How can I identify what JavaScript website is running? - javascript

Some websites have JavaScripts which are used for browser fingerprinting. I know these type of scripts check and send data back to server like: browser user agent, screen resolution, fonts list and etc. So my question would be: is it possible to inspect these scripts from client side? If yes, how?

you can list all the scripts used by newer browsers thanks to performance.getEntries():
var scripts=[].slice.call(performance.getEntries())
.map(function(a){return a.initiatorType==="script" && a.name; })
.filter(Boolean);
alert(scripts); /* on this page in console: ["http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js", "http://cdn.sstatic.net/Js/stub.en.js?v=aa4bf2e33f9d", "http://cdn.sstatic.net/Js/full.en.js?v=207a95000ab6", "http://cdn.sstatic.net/Js/snippet-javascript.en.js?v=3a04bf1d3cc0", "http://cdn.sstatic.net/Js/post-validation.en.js?v=59400b6b717e", "http://cdn-prom.sstatic.net/WinterBash/js/core.js?2", "http://cdn.sstatic.net/Js/external-editor.en.js?v=49dac339584c", "http://winterbash2014.stackexchange.com/api/is-participating?callback=wbParticipating2682405&accountId=2682405&host=stackoverflow.com&_=1418692483862", "http://cdn.sstatic.net/Js/wmd.en.js?v=988f5766f506"] */
if you know of any bad-behaving filenames, you can detect and counteract them, or feed the list of urls to something that can fetch and scan the script contents themselves; not sure what your end-goal is here...

Yes, it is possible to inspect any script on any website with the right debugging tools and time to sort through things.
For any given web site, you can run a debugger like the Chrome debugger, open the network tab and see all network requests that the browser makes. You would then have to sort through those requests to see which ones contained the information you are looking for. If you then wanted to find the scripts responsible for those requests, you'd have to work backwards in analyzing the site and scripts to figure out which script contains the code making the request.
I am not aware of any automated way to detect exactly which requests contain the information you want. Tools like Disconnect.me automatically shield your browser from some common tracking techniques of some common services, but that tool can also cause problems on some sites where the site won't then work properly.

Related

Open devTools in chrome, and select "Network", click "XHR", and there are extra information in any page [duplicate]

When I'm viewing the downloaded resources for a page in the Chrome web inspector, I also see the HTML/JS/CSS requested by certain extensions.
In the example above, indicator.html, indicator.js and indicator.css are actually part of the Readability Chrome extension, not part of my app.
This isn't too big a deal in this particular situation, but on a more complex page and with several extensions installed, it can get quite crowded in there!
I was wondering if there was a way to filter out any extension-related resources from this list (i.e. any requests using the chrome-extension:// protocol).
Does anyone know how I could achieve this?
Not quite the solution I was after (I'd have preferred a global setting), but there is now a way to filter out requests from extensions, as mentioned by a commenter on the issue I originally opened.
In the network tab filter box, enter the string -scheme:chrome-extension (as shown below):
This is case-sensitive, so make sure it's lowercase. Doing this will hide all resources which were requested by extensions.
Just enter "-f" in Network field
Was having the same question when my extension adds a lot of noise in the network tab.
Some extensions also fire a lot of data like data:text/image etc, you can append more filter with - like:
-scheme:chrome-extension -scheme:data
Another way to get the http/https requests is to just use scheme:https without - because the resources that extensions request are usually from their local bundle:
scheme:https
An Incognito Window, can be configured to include or exclude extensions from the extensions page of Chrome settings.
One alternative is to go to "Network Request blocking" tab and add "chrome-extension:" to the list, thus extension requests will be blocked and coloured red so it's easy to visually filter them out.
you can simply enable this option and requests from extension will be group.
Update: It can only group requests that create by the extension that draw iframe, such as cVim

Coding browser extensions, Addons, Firefox, Safari, Chrome etc… Is this possible?

I'm not very familiar with browser extensions and before I begin to deeply explore them I have a few questions.
Let's say the extension injects JavaScript in the current website the user is visiting (if that's even possible). That injected JavaScript code will get, let's say the current URL for example purposes, and send it and store it on a database. Next time the user visits the same website, the user will get an extension notification informing that is the second or third or X time he or she has visited the same website.
Now that I have gave you the scenario, is the following possible? Injecting JavaScript from a browser extension to the current visiting website. If so, can I make some AJAX communication with the JavaScript and a PHP server?
Yes, you can inject stuff. See e.g. Insert code into the page context using a content script and How to inject javascript into page, from a Firefox add-on, and run it? or one of the many dupes there likely are.
You can then use whatever communication would be available between the site and a server, e.g. XHR, WebSockets, JSONP.
Please also check the policies of the Chrome Web Store and Mozilla Add-ons site regarding content/code injection and privacy rules. E.g. the Mozilla Add-ons will reject your add-on if you injected remote scripts (meaning code that is not bundled, e.g. originating from e.g. http:) and may also reject your stuff if you track users without prior explicit user consent.

Advert javascript not being served correctly to the browser unless called directly?

I hope this is the right place to ask this question - I did have a look at the rest of the sites in the network but this looked like the most appropriate place.
We are having issues serving third party adverts on our websites. For various reasons our ad setup is a bit complicated - we serve third party javascript tags (AppNexus) through our own ad server (OpenX) through iframes. Currently, the third party javascript tags are not showing correctly, although they have worked just fine in the past.
Debugging this in Safari I have discovered a few things which seem to me to be a bit unusual, and I'm struggling to work out what's going on. Using the web inspector to check the third party's javascript, it appears in the web inspector as a blank file. Additionally, if I check the network tab, the headers are shown and look fine, but there is no 'content' tab with which to check the returned content. The network tab shows the request for the file as complete, and with suitable status codes (200/302):
http://cl.ly/401C1D3Y3u2G2k2k3s0x
However, if I load the file directly in the web browser, it loads fine:
http://ib.adnxs.com/ttj?id=694021&cb=[CACHEBUSTER]&pubclick=[INSERT_CLICK_TAG]
FWIW, the javascript file uses document.write to spit out either an image or another iframe. It's also worth mentioning that there are no related errors in the console - there is one relating to Google Ads, but the problem persists if I load the Ad server's iframe directly without the rest of the site.
Has anyone seen this behaviour before, where a file loads just fine directly, but is (blank / not retrieved / not parsed / whatever's going on) when called as part of another page? If so, would you be able to help me fix this?
Thanks in advance for any help you can give me - I hope this makes some sense and will be happy to provide any further information that might help me get to the bottom of this!
Ollie
I'm guessing that the third party site is filtering output from their servers based on the HTTP referer being sent in the request (a technique employed by many web hosts to thwart hot-linking content). Try putting the link to the javascript file in a clickable link on a web page on your server and click it and then see if it loads or if you get a blank page. You could also try loading a browser extension which lets you forge the HTTP Referer (such as RefControl for Firefox) and then change your refer to be your site instead of the third party's and try pasting in the URL to the browser and see if it loads.
This isn't your fault if it's what turns out to be the actual problem. It's up to the third party to configure their web host to allow for this.

accessing elements of a child window via javascript in a parent window across domain AND protocol

I'm building an automation tool at work, and I've hit a bit of a snag... The task is to automate the laborious process of navigating a large web-based GUI which sends queries to a database based on the values entered in various fields. We do not have access to the database itself or the server on which the web-GUI is located. Furthermore, the protocol for the web-GUI is https. Is there any way to have javascript open the web-GUI in a new window and then act on it [clicking buttons, reading returned text strings etc.]? The implementation doesn't have to be javascript (autoIT would do the same job much more easily) but I am curious as to how the access denied errors might be overcome. I have read about certain workarounds, but none of them went so far as to actually attempt to interact with elements of the cross-domain document. I have also discovered easyXDM, but it doesn't solve the protocol discrepancy, and I'm not certain it would work for my situation anyway. Any input would be appreciated!
thanks,
CCJ
You are not going to be able to do cross domain because of the same origin policy.
Sounds like you should do something with greasemonkey or with selenium to automate it.

Fetching all the urls opened in the browser

I know that getRequestURL will fetch me the URL of the page being opened.
I need to know how to get the URLs of all the tabs opened in the browser say firefox.
Is there anyway to achieve this?
This is not possible to do from a regular web page as it would be a serious security issue.
However, it is possible with browser extensions (for example, in Chrome there is a chrome.tabs.getAllInWindow() function available to plugins, and accessing their urls is simply a matter of looping through the tabs returned by that function and reading the .url property. See further documentation here).
From your own web page you should not be able to achieve this, as that would be a breach of the sandboxing these browsers attempt to enforce between tabs. If you launched the other windows via javascript, you may be able to control their content, but only under this circumstance.
You could feasibly write a plugin to run in the browser, but obviously the client would have to install/trust this for it to work.

Categories