Possibly simple solution, but I can't understand why my attempt to run this alert script on my welcome page via XSS input on the index page doesn't work.
I have a simple index.htm page with a form:
<!DOCTYPE html>
<html>
<body>
<form method="post" action="welcome.php">
Name: <input type="text" name="name">
<input type="submit">
</form>
</body>
</html>
And the welcome.php file:
<!DOCTYPE html>
<html>
<body>
<h3> Welcome <?php echo $_POST['name']; ?> </h3>
</body>
</html>
As a visitor to the index.php page, in the Name field I attempted to enter:
<script>alert("pwned")</script>
This has nothing to deal with PHP itself, as most browsers has XSS auditor which will try to protect the user from know XSS attacks
Running your example would result in:
The XSS Auditor refused to execute a script in 'http://localhost:9093/welcome.php' because its source code was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.
For more information, you can check this question
Related
Trying to implement Google Places API, to look for businesses.
I am trying to break down the result in different sections (name,address,city...) to stick it in a form.
Doing a bit of research, I have actually found the ultimate code to copy. However, I am using Django and I am too much of a newbie in coding, to understand how to alter the code to make it work with the framework. (https://jsfiddle.net/geocodezip/ep5aw171/1/)
Here is the code I have:
js file
function initMap(){
autocomplete = new google.maps.places.Autocomplete(document.getElementById("input"),{
componentRestrictions: {'country':['uk']},
fields: ['name','geometry'],
types:['establishment']
});
autocomplete.addListener('place_changed');
}
html
<html>
<h1>Google Places API Test</h1>
<body>
<input id="input" placeholder="*Name API" style="height: 75px; width:1000px">
<script src="{% static 'google_places_names.js' %}"></script>
<script async defer src="https://maps.googleapis.com/maps/api/js?key=xxx&libraries=places&callback=initMap"></script>
</body>
</html>
This bit works. When I type an address, I get the address of the what I am looking for (see screenshot)
Given that I am planning to use a django form to capture the information, I am assuming the html to look like this:
<html>
<h1>Google Places API Test</h1>
<body>
<input id="input" placeholder="*Name API" style="height: 75px; width:1000px">
<form id="GoogleAPI" method="POST" action="{% url 'google_api_test'%}">
{% csrf_token %}
<label for="address" class="hidden-el" hidden>Address</label>
{{form.name}}
<label for="address" class="hidden-el" hidden>Address</label>
{{form.address}}
...
</form>
<script src="{% static 'google_places_names.js' %}"></script>
<script async defer src="https://maps.googleapis.com/maps/api/js?key=xxx&libraries=places&callback=initMap"></script>
</body>
</html>
Looking at the different answers on the topic, there seems to be lot of code to write,so I am expecting anyone to do this here. But I wondering if someone may know a link to a Django tutorial for Google API for businesses (establishment). Found a few online, but they do not cover establishements and the approach appears to be different.
I understand the next step would be to call is to call autocomplete.getPlace() within a function. But all attempts I made proved to unsuccessful.
Would be grateful if anyone had any pointers!
How to get the HTML text box value to show alert message in office share point.
function show(){
alert('test:' + $("#txtPrice").val());
}
After I have deployed the project from visual studio (successful deploy) and I go to my office share point site the alert is not showed. How can I get the text box value?`
Where you Call your show function?
Have you load jQuery library?
You'd better provide more details for your solution.
Update:
The code is fine, make sure the jQuery library is loaded correctly and try to add your site to trust site to check whether you disable JavaScript for your browser.
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta charset="utf-8" />
<script type="text/javascript" src="https://code.jquery.com/jquery-1.12.4.js"></script>
<script type="text/javascript">
function show() {
alert('test:' + $("#txtPrice").val());
}
</script>
</head>
<body>
<input id="txtPrice" type="text" />
<input type="button" value="Submit" onclick="show();" id="btnCreate" />
</body>
</html>
I have been tasked with finding out how to integrate SAML single log in with an existing application. And Im finding it MORE than difficult to find answers past setting up an Identity Provider.
For a first pass attempt I have set up Google G-suite SAML app...
I have the information ( entityId, ACS url, IDP Metadata xml )
I have set up a URL for a test application, and I'm trying to find ANY information on what to write... I can find NO code samples...Of course I can find other service providers "implementation" samples, but that doesn't help me, as my app will be the service provider.
ANY Help on this, how to code a 'log in' button for google SAML App.
Here is the code Im trying - it's in coldfusion, but you'll get the gist - response is status code 400
<cfsavecontent variable="req">
<cfoutput>
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="!!!!!GENERATEDUNIQUEREQUESTID!!!!!"
Version="2.0"
ProviderName="SP test"
IssueInstant="2014-07-16T23:52:45Z"
Destination="https://CLIENTSITE.MYDOMAIN.com/samlLogin"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://saml.MYDOMAIN.com/acs/process">
<saml:Issuer>https://saml.MYDOMAIN.com/sp/entityId</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
</cfoutput>
</cfsavecontent>
<html>
<head>
</head>
<body>
<cfoutput>
<div>
<form id="login-google" action="https://accounts.google.com/o/saml2/idp?idpid=!!!!!IDCODE!!!!!" method="post">
<input type="hidden" name="SAMLResponse" value="#toBase64( trim( req ), 'utf-8' )#" />
<input type="submit" value="Login" />
</form>
</div>
</cfoutput>
</body>
</html>
I am at learning stage in ColdFusion. Now I am trying to execute below code to display variable content by using <cfset> and <cfoutput> tags. I completed my server installation and I am able to login to server with admin credentials. But it executed as normal html page, not getting the result from ColdFusion tags.
Do I need to install anything apart from this?
<!DOCTYPE html>
<html>
body>
<body background="download.jpg">
<cfset name ="swanav"/>
<cfoutput>#name#</cfoutput>
</body>
</html>
A small correction to your code,
<!DOCTYPE html>
<html>
<body background="download.jpg">
<cfset name="swanav" />
<cfoutput>#name#</cfoutput>
</body>
</html>
The code needs to be placed in,
/cfusion/wwwroot
I've gone through the installation steps in the django-rest-framework-jwt docs and I am unable to run the curl $ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/. I CANNOT get back the token! Instead I got back CSRF cookie error:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>403 Forbidden</title>
</head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.</p>
</div>
<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>CSRF cookie not set.</pre>
<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:</p>
<ul>
<li>Your browser is accepting cookies.</li>
<li>The view function passes a <code>request</code> to the template's <code>render</code> method.</li>
<li>In the template, there is a <code>{% csrf_token %}</code> template tag inside each POST form that targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use <code>csrf_protect</code> on any views that use the <code>csrf_token</code> template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG = True</code> in your Django settings file. Change that to <code>False</code>, and only the initial error message will be displayed. </p>
<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
</body>