I would like to access a website that uses Javascript to set a cookie. The cookie is required for the pages I want to visit.
I found that firewatir can do it, but this requires attaching to actual firefox browser. Are there any solutions that can work without UI running?
Mechanize might be able to do this.
Let us know if it works for you.
Related
Is it possible to get around the security and mimick either a full-browser or mobile browser within a webpage?
I had an idea to set the HTML manually, using an AJAX/XMLHttpRequest ("Get" request)
document.querySelector('#myiframe').contentWindow.document.write("<html><body>Hello
world</body></html>");
(from How to set HTML content into an iframe)
Can anyone verify this is possible? I'm guessing you would lose relevant site date (cookies, cache, etc)
Is it possible to get around the security
Yes, many browsers let you start them in a security-off mode, e.g. on chrome you run the program with the --disable-web-security flag. However, you should never ask a client to do this.
An alternative way would be to write a Java applet, or some other third-party plugin, which fetches the resources you want and then passes it over to the browser with your favourite method, from which you can use JavaScript on the data as desired. This method would lose things like cookies, and might be exploitable so I wouldn't recommend it.
mimick either a full-browser or mobile browser within a webpage?
Finally, if you don't mind the "URL bar" displaying the wrong thing when a user navigates, you could just use the default behaviour. This method is totally acceptable and doesn't circumvent any security.
I was playing around with cookies and stuff, until I noticed a website saying that you can easily set cookies via the navigation bar with one simple code;
javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"
while doing this, I could login on one computer, copy the cookie data to another computer, and set the same cookie via this code, after a refresh I was logged in with the same user.
(just on a simple webpage I made myselve)
this seems like a security issue to me, I mean, ofcourse they would first need to get the cookie data, but without that, I imagine that you could do alot of damage with the javascript: from the cookies aside.
Is there any way to prevent the usage of javascript: from the navigation bar?
The user is the security issue not Javascript. The user gave you the session id - i.e. do you give out your keys/passwords to others? If you do what can the site do? Send around a blioke to look over your sholder all the time
Javascript is only excecuted client side, (exception is nodejs). So no harm can be done to the server.
Javascript runs in the users browser.We dont have any control over it.
The thing you can do is to obfuscate or hash variable names and/or values.
See here
You cannot prevent JavaScript usage from the navigation bar. I could visit your website and use the Internet Explorer debug tool, Chrome debug tool or FireBug to launch JavaScript code on your page.
Since JavaScript runs on the on the visitor's local computer, you will have no control over it. Only the visitor has control over what cookies will be stored in the browser.
What you need to do is to take measurements of security server-side. But yes, all authentication-processes that depend on a session cookie will have the security issue you are explaining.
I have a URL rewriting proxy server (EZproxy) that can be set up like this to provide one-click access to target URL's, providing an authentication challenge when needed but getting out of the way when it's not needed.
http://url-rewriting-proxy-server.com/login?url=http://target-url.com
I would like load a URL like above and then stop the page, only loading the <head></head>.
I would like to use a bookmarklet (server side code is OK) to accomplish this.
Can I do this programmatically with Javascript? If so, how? If Javascript is a bad idea, are there alternatives?
Will your solution work in Mobile Safari?
Maybe
window.stop();
is what you are looking for
I'm debugging a site that sets cookies via javascript, and I'd like to know exactly which lines are setting cookies as I run the page. Simply combing through the script is not an option because its so convoluted.. (it's not my script if you're wondering)
How can I easily find out which lines are setting cookies? I'm new to this, so if you can explain the exact steps in doing this I'd be very thankful.
I presume that document.cookie is the only way to set cookies with javascript, but if there's another way(s) that'd definitely be helpful to know, as I might've ignored said lines in reading through the script..
Background: I'm on Windows XP
Yes, document.cookie is how JS sets cookies. But remember:
Other parts of the page can set cookies. Cookies are primarily set in the HTTP response headers. Plugins, like Flash, set tons of cookies too.
The actual JS code that sets the cookie may be buried in a library.
It is possible that some programmers obfuscate the JS code, so that a search for "cookie" will fail.
Things to do:
Install the Web Developer add-on. This will allow you to easily see, edit, or delete cookies, for a given page -- including 3rd party cookies.
It also allows you to View the response headers -- to easily see if the cookies are being set that way. (clear cookies, reload the page, click: Information --> View Response Headers.)
Install the Firebug add-on and then the Firecookie plugin for Firebug.
Firecookie can show cookie events as they are happening. This, coupled with observation and use of JS breakpoints (Firebug feature) can help you narrow down where cookies are being manipulated.
Use firebug & firecookie to find the cookie's name. then search that name through the JS files using your IDE search feature.
I'm working on an AJAX application that pulls data from a live website, I can't replicate the complete application on my local environment at the moment so in order to test if the JavaScript code is working as expected I need to be able to bypass the same domain restriction on the browser (without making changes on the webserver) any suggestion will be greatly appreciated.
So far I have tried modifying the prefs.js in Firefox 2 and Camino including the lines suggested in this link: http://www.zachleat.com/web/2007/08/30/cross-domain-xhr-with-firefox/
Thanks in advance.
Edit 04/29/2009 3:18pm:
I agree the proxy option is definitely a way to go. But would it be possible to have a solution using just Firefox? (maybe an add-on?)
If you can change the endpoint URL you could bounce the requests through your local server, either with mod_rewrite or a simple script.
This has the advantage that you can easily log the requests and responses, and alter them (e.g. send back timeout errors, bad data and the like).
Well, for viewing the requests/stepping through the js try using Firebug.