This morning I woke up to a JavaScript alert on a project of mine that runs KnockoutJS, jQuery, and Underscore.js. It says "I can run any JavaScript of my choice on your users' browsers". The only third-party JavaScript I am downloading is Typekit, and removing that does not make this go away. I've searched my JavaScript and vendor JavaScript and this string does not e back up matching anything.
How would you troubleshoot this and/or is this something that is known to occur?
This morning I woke up to a JavaScript alert on a project of mine that runs KnockoutJS, jQuery, and Underscore.js. It says "I can run any JavaScript of my choice on your users' browsers". The only third-party JavaScript I am downloading is Typekit, and removing that does not make this go away. I've searched my JavaScript and vendor JavaScript and this string does not e back up matching anything.
How would you troubleshoot this and/or is this something that is known to occur?
Share Improve this question edited Apr 23, 2012 at 19:13 Peter Mortensen 31.6k22 gold badges110 silver badges133 bronze badges asked Apr 23, 2012 at 14:37 Jeremy SmithJeremy Smith 15.1k19 gold badges70 silver badges115 bronze badges 8- 11 It is injection not in your JS but in your DB :) You didn't sanitize user's input data – fl00r Commented Apr 23, 2012 at 14:38
- 1 Are you importing any advertisements or something like that? It's probably impossible to say without actually looking at the site. – Pointy Commented Apr 23, 2012 at 14:39
- 7 Count yourself lucky they were nice about it, could've been much worse – Mike Robinson Commented Apr 23, 2012 at 14:40
- 3 Yeah, I would take that warning pretty seriously. – wholerabbit Commented Apr 23, 2012 at 14:41
- 2 @Neil it could be a random user input too – pomeh Commented Apr 23, 2012 at 14:44
3 Answers
Reset to default 13If you have a database for your application, that would be the next place to check. I'm guessing somebody found and exploited an Injection vulnerability (either un-sanitized HTML input or SQL) and injected the script into a page via the database.
The last place would be to look at the ruby code to see if somehow a malicious user modified your source.
You obviously take an input from user and then outputting it back as part of HTML without quoting or sanitizing. There's two quick checks to do:
1) Open source of page that outputs this alert and search inside source for exact text of alert - this should give you clear indication of what user-filled field is promised. 2) To be sure, search all other fields in your database generated by users (login names, text of ments, etc.) for words "script" and "alert".
For future: always sanitize your input (remove HTML tags) before inserting it in HTML page OR escape symbols as entities according to standards OR explicitly treat is a plain text by assigning it to value of text node in DOM.
It sounds like a hack attempt on your site. Check any databases, text files, etc. that are being used that are receiving user input. It sounds like you're not checking what's being posted to your server I'm guessing.