Skip to main content

Cross-Site Scripting - (HACK) a way out

I came across to this discovery when i was affronted with the problem of trying to communicate TWO sites on different domain/server and some parameters need to be passed. As you may have “Googled” it, you can’t do outright javaScript function call from your site to a partner site since it resides on different domains. It’s a violation of the Cross-Site Scripting W3C standards for it is highly probable for site security breach.


To make the picture clearer, here’s the scenario. Take for an example your site caters a hotel reservation and you have a partner seller that also maintains a site for marketing. If you want to maximize you potential sales, you’ll opt to let your partner embed/include your reservation site somewhere in their site.
See the diagram now? Partner site e.g resides in www.marketing.com and your site in www.hotelreservation.com, without directly accessing your site, a customer must be able to get a hotel reservation on you partner site. There the problem on how to implement it.


You’re probably going out of your wits trying to figure this out. Many have resulted to go beyond this restriction and rely communication through technologies such as Webservices, Soap, Rest, and the like.


But the big question is what if you can’t afford to build such extravagant service for a small functionality that you want to achieve? Would you rather abandon the idea?


Hold still, there’s still a way out.


The following is a a sample demonstration on how you could pass simple non-high-risk data from your site to your partner site.


Ok, so normally your marketing partner will embed your site in an IFRAME this will act as a widget of your site. Now once the customer clicks and send reservation request through the embedded widget, it must show your reservation site in full and entered values must be passed and kept.


HOW TO


1. Inside the partner page where your “widget” will be embedded, implement the script below.



var lastHash = \"\";
function checkForLocationHash(){
   if(location.hash != lastHash){
      lastHash = location.hash;
      widgetScript(location.hash);
    }
}
setInterval(checkForLocationHash, 200);

2. Implement a method that will do the processing of the passed values and that will show the your reservation site.
e.g.



 function widgetScript(obj){
     var data = obj.replace(/%22/g,\"\\"\");
     var indexOfData = data.indexOf(\"#\") + 1;
     var jObject = data.substring(indexOfData);
	
     window.location.replace(\"www.hotelreservation.com#\" + jObject );                                       
	
}

3. In your widget page (reservation site) implement the object binding and location hash manipulation. Implement this script onClick / onSubmit of reservation.



      var  JSON_OBJECT = \"{\"object_test\" : \"This is a test!\"}\";
       parent.location = \"www.marketing.com#\" +   JSON_OBJECT;

***NOTE: parameter after the HASH tag must not necessarily be a JSON Object. You can use simple value-pair parameters.


The line 



       parent.location = \"www.marketing.com#\" +   JSON_OBJECT;

is the key. See how the parameters are being passed through the hash tag. Without using the POST / GET method, the reservation page (IFRAME) was able to pass values to its parent page which is what we just need.


Now the last part is


4. www.hotelreservation.com must implement a method similar to Step 1 and manipulate the string after the hash tag.

Labels:

Comments

Post a Comment

Popular posts from this blog

Creating Bottom-up Web Service (WSDL)

This post will primarily show you how to create a simple Web Service application through Apache Axis in Eclipse , and will not dwell on explaining the background or functionality of a Web Service. Yet, it’s a de facto to at least give a little definition. WSDL or the Web Services Definition Language is just another specification to describe network XML-based services. It supports message-oriented and procedural approach XML technologies. (for further reading click here ) 1. Preparing the web application a. Create a new web application and name it as “SimpleWebService”. b. Download and add “axis.jar” ( download here ) to the application libraries. c. Edit and add this following configurations to the web.xml file. AxisServlet org.apache.axis.transport.http.AxisServlet AdminServlet org.apache.axis.transport.http.AdminServlet 100 AxisServlet /servlet/AxisServlet AxisServlet *.jws AxisServlet /services/* *Note: spa...
Post a Comment
Read more

How to get rid of VB Script Just-In-Time Debugger Error

Lately i have been pestered with a lame error every time my Windows starts up. The “VB Script Just-In-Time Debugger Error” shows up and it would terminate the explorer.exe process upon clicking OK. Somehow something went wrong in the system but the error does not specifically says what it is. I don’t have a clue how to resolve it. We all know explorer.exe is critical for all windows to work, thus leaving me no choice but to run it manually. For normal users who do not know how to run the explorer.exe manually, they will be paralyzed. They won’t find their way to work it except to ask for help, which sometimes can be so annoying specially when you’re up to finish a deadline. Luckily, i was so persistent enough to search for a solution. Though no one gave the exact process of eliminating this error, I come up to finally solve it through my compilation of readings and i’ll share it with you. Here's how to get rid of this error: 1. Open Regedi...
Post a Comment
Read more

Search Engine Optimization (SEO)

Often we focus our site development mainly on its GUI (Graphical User Interface) and content, although this is very critical and needed, yet we tend to neglect adding some essentials that also need to be considered and included in order to optimize the site search ability. We want surfers to find and read our sites especially if we want to market something, thus it is important to make sure that our site link will be included in the list of search results on any search engines. The question is how will you do it? How will Google, Yahoo, msn etc, will find your site be indexed and included in their search results? There are a lot of things to learn and take into consideration if you want to optimize your site. Before proceeding, I’ll provide primary reference for you to get started before jumping into SEO. Read through this and decide if you need to reconstruct your site or not. Google Webmaster Site – This will acquaint you to search engines basic concepts. Webmaster Guidel...
Post a Comment
Read more