  1. #1 (New Coder, joined Aug 2010)

    Shoutbox JavaScript Security

    My shoutbox is constantly getting hacked; the JavaScript code is below. I suspect they are exploiting the same origin policy. The hackers are using administrators' usernames and spamming lots of offensive messages into the database. Any help would be much appreciated, thank you.

    Code:
    /***************************/
    //@Author: Adrian "yEnS" Mato Gondelle & Ivan Guardado Castro
    //@website: www.yensdesign.com
    //@email: yensamg@gmail.com
    //@license: Feel free to use it, but keep this credits please!
    /***************************/
    
    $(document).ready(function(){
    	//global vars
    	var inputUser = $("#nick");
    	var inputMessage = $("#message");
    	var loading = $("#loading");
    	var messageList = $(".content > ul");
    	
    	//functions
    	function updateShoutbox(){
    		//just for the fade effect
    		messageList.hide();
    		loading.fadeIn();
    		//ask shoutbox.php for the current list of shouts
    		$.ajax({
    			type: "POST", url: "shoutbox.php", data: { action: "update" },
    			complete: function(jqXHR){
    				loading.fadeOut();
    				//the server answers with ready-made HTML (<li> items), so it has to
    				//escape every user-supplied field itself: .html() renders any markup it gets
    				messageList.html(jqXHR.responseText);
    				messageList.fadeIn(2000);
    			}
    		});
    	}
    	//check if all fields are filled
    	//(.val() reads the live field value; attr("value") only returns the
    	//value="" attribute from the markup on jQuery 1.6 and later)
    	function checkForm(){
    		return Boolean(inputUser.val() && inputMessage.val());
    	}
    	
    	//Load for the first time the shoutbox data
    	updateShoutbox();
    	
    	//on submit event
    	$("#form").submit(function(){
    		if(checkForm()){
    			var nick = inputUser.val();
    			var message = inputMessage.val();
    			//we deactivate submit button while sending
    			$("#send").attr({ disabled:true, value:"Sending..." });
    			$("#send").blur();
    			//send the post to shoutbox.php; passing an object lets jQuery URL-encode
    			//each field, so an "&" or "=" typed into the message no longer breaks the request.
    			//"nick" is ordinary form data here: any HTTP client can send any value for it,
    			//so the server must not treat it as proof of who is posting.
    			$.ajax({
    				type: "POST", url: "shoutbox.php",
    				data: { action: "insert", nick: nick, message: message },
    				complete: function(jqXHR){
    					messageList.html(jqXHR.responseText);
    					updateShoutbox();
    					//reactivate the send button
    					$("#send").attr({ disabled:false, value:"Shout it!" });
    				}
    			});
    		}
    		else alert("Please fill all fields!");
    		//we prevent the refresh of the page after submitting the form
    		return false;
    	});
    });

  • #2 Fou-Lu (God Emperor, Saskatoon, Saskatchewan, joined Sep 2002)
    This has nothing to do with Java, moving to JavaScript.
    If the 'hacker' is using administrative usernames, then change the usernames.

  • #3 (New Coder, joined Aug 2010)
    They are using usernames of already existing administrators and impersonating them; they must be changing a variable somehow.
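    The "variable" guessed at in #3 is visible in the code posted in #1: the nick is sent as ordinary form data (action=insert&nick=...&message=...), so anyone can send a POST to shoutbox.php with nick=admin from curl or a script and the page's JavaScript never runs at all. The same origin policy only stops a browser script on another site from reading the response; it does not stop a direct request to the server. Below is an added example, not code from the thread or from the yensdesign shoutbox: a minimal Node.js stand-in for shoutbox.php that shows the trusting handler accepting the forged nick, and a hardened handler that takes the poster's identity from a server-side session and escapes output before it is echoed back into .html(). Every name in it (parseForm, escapeHtml, insertTrusting, insertAuthenticated, render, demo, the session map and the two sample requests) is an assumption made for the illustration.

```javascript
// Added example: a plain Node.js model of shoutbox.php (hypothetical server side).
// Nothing here is from the original post or from yensdesign's code.

// Parse an application/x-www-form-urlencoded body, the format jQuery's $.ajax sends.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Escape text before it goes into the HTML the client inserts with .html().
// Without this, a shout containing markup becomes a stored XSS.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// VULNERABLE handler: believes whatever "nick" the request carries.
// req = { cookie, body }; db is an array standing in for the database table.
function insertTrusting(req, db) {
  var form = parseForm(req.body);
  if (form.action !== "insert" || !form.nick || !form.message) {
    return { ok: false, reason: "missing field" };
  }
  db.push({ nick: form.nick, message: form.message });   // nick is attacker-controlled
  return { ok: true, nick: form.nick };
}

// HARDENED handler: the author is whoever the session cookie belongs to.
// The "nick" form field is ignored entirely; sessions maps cookie -> username.
function insertAuthenticated(req, sessions, db, maxLen) {
  maxLen = maxLen || 500;
  var user = sessions.get(req.cookie);
  if (!user) return { ok: false, reason: "not logged in" };
  var form = parseForm(req.body);
  if (form.action !== "insert") return { ok: false, reason: "bad action" };
  var message = (form.message || "").trim();
  if (!message || message.length > maxLen) return { ok: false, reason: "bad message" };
  db.push({ nick: user, message: message });             // raw text stored, escaped on output
  return { ok: true, nick: user };
}

// Build the <li> list the client's messageList.html(...) expects, escaping both fields.
function render(db) {
  return db.map(function (r) {
    return "<li><b>" + escapeHtml(r.nick) + "</b>: " + escapeHtml(r.message) + "</li>";
  }).join("\n");
}

// Constructed demonstration data (assumptions, not real traffic).
var sessions = new Map([["sid-guest-1", "guest42"]]);   // nobody is logged in as "admin"

// A forged POST sent from outside the browser: claims the admin nick, has no session.
var forged = {
  cookie: undefined,
  body: "action=insert&nick=admin&message=" +
        encodeURIComponent("<script>alert(1)</script> buy pills")
};

// A logged-in guest who also edits the nick field to "admin" before submitting.
var legit = { cookie: "sid-guest-1", body: "action=insert&nick=admin&message=hello" };

function demo() {
  var dbTrusting = [];
  var dbAuth = [];
  return {
    trustingForged: insertTrusting(forged, dbTrusting),          // accepted as "admin"
    storedAsAdmin: dbTrusting.some(function (r) { return r.nick === "admin"; }),
    authForged: insertAuthenticated(forged, sessions, dbAuth),    // rejected, no session
    authLegit: insertAuthenticated(legit, sessions, dbAuth),      // stored as "guest42"
    authDb: dbAuth,
    html: render(dbAuth)
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

    Run it with node and compare the two results: the trusting handler files the forged shout under "admin", while the hardened one refuses the request outright and, for the logged-in guest, ignores the nick field and records the session's username. Changing the admin usernames, as suggested in #2, only helps until the new names show up in the shoutbox; the identity has to come from the server's own session.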