0

Somebody entered XSS code in my friend's site. It inserts <script>alert(0)</script> in the page source. You can see it here.

Is there a way to remove this from the page at runtime, to prevent it from being executed?

He has a presentation on it tomorrow and he has no access to database to remove it.

Improve this question
7
  • 8
    You could use the same xss vulnerability to remove it that the other person used to add it, Commented Apr 16, 2013 at 18:42
  • 1
    Does he have access to the serverside code? Commented Apr 16, 2013 at 18:44
  • Why is there no <body> element? Commented Apr 16, 2013 at 18:47
  • 1
    Why not fix the code to properly escape output? If it's his site, clearly he should be able to update it. Commented Apr 16, 2013 at 18:49
  • 1
    the username and password for the db is probably in some plain text file somewhere that lets the page access the data. Commented Apr 16, 2013 at 19:05

2 Answers 2

Reset to default
2

As a really quick fix. If he has access to the javascript he could do a simple trick like below.

   alert = function() {}

This will stop all alerts from firing.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You definitely can't put it in $(function () { }); because that'll be too later to overwrite alert. I'd go back to your original and not include your change, and make sure it's run as soon as possible on the page.
0

You can disable alert on http://technoflexusdatastreamapi.appspot.com/landingpage before loading the data:

$('.viewDataLink').click(function ()
{
    $("#scriptShow").hide();
    $("#showData").show();
    $("#progressAnimation").show();
    var tmpAlert = alert;
    window.alert = function () { };
    $("#showData").load("/listData", function (response, status, xhr)
    {
        if (status == "success")
        {
            $("#progressAnimation").hide();
            window.alert = tmpAlert;
        }
    });
});
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.