I have a security problem in my website. A script code was added into my all pages like "<script src="Ip address/viewpic.asp"></script>" . It is between </head> and <body> tag. Now Google says "this site may be hartful for your pc!" about my site. How can i secure my website? I use C# and Visual Studio 2008.
You have been hacked. This code that has been added to your site is trying to hack web browsers that visit your site.
This could have happened a number of ways. The easist thing for you to do is to download an anti-virus like AVG and scan any machines with access to the site. There is malware that looks for FTP connections, it grabs the username/password then logs in and modifies files it finds. You should be using SFTP which can be installed under windows, FTP is only used by people who don't know any better or love to get hacked, or both.
The more complex possibility is that there is a vulnerability in your site. This requires a professional (Like me) to track down and fix. Acunetix can help find flaws in your site, but this might not find the vulnerability that was used to break in.
Edit: Assuming that the script is your own and not malicious:
You should not have any code between </head> and <body> - Otherwise you have got a <script> tag as a direct child of <html> which is not allowed.
Put the <script> tag inside <body> at the correct place where you want the script to execute, to correct the structural issue but you need to provide some more information about the exact error messages you are seeing about security as I'm not aware that Google shows error messages within its search listings and I dont have Google Toolbar installed to know what that does; but I don't believe it has typos in it ;)
So please provide more information about the exact security warnings once you've fixed - and validated (with the W3C Validator) - the structure of your HTML.
Edit: If the script is not intended to be there and has appeared outside of your desire:
Have a look in the HTML source where the script is present; and compare to your own ASPX pages to find out where the script is appearing. If it is being rendered by one of your controls you need to examine where the value is coming from. If it is a database, you need to focus your attention on what gets the information into the DB in the first place. If the script is injected and not into one of your controls then you should talk to your ISP I would think.
Related
I have a sharepoint at my office. Its 2013 version. Where I want to write some asp code. But the issue is SharePoint is blocking the code and I am getting error "Code blocks are not allowed in this file". I searched google and found several links to solve the issue by saying make some changes to the webconfig file.
Now my question is how do I find the file. Where it is actually.
What I have is a sharepoint, I don't have any designer. I only have admin access for this site. Can some one please guide me.
I know there are several entries here in stackoverflow, but no one is talking about where to find the file.
Please help me.
My apologies if this happens to be a repetition, in that case please point me to the right post. Thank you guys.
By default injecting server-side code (ASP.NET) in SharePoint pages directly from sites is not allowed for performance reasons, and should remain as is.
If you never approched SP developpment and are not an administrator of the farm in your company I strongly advise you to see first if you can solve your needs with client side development (javascript) instead of going to server side (ASP.NET).
SPS2013 comes with the "Script Editor WebPart" that you can use to inject your custom JS on pages. If you need your custom on all pages consider adding your JS on the site's masterpage.
From JS you can use SharePoint REST API to interact with your site https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service
If you need heavy customisation for your site you can move to the addin model (client side) that will require Visual Studio IDE develoment suite.
And last option is if you explicitly require serve side code and/or need to develop a scalable enterprise grade solution, you will need to make a "SharePoint full trust solution package".
PS: You may see articles around about "SharePoint Framework" (aka SPFx), unfortunatly this is not available for SPS2013.
Site has ran in the OWASP ZAP Testing Tool, Getting thowing the cross site scripting error.
please share some remediation Technique to fix XSS Problem.
URL: example.com/sites/javascript:alert(1);/modules/lightbox2/js
Parameter: all
This tool does not provided the following information
1. in which place / which file hacking may occur.
Please advise to how to fix the XSS problem
It looks like the injection might be falling inside of a link href, iframe src, or some other place that handles URL redirection. It is really not possible to tell without seeing where the reflection is in the source or generated source (DOM) of the page.
A generic suggestion would be to have the application remove javascript: (and the various ways of encoding it such as URL, HTML, etc) from user input.
I've been Googling all afternoon with no luck, so I've come to you for help!
I have an embedded system that is hosting the simplest of web pages:
<html>
<head></head>
<body>
<input type="button" value="Run" action="">
</body>
</html>
There is a little more to the page (just some system variables on display), but this is basically all it is. I generate this page from a simple C application that simply creates and updates a small run.html file in the web directory of my embedded system.
What I am TRYING to do, is when a user browses to the page and presses the button, a simple shell script or c app will create a tiny go.txt file with perhaps two characters 'GO' in the file. Just some kind of file to allow another application to eventually know that the button has been pressed.
I theorize that there is some syntax like action="/root/fs/go.sh" that might allow me this kind of access, but my experimentation has yielded no success. I should note that PHP is not enabled on the machine we are using.
My question for the group: is it this simple? Or am I missing some obvious web technology issue and going down a completely wrong path? Any feedback will be greatly appreciated.
Thanks,
To get the desired behaviour, you will have to do some works on the Web server. You will need to have some code on the server that will run the script you want upon receiving the form. The code on the server could be pretty much anything: a PHP script, a CGI application you coded in C, a custom Apache module, etc.
The bottom of this is, you will have to code something on the server side to do support that behavior. There is nothing in the HTML standard that let client request any script to be run on the server.
I am building a website using asp .net. The site uses a Google font this is imported in the masterpage like so...
<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Yanone+Kaffeesatz:400,300,200" media="screen"/>
Note that I have removed the http(s) from the url.
However I still always get the following error in a popup...
"This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?"
I thought that removing the http(s) would ensure that this error would not appear? How do I go about removing it?
I have also tried putting this reference in my css files using an import but I still get the popup.
I don't want to change browser settings as clients can't be expected to do this.
Thank you
I don't know if the solution below is compliant with Google API's Terms of Service.
The error you have is due to a Cross-Domain request (the popup is known as the Cross-Domain Data Access dialog).
To avoid this dialog, you can host the .css file & the related font files on the same domain has your website.
So one of the many many tasks I'm faced with daily as a developer is trying to get our support department to get as much information about the end users environment as possible.
Browser version, current cookies, plugins, etc etc and it would be handy to point people to a specific page on our site and say "copy paste this to support".
In the past I've always written these by hand, and used third party tools (such as BrowserHawk) to get as much info as possible.
How does everyone else deal with getting this information from end users, is there a nice package I'm unaware of to give a detailed dump a users env without having to get the users to run an app?
Just to clarify I'm not looking at an elmah style reporting (which is very helpful as well!) but this mainly for the client side stuff.
Some months ago I have see the googles ads page have a cool nice report button. What this button do is that capture using javacript the page as it is and send you the report, with all the details, and an image of the actually page.
So I have found this library http://html2canvas.hertzen.com/ that make the same think.
And here are some example pages with this feedback.
http://hertzen.com/experiments/jsfeedback/
So I add this feedback option, and I ask from the users to point out the issue, and send the feedback, so for pages I have a very nice image for what is not going well.
The next think is that I log and check all errors, and I fix them soon.