I'm debugging a site that sets cookies via javascript, and I'd like to know exactly which lines are setting cookies as I run the page. Simply combing through the script is not an option because its so convoluted.. (it's not my script if you're wondering)
How can I easily find out which lines are setting cookies? I'm new to this, so if you can explain the exact steps in doing this I'd be very thankful.
I presume that document.cookie is the only way to set cookies with javascript, but if there's another way(s) that'd definitely be helpful to know, as I might've ignored said lines in reading through the script..
Background: I'm on Windows XP
Yes, document.cookie is how JS sets cookies. But remember:
Other parts of the page can set cookies. Cookies are primarily set in the HTTP response headers. Plugins, like Flash, set tons of cookies too.
The actual JS code that sets the cookie may be buried in a library.
It is possible that some programmers obfuscate the JS code, so that a search for "cookie" will fail.
Things to do:
Install the Web Developer add-on. This will allow you to easily see, edit, or delete cookies, for a given page -- including 3rd party cookies.
It also allows you to View the response headers -- to easily see if the cookies are being set that way. (clear cookies, reload the page, click: Information --> View Response Headers.)
Install the Firebug add-on and then the Firecookie plugin for Firebug.
Firecookie can show cookie events as they are happening. This, coupled with observation and use of JS breakpoints (Firebug feature) can help you narrow down where cookies are being manipulated.
Use firebug & firecookie to find the cookie's name. then search that name through the JS files using your IDE search feature.
Related
This is not a question if a web application can be safe/secure to use !!
But if I have a session or encryption key and like to hide it as good as possible on the client side with javascript - what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script at least in Chrome. In my view this is a big mistake from the developers as they hide the web pages javascript from the extension but allow it to see web-storage. Everywhere it is stated that the extension can only see the DOM but I do not think most people think that this also include web-storage!
So how can I secure a session key so it is away from reach of an extension? Unable to encrypt it as I then just need to hide the key. The problem is that the session have to be valid for all pages of the site so I can not just keep it in javascript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: Do not know if this is also a problem for other browsers
An extension, given permission to access your page, can do anything.
A code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, will full access to your JS context.
That is not to even to mention chrome.debugger API.
So no, you cannot secure your client-side data from extensions that user consented to run on your page, just as you can't secure your data from the browser itself.
Is it possible to get around the security and mimick either a full-browser or mobile browser within a webpage?
I had an idea to set the HTML manually, using an AJAX/XMLHttpRequest ("Get" request)
document.querySelector('#myiframe').contentWindow.document.write("<html><body>Hello
world</body></html>");
(from How to set HTML content into an iframe)
Can anyone verify this is possible? I'm guessing you would lose relevant site date (cookies, cache, etc)
Is it possible to get around the security
Yes, many browsers let you start them in a security-off mode, e.g. on chrome you run the program with the --disable-web-security flag. However, you should never ask a client to do this.
An alternative way would be to write a Java applet, or some other third-party plugin, which fetches the resources you want and then passes it over to the browser with your favourite method, from which you can use JavaScript on the data as desired. This method would lose things like cookies, and might be exploitable so I wouldn't recommend it.
mimick either a full-browser or mobile browser within a webpage?
Finally, if you don't mind the "URL bar" displaying the wrong thing when a user navigates, you could just use the default behaviour. This method is totally acceptable and doesn't circumvent any security.
I was playing around with cookies and stuff, until I noticed a website saying that you can easily set cookies via the navigation bar with one simple code;
javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"
while doing this, I could login on one computer, copy the cookie data to another computer, and set the same cookie via this code, after a refresh I was logged in with the same user.
(just on a simple webpage I made myselve)
this seems like a security issue to me, I mean, ofcourse they would first need to get the cookie data, but without that, I imagine that you could do alot of damage with the javascript: from the cookies aside.
Is there any way to prevent the usage of javascript: from the navigation bar?
The user is the security issue not Javascript. The user gave you the session id - i.e. do you give out your keys/passwords to others? If you do what can the site do? Send around a blioke to look over your sholder all the time
Javascript is only excecuted client side, (exception is nodejs). So no harm can be done to the server.
Javascript runs in the users browser.We dont have any control over it.
The thing you can do is to obfuscate or hash variable names and/or values.
See here
You cannot prevent JavaScript usage from the navigation bar. I could visit your website and use the Internet Explorer debug tool, Chrome debug tool or FireBug to launch JavaScript code on your page.
Since JavaScript runs on the on the visitor's local computer, you will have no control over it. Only the visitor has control over what cookies will be stored in the browser.
What you need to do is to take measurements of security server-side. But yes, all authentication-processes that depend on a session cookie will have the security issue you are explaining.
Here's the situation: I'm redesigning our company's public facing website using ASP.NET, VB.NET and some javascript/jquery. Some of the features I'm adding require page reloads (which register as popups) and cookies. Works great if everything is enabled. But I've noticed on some browsers (such as Firefox) I still get prompted to ok these actions, retain these cookies, etc. Now I can code some contingencies for simpler pages for users who will not or can not enable these features, but I'd like to find a way to make it as simple as possible to enable the full features. From what I've read, there's no way I can actually force it to happen the way you can force a browsers document mode by settings in the web.config file, but I am hoping there is some way to give them a button to click (or something similar) where it will enable what I need. Is there a way to do this programmatically? what I'm looking for is some code that will make the changes, instead of directing them to go into e.g. Internet Explorer security settings, which most end users find tedious if not incomprehensible.
Advice?
You can avoid using cookies. Use Session or a database backend for things you would normally use cookies for. For popups, use overlaid divs such as Ajax Control Toolkit Modal Popup Extender or jQuery UI Dialog instead of starting a new browser window.
But really, ASP.NET is designed to function with cookies. If you're users aren't using them, tell them they're penalizing themselves.
Certain browser features are ONLY user-configurable for security reasons. You cannot provide a button to change these settings because they would then not user-configurable.
All you can do is warn the user.
JavaScript cannot change a client browser's setting due to security reason. Otherwise, all hell will break loose.
Note: you can if you create an executable program, and a user runs on his/her computer.
However, you should never change a user's browser setting.
Instead you should give the warning and instruction to a user which is a proper way of doing it.
Disable Javascript
Disable Cookie
I would like to access a website that uses Javascript to set a cookie. The cookie is required for the pages I want to visit.
I found that firewatir can do it, but this requires attaching to actual firefox browser. Are there any solutions that can work without UI running?
Mechanize might be able to do this.
Let us know if it works for you.