Can I execute JavaScript on a foreign webpage using PHP? - javascript

I want to write a PHP script which executes code on a foreign website just like using the JS-console on that webpage. I don't want the server to act like the client on that certain webpage.
To make it even more difficult, the JavaScript must be executed on a different frame (when executing the JavaScript manually I'd switch to the correct console by clicking on the specific Frame in the dropdown menu above the console (Chrome)).
If I try to do something nearly impossible here, please don't hesitate to tell me exactly that.

You should try to describe what your end goal is. You are probably going down the wrong path here. There is no way to add javascript to a page that you don't serve yourself.

If I understand what you mean (and more detail would really help here). You want to automate something that you can do manually on a browser yourself, by manually running javascript on a webpage (via the console). The only reason I can think you would want to do this is to trigger an Ajax request/API call or submit a form.
This is technically possible, but it would be better to look for an actual API that you can talk to directly; you could do this by inspecting the network tab of the developer tools, but if they don't have a public API you may have to do a fair amount to fake the request; and if anything changes on the server it could all stop working.
If they don't have an API that you can call, or if they have put measures in place. Then there is a good chance that you are trying to misuse a website; and they may well put further measures in place to stop you (this is why captchas exist).
If you can figure out the details of a request to send, then you could use CURL to make the request - this page may help: https://davidwalsh.name/curl-post
If you really still find that you need/want to actually run javascript on a remote page, then this is "browser automation", and while technically could be triggered from PHP - requires much more to make it possible. Selenium is primarily used to automate tests, but would allow you to do this: http://www.seleniumhq.org/ via JavascriptExecutor but I would recommend you do some futher searches for tutorials, as it's too large/broad to really cover here:
https://seleniumhq.github.io/selenium/docs/api/java/org/openqa/selenium/JavascriptExecutor.html

Related

How does the security in the onClick tag prevent javascript injection?

I've been thinking, how is the onClick tag secure (as well as other tags)? I mean, Anyone can put whatever javascript they want to execute when they trigger the onClick, what prevents someone from injecting malicious code?
The browser client is inherently insecure. It is a completely insecure execution environment and you cannot really secure it in any way.
The way to think about this is that you do NOT control what happens in the browser. All sorts of code can be injected, modified or run in any browser (via bookmarklets, console, direct DOM manipulation including adding arbitrary onclick handlers, proxy modification, debugging tools, etc...). So, your client is inherently insecure. Once you accept that the browser is fundamentally insecure, it's easier to understand what you need to do on your server.
That's why YOU have to validate and sanitize any results that arrive at your server from a client. You must do this on the server in order to prevent bad data from getting into your server. You must not trust that any data being sent to you is correct or valid. Instead, you must validate it completely on the server before using it.
You can almost think of it like any form submission or Ajax call or a URL with query arguments or a structured URL that your server accepts is an API call to your server and you have no idea who is using that API and whether they are using it correctly or not. Thus, you must assume nothing about the validity of the data or request as it arrives until you've checked it yourself on the server to see if everything is valid.
FYI, there are various techniques such as "data or function hiding in closures", code obscuration, etc... that make it more difficult for someone to mess with certain parts of your Javascript. But, it is important to understand that these are only temporary roadblocks to the determined or skilled hacker and do not offer actual security and should not be relied upon for security. The skilled hacker can literally replace your entire Javascript with their own modified version which pretty much means there's nothing you can do in your client-side Javascript to protect it.
Absolutely nothing prevents a client from running malicious javascript or using other developer tools. (e.g., adding form elements)
That's why it's up to you to keep your server-side scripts secure. (Sanitizing user input, etc.)
The problem is not usually whether or not a single user can run any JS in their own browser on their own computer.
The problem is when you are allowed to save that script to the database without sanitising it first and it then gets rendered on the page for everyone else to see and execute. Then, suddenly, they can execute code on other people's machines, steal their details, etc.
In other words, if you allow users to specify HTML markup in their comments, for example, and you don't search that markup for <script> tags, onclick attributes, etc and remove them before you save it to the database, then you have a potential problem. It becomes an actual problem when you fetch that saved markup from the DB and display it on the page somewhere without removing any JS-related functionality.
There is no protection. From the developer console/inspect element, you can modify the code in the tag. However, only you can see the modifications that you make in the inspect element, they aren't saved permanently. So other users who visit the site cannot see the code you entered inside of the developer console.
What prevents the people who make the page from putting malicious code into the onclick? Well, it's impossible to have truly dangerous code in javascript, the worst a website can do to a computer is crash the browser. So javascript is pretty safe.

is there way to compress javascript with my own method?

I wanna know, is there a way to compress javascript with a method that cannot be easily uncompressed by another?
I have used some tools like jscompress and other products. They're nice and useful, but they provide methods to uncompress/decode script too. The problem is other programmer or maybe hacker, can easily uncompress my script, the impact is my js ajax link, variable can be seen by the hacker. You know that what happen if they found our link. Maybe post direct value via ajax etc.
There is not a way to do this in client side javascript, it is inherently insecure. You should be using a call on your server to hide your API key.
FAQs from the w3:
http://www.w3.org/Security/faq/wwwsf2.html
If by your question you mean that you do not want the variables and Ajax links in your script to even be accessed by others ever, then you are talking about encryption, not just compression.
If the code was truly encrypted so that the Ajax links were not recoverable, the browser could not decrypt and therefore not even execute the script.
Obfuscators will make your code fairly illegible, but you are not going to be able to hide destination URLs in Ajax calls from hackers. All one needs to do is look at the browser's developer tools and watch the network calls.
It's important to design your application with the assumption that users and hackers are able to see all the JavaScript. If you can keep it secure under these conditions, that's ideal.
So if the question is just about making your code hard to read, obfuscate. But the kind of security you seem to be asking about needs to be done server side.

Why does this link to a JS file return Unauthorized, but it works in HTML?

Is it possible to not allow people view one of my website's JS file?
Demo:
http://js.maxmind.com/js/geoip.js
If you copy the URl and paste it in the browser, it will say "Unauthorized". But if you put it inside the HTML, it will do it's work.
Can I do that with my code.js file?
JavaScript is an interpreted computer programming language. It's not being compiled and it runs on the client's browser/computer, therefore, the client must see the script in order to execute it. That's why you cannot hide the code.
You can define in your server folders as restricted and that means the user can not access them directly, but when the browser loads the page it have to load all the components such as images, css files, js files etc...
If the browser can load them, it means the user can see them as well.
For example, you can also define that users are not authorized to see any .jpg files but they can easily save any image. Actually the browsers usually saves the images anyway on your local computer and cache them, so next time you load the page, it won't have to download files that weren't changed again.
As others already mentioned, trying to hide a js code is very bad practice and you need to avoid it. If you want the make the life hard for other developers that wants to copy your code you can use this site to obfuscate your js code, but remmeber, it only makes it harder to read by humans, it does not provide you any security.
First, let me explain loud and clear: that is the worst security I can imagine for what it is trying to do. It is just shouting, "HEY NOBODY LOOK AT THIS INSECURE FILE."
Your question has been viewed 41 times so far. That means up to 41 people are wondering what that mysterious does and probably half of them can find easily out. In short, don't do this.
There is no client side security. I refer you to this answer, for instance.
As for how to implement the situation, as noted in comment it's probably done by checking the referrer header. To find out fully check the request headers in the dev tools in your browser and compare to the request headers used by curl (e.g. by using a post bin).
It is not possible to not allow people to view one of your website's JS files.
To be more precise, if someone can execute your JS file, they can view it.
Although you cannot prevent a user from being able to look at your javascript you can make it extremely difficult for them to understand what they are looking at through obfuscation or minification, for the latter there are many services that will do this for you; look at this for example. As for obfuscation I don't know of any way to do it automatically but it would be a similar approach.
If you have information in the javascript that you truly cannot allow a user to see, then I would suggest moving it into the server side code and only pass to the javascript the absolute minimum. As I am not sure what you are using on the server side I cannot give you a specific example; however in the past when using MVC I achieved this by passing the values I needed either to a hidden input ( if the value needed to be posted back with a form) or through jQuery.Data

Executing code immediately after navigation: Browser plugin?

I am building a tool which uses (dynamically inserted) JavaScript to modify webpages. Any webpage.
The idea is to allow a user to use it to record a series of changes to an existing webpage like google.com, (for the sake of example suppose a change is to apply a 10 pixel solid black border to all <img> tags, this change can obviously be encoded as a short and sweet snippet of jQuery), and the tool generates a link (or identifier) that contains this metadata and the url representing the "starting point" if you will (in this case google.com).
Now the problem I've run into is the entire Same-Origin security policy, whose purpose is to expressly deny the exact kind of thing that it seems like I need to do.
What I need to do is essentially navigate to a particular site, and then execute javascript in the context of that site. Neither I (the author of the tool) nor the user with whom I share my script necessarily have control over the site, so in theory the security model if implemented properly should prevent this concept from working.
Because of this I cannot have a single clickable link that kicks off the process of running my code on some site. It totally makes sense too. It would make it trivial for an attacker site to send a disguised clickable link that will run code that acts as me on any site they want.
But, the way to get around it is to tell the recipient to do a single additional step. First they open the URL of the site just like normal, then they paste a bit of javascript:(function(){.....})(); into the URL/omni bar. That is (AFAICT) completely legitimate and should be permissible because the user understands that this script is being executed. Whether or not it should be allowed to run JS so easily at this point is more or less irrelevant, as it basically just works everywhere now.
This isn't too bad but I think the user experience suffers unnecessarily. For example it looks like a native app would be necessary to get any better than pasting the JS into the URL bar on an iOS device for example, but on a plugin-accepting full browser it seems like a plugin can achieve what I want.
Which is: a navigation to an arbitrary URL followed by code execution (this code originating from an authorized source) with one click.
But I'm not sure where to start. What API could provide me this ability? I am hoping I can get away with Greasemonkey-type scripting (as Greasemonkey compatible plugins are available for pretty much all the good browsers), but I can't tell if there is enough power available.
I am actually still a little unsure about security related problems with this. I used to have a huge paragraph here but it all boils down to "social engineering".
This kind of things are generally done with bookmarklets.
On your website featuring your script, create a link that has href="javascript:(function(){/* ... */})()". Then a user could simply drag and drop that link into his favourites (bookmark it). And use it as button in a favourites bar.
Your bookmarklet could contain directly your script, or a simple loader that injects a <script src=http://mywebsite.com/script.js"> tag into the document, this way you can update your script and "distribute" it directly to all users.
Security is always about knowledge. Or to put it the other way around: Not knowing something makes you feel insecure.
There is no secure way to do what you want which is my web browsers forbid it by default. There are workarounds (like pasting the URL as you explained above) but all of them are only secure as long as the user knows what she is doing.
That being the social implications. Now the technical solutions:
You try a bookmarklet
You can use a browser plugin like Greasemonkey
Both allow to run arbitrary JavaScript. The former needs explicit permission from the user each time, the later one does it automatically.
Of course, if you move the core of the functionality to a remote place, it would be hard for even knowledgeable users like me to understand and trust what is going on.
That is when the meat of the function isn't in the bookmarklet or the greasemonkey script and when you instead add a <script> tag with a remote URL. That would make it harder to make sure your script doesn't do something "odd". For example, you could return a different script when I try to download the JavaScript without using your bookmarklet.

Not sure how to deal with javascript and mechanize in this specific instance

I'm going to be accessing a number of accounts on Amazon's KDP - http://kdp.amazon.com/
My task is to login to each account and check the account's earnings. Mechanize works great for logging in and dealing with the cookies and such but the page which displays the account earnings uses javascript to dynamically populate the page.
I did a little bit of digging and found that the javascripts sends out the following request:
https://kdp.amazon.com/self-publishing/reports/transactionSummary?_=1326419839161&marketplaceID=ATVPDKIKX0DER
Along with a cookie which contains a session ID, a token, and some random stuff. Every time I click a link to display the results, the numerical part of the above GET url is different, even if it's the same link.
In response to the request, the browser then receives this (cut out a bunch of it so it doesn't take up the whole page):
{"iTotalDisplayRecords":13,"iTotalRecords":13,"aaData":[["12/03/2011","<span
title=\"Booktitle\">Hold That ...<\/span>","<span
title=\"Author\">Amy
....
<\/span>","B004PGMHEM","1","1","0","70%","4.47","0.06","4.47","0.01","0.00",""],["","","","","","","","","","","","","<div
class='grandtotal'>Total: $ 39.53<\/div>","Junk"]]}
I think I can use mechanize's cookie container to extract the cookies which are a part of that request but how do I figure out what that number is and how it's generated? The javascripts in the source code of the page seem cryptic on the best of days. Here's one of them:
http://kdp.amazon.com/DTPUIFramework/js/all-signin-thin.js
Is there a way to really track down what javascripts are running "behind the scenes" so to speak after I click on something on the page so that I can emulate that request in conjunction with mechanize?
Danke..
PS: I can't (or, rather, I don't want to) use watir for this task, because in theory I might be handling more than just a handful of accounts so this's gotta be pretty snappy.
It's just a timestamp and it's only used for cache busting. Try this:
Time.now.to_i.to_s
Mechanize doesn't run JavaScript that is embedded in the page. It only retrieves the HTML.
If the page contains JavaScript, Mechanize can see it and you can use Nokogiri, which Mechanize uses internally, to retrieve the <script> tags' content. But, anything that would be loaded as a result of the JavaScript being executed in a browser will not run in Mechanize. Watir is the solution for that, because it drives the browser itself, which will interpret and run the JavaScript in the page.
You can step through the pages in a browser and look at the source code to get an idea what is running using FireBug. From that information you can get an understanding of what the JavaScript is doing, and then use Mechanize and Nokogiri to extract the needed information from a page that lets you build up your next URLs, but it can be a lot of work.
What you ask is similar to many other's questions regarding Mechanize and JavaScript. I'd recommend you look at these SO links to get alternate ideas:
Mechanize and JavaScript
Ruby Mechanize not returning Javascript built page correctly
Or search Stack Overflow for questions about Ruby, JavaScript and Mechanize.

Categories