be completely in love with Firefox. But I've seriously updated it like eight times this summer. And well I lose more and more addons with each update along with shit like this. I suppose me and Firefox are just growing apart..
Mozilla, fuck you.


Chrome for the win!
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: javascript injection

Post by jgreen45 on Sat Aug 20, 2011 1:02 pm

centip3de wrote:
mShred wrote:You updated to Firefox 6, huh? Yeah I decided to test the beta out. And when I initially read this, I said to myself, 'he must be doing something wrong.' So I then tried it. javascript:alert('hey'); Huh that's weird, now I must be doing something wrong. Opened Internet Explorer, copy pasted, boom. Pop up box saying hey. WTF. After a little Googling, I came across this.
MozillaFuckTards wrote:For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however.

Damn. I used to be completely in love with Firefox. But I've seriously updated it like eight times this summer. And well I lose more and more addons with each update along with shit like this. I suppose me and Firefox are just growing apart..
Mozilla, fuck you.


Chrome for the win!


Hissssss :evil:
I can't come to bed...
Someone is WRONG on the internet


http://xkcd.com/386/


Re: javascript injection

Post by DanCardin on Sat Aug 20, 2011 4:53 pm

I mean I rather dislike the fact that now, I must open another browser to do this, but in terms of your losing addons: addon compatibility reporter shall fix that problem.


Re: javascript injection

Post by mShred on Sat Aug 20, 2011 5:05 pm

DanCardin wrote:I mean I rather dislike the fact that now, I must open another browser to do this, but in terms of your losing addons: addon compatibility reporter shall fix that problem.

Not always, although that does work for some.


Re: javascript injection

Post by Phantom Wolf on Sat Aug 20, 2011 5:39 pm

mShred wrote:You updated to Firefox 6, huh? Yeah I decided to test the beta out. And when I initially read this, I said to myself, 'he must be doing something wrong.' So I then tried it. javascript:alert('hey'); Huh that's weird, now I must be doing something wrong. Opened Internet Explorer, copy pasted, boom. Pop up box saying hey. WTF. After a little Googling, I came across this.
MozillaFuckTards wrote:For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however.

Damn. I used to be completely in love with Firefox. But I've seriously updated it like eight times this summer. And well I lose more and more addons with each update along with shit like this. I suppose me and Firefox are just growing apart..
Mozilla, fuck you.

People say you can still use the console for all your JS injection needs.

The updates have been confusing me. Firefox 3 was around for a long time before 4 came out. It seems 4 has only been around a short time, and they're already on 6? As for your addons problem, you can modify the addon so it thinks it's compatible with 5 or 6; it works more than you'd expect.

I dislike Chrome for two reasons: It doesn't ship with Slackware, and there aren't any Tamper Data-like addons (I've read that it isn't possible).
"Well it isn't my fault. I shouldn't have been allowed to do something to crash it." "No, you shouldn't have been allowed to buy a computer in the first place"


Re: javascript injection

Post by centip3de on Sat Aug 20, 2011 11:01 pm

Phantom Wolf wrote:
mShred wrote:You updated to Firefox 6, huh? Yeah I decided to test the beta out. And when I initially read this, I said to myself, 'he must be doing something wrong.' So I then tried it. javascript:alert('hey'); Huh that's weird, now I must be doing something wrong. Opened Internet Explorer, copy pasted, boom. Pop up box saying hey. WTF. After a little Googling, I came across this.
MozillaFuckTards wrote:For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however.

Damn. I used to be completely in love with Firefox. But I've seriously updated it like eight times this summer. And well I lose more and more addons with each update along with shit like this. I suppose me and Firefox are just growing apart..
Mozilla, fuck you.

People say you can still use the console for all your JS injection needs.

The updates have been confusing me. Firefox 3 was around for a long time before 4 came out. It seems 4 has only been around a short time, and they're already on 6? As for your addons problem, you can modify the addon so it thinks it's compatible with 5 or 6; it works more than you'd expect.

I dislike Chrome for two reasons: It doesn't ship with Slackware, and there aren't any Tamper Data-like addons (I've read that it isn't possible).


I'm actually using a version of Tamper Data on my Chrome....


Re: javascript injection

Post by Phantom Wolf on Sun Aug 21, 2011 1:05 am

centip3de wrote:I'm actually using a version of Tamper Data on my Chrome....

Really? They must've changed things. Before, I read that addons couldn't modify headers in Chrome


Re: javascript injection

Post by centip3de on Sun Aug 21, 2011 2:47 am

Phantom Wolf wrote:
centip3de wrote:I'm actually using a version of Tamper Data on my Chrome....

Really? They must've changed things. Before, I read that addons couldn't modify headers in Chrome


Look up 'Request Maker' ... I don't think it's the same thing as before, but from what I've read it's pretty darn close...

