Downloading excel files from MS Planner trough a script - javascript

So I have to automate a process that downloads an excel file from Microsofts Planner website.
I have tried doing this 3 Different ways and have always hit a dead end. The only solution that seems to work is a script that imitates keypresses but is considered "bad practice" at my workplace.
First was obviously to use Microsoft Graph. It doesn't work because it would have to request for permissions from our companys MS ADMIN every time it makes an request. So thats a no go.
Edit: As #Crowcoder tried to anwser the post, his solution does not work. For it to work we would have to register into Azure Active Directory and we currently don't use it. (We use the MS local AD).
Then I have tried using GnuWin32 (Wget for windows). Doesn't work as it requires you to login 2 times and you can only put in creditentials once (Or maybe you can ? -> Couldn't figure out how).
After that I have tried to use the command for powershell. That comes close but also requires me to login with a popup.
Edit: Here we see the anwser from #lit which does not fit either. I have tried the solution and it promts a Google chrome alert login, and then also the MS Planner login (but you can put your creditentials only once as shown in the code below this).
Export-PlannerUserContent -UserAadIdOrPrincipalName -username -ExportDirectory "C:\pathToExport"
And for the end part the only solution that seems to work is the last one where I imitate keyboard presses to download the file. How the program runs:
Open up chrome(With a shortcut to MS planner website)
imitate keyboard presses to open DEV Console (ctrl+shift+J)
Imitate keyboard so that imputs text(Javascript) to click the login into planner (if it exists, if not the function returns an error and skips this part)
Imitate keyboard so that it inputs JS function that finds the necesary button and opens/presses the download button.
after that it selects the 2nd pland and downloads it aswell (Same imitation of a keyboard textinput).
While this solution is the only one that "Works" I have been told that I should find a different solution as the keyboard simulator is not a viable solution for our company because of strict policies we have. Another reason why it cannot be used is because im trying to make this script run on our server with a service account that has no GUI. So I hit some sort of a dead end there as well.
EDIT: So What i'm trying to do here is implement a "headless" chrome that would do what it does now but can't seem to find a break trough.
So my question is does anybody have any tips, pointers or suggestions for improving the existing solutions or creating alternative ones that would be more appropriate.
Would love to hear your opinions on what I should research or do.
I would also like to note that most API Calls don't work without heavy proxy configuration which I would like to avoid if possible.

Related

Can a browser's dev console continue executing JavaSript after a new page loads?

I'm trying to automate some online work through JavaScript and the Firefox (or Chrome) dev console. The work is mostly inputting the same (or similar) data on the same exact pages for many many people.
Example:
unique id
date 1 and 2
some more numbers
I wrote a very simple script that runs in the console and enters the data just fine.
The Problem
My script stops execution whenever it requires the page to reload or it loads another page. I cannot find any information on how to continue executing a script after a page has loaded.
My Limitations
I'm basically limited to what's on FireFox, Chrome, or Edge. Unfortunately, I cannot download any programs or tools that would make the automation any easier right now. Otherwise, I would just use Selenium and Python.
What I've Tried
First I tried to use the script that I describe above (simple DOM manipulation)
Then I tried to use the Selenium browser add-on, but I had to enter a starting URL for it to run. Selenium was not able to get past the login page of our system which is the only static URL that I can use as a starting point.
I then tried to use the Firefox Browser Console (different from the dev console) because the documentation seemed to suggest that I can use JavaScript on the entire browser (not just one tab). Unfortunately, I cannot find any helpful information on how to use the browser console for DOM manipulation. Everything that I search for points to how you create a browser extension, add-on, or how to use JavaScript on your own website.
What I Want To Do
I want to create a script that runs in a dev console. The script should take all of the data either from a separate page or an array then enter the data on each page for each person. I'll also have it prompt the user to verify the data before submission.
What I'm Looking For
What I'm hoping to get from this question is at least one three things.
An answer to the question's title.
Being directed to documentation or some other solution that can solve any of the above problems.
Being told if this is impossible and why by those who have more experience than me (I don't understand if the problem is just a lack of knowledge or limitations on the tools themselves.)
I think you can create a chrome extension and put your code in the background service worker. or use workers read this link

OWASP ZAP Not receiving Alerts for subsequent active scan

I have been using ZAP to find any final kinks for a website I'm working on. Everything is working great except for I've noticed that there are no alerts being logged in the ZAP gui when I run an active scan following a passive spider.
The initial passive scan for a new session logs alerts just fine but I'd really like to see the alerts from the active scan. Am I missing something? I tried restarting a new session and going straight to attacking but it's still not logging anything. Does it maybe need to finish before it starts logging the alerts? I have checked the generated html report and it doesn't indicate whether the alert was flagged by a passive or active scan so I really can't tell. I doubt there are so few vulrnabilities in my little web app.
If anyone has an idea as to what setting I'm missing or if I'm doing something wrong I'd appreciate the advice.
Ah, I think I may have found what was going on. I checked the real time scan progress and ZAP skipped many attacks because of low rule limits I set to speed up the scan.
How are you exploring your app?
The number of requests are very low, that suggests to me that you are not exploring your app effectively.
You can either explore the app manually (which proxying your browser through ZAP) or using automation via:
The standard spider (fast, but doesnt handle javascript so well)
The ajax spider (slower, but launches browsers so handled JS well)
Your own unit tests (good but only if you have some)
Have a look at you app in the Sites tree - if it doesnt appear to be showing as many pages as you expect then you need to focus on exploring your app more effectively.
The active scanner doesnt do any exploring, it only attacks the urls you've found by other means.

Protected Content - How to make the Right-Click and F12 don't work in your website?

I want to make the Right-Click don't work in my website or give a error that says: Protected Content! The reason I want to do this is because I don't want others to see my Source Code. I know that you can make the Right-Click to not work but I am not pretty sure about F12. If there is no way to make the F12 key to not work is there any way to hide the Source Code form others? I saw a similar website today. If you right click on this website you get this:
F12 works in this website but the Source Code is hidden anyway. How can I archive similar results? Thanks for your time :)
Answering the question overly honesty:
First you must avoid publishing the site on the Internet. Make it available only on your private machine(s) you have total control of. Make sure there are no USB ports exposed to users etc. Also, no internet access of any kind. They may just download some hacker tools this way. If you do not need text input, even better, keyboard can be used to type in some hacker tools as a source code and this way steal your precious sources.
Next make a custom build of a browser. You may want to use tools like Electron instead of generic browsers this way you will end with app that runs only your website and has no developers tools nor address bar nor anything other that may be used to gain access to your precious source.
Install Linux, create new user account with minimal privileges (no write access anywhere) and let it use X without any window manager. Only your electron app with your precious website and no menus that could be used to access some hacker tools like text editor that may reveal your precious source code. Also, configure the account to have complex random password so that users do not start another session in text mode and see your source code.
Remember that hackers may use means like timing attacks, side channels or other hacky means of stealing your code. To prevent that cover walls of the room you store your computer in with a metal grid to make a Faraday cage. Check all people entering and deny them bringing any electronic devices with them. Same for analog photo cameras or paper notebooks. Better safe than sorry: they may reconstruct your site source code based on how it looks like.
Or just accept the hard truth nobody cares about your website source code. There is plenty of places you may copy paste your code from and your website is not the most interesting one. And if you do that to prevent hackers, you have to write secure code (and test/audit it), not to hide it.
Short answer: Browsers, which render your website, are a client-side technology, and there is no way you can control who is going to see or not see your source code.
Long(er) answer:
Browsers download your website, together with it's source code the website onto users computer. Which means they can manipulate it however they see fit. There are some scripts that can ban right click or other types of interactions, but if you try to stop developers from inspecting code (and if they are ispecting, it's a good bet they are developers) they will find a way even if you block f12 or right click. You can always download website, use crawler, open in notepad, etc. etc.
You may want to investigate minifying and/or uglyfying HTML code, but it's no cryptography - again, if someone wants, they will find a way to undo that.
Also, I'm curious, why would you want to do that?
You can do this using window events but still there are ways to read your code.
For example fetching js without execution or disabling js in browser for a moment.
window.addEventListener('keydown', e => {
if (e.key === 'F12') // detect f12
e.preventDefault()
})
window.addEventListener('contextmenu', e => e.preventDefault())

Create 'safe' JavaScript for use on Internet Explorer

http://i.imgur.com/s4ZQI.png (Can't post image because I'm a new user)
Age old question; is there any way to make a piece of JavaScript safe to use on Internet Explorer without having the security warning popup box. The JavaScript I'm using is simply a drop-down sub-menu that appears when you hover over a link.
If it's something to do with the way the JavaScript is coded, I can link if needed.
Thanks
Assuming that your problem is caused by testing pages from your local disk (and not through some really esoteric scripting) either:
Run a web server and test your pages on that
Give your pages the mark of the web
The point being to run them in a security context that allows scripts to execute.

Norton 360 is thwarting my javascript -- what should I do?

One of my clients has Norton 360 installed on his computer, and it's interfering with the javascript in my web pages. Not all JS, just some.
Simple things like
<a href="page.html" onclick="somefunc(); return false;">
don't work. Also using jQuery to attach on onclick event to an a tag doesn't work either:
// doesn't work
$(document).ready(function() {
$("#old_trans_link").click(viewOldTrans);
});
What should I tell my client? What should I tell our users? Is there any way around this madness?
Everyone doing JS heavy pages must run into this. How do they deal with it?
Edit: He also has McAfee installed at the same time.
I've never heard of anti-virus interfering with in-browser JavaScript in that way. My best guess would be that they have their virus scanner running at a very aggressive security level.
The easiest options, in terms of amount of work required to address this issue would be:
Recommend your users lower their security settings
See if they can whitelist your site so the application will work correctly
Recommend a browser other than Internet Explorer, or suggest they install Chrome Frame
Of course, if these are not feasible options, you may have to go with a more simplistic approach to using JavaScript on your page. Instead of requiring JavaScript on the site, use it to enhance the site and make features easier to use.
To do this, you would have to make everything on your site work with JavaScript disabled. Have everything perform POSTs to the server for processing. JavaScript would sit on top of all of this to enhance the experience for users who have JavaScript working. In this scenario, things like anti-virus blocking click events on anchor links would end up with a submission to the server.
Of course, this is a lot more work on your part because it almost requires writing 2 versions of the site. This is an argument that is brought up all the time online, even when developing StackOverflow, as was discussed on their blog.
You're better off telling them to add an exception for your site.
They probably are using some sort of web shield I assume. Try asking them to add an exception to your site
Edit:Adding Link
http://www.symantec.com/norton/360
Under "Advanced Protection"
"Blocks browser, OS, and application threats; protects against infected Web sites"
So I assume there should be a way to add an exception

Categories